├── Attack-Scripts
├── AAD-Brute-Force-Success-Simulator.ps1
├── Malware-Generator-EICAR.ps1
└── SQL-Brute-Force-Simulator.ps1
├── KQL-Query-Cheat-Sheet.md
├── README.md
├── Sentinel-Analytics-Rules
└── Sentinel-Analytics-Rules(KQL Alert Queries).json
├── Sentinel-Maps(JSON)
├── geoip-summarized.csv
├── linux-ssh-auth-fail.json
├── mssql-auth-fail.json
├── nsg-malicious-allowed-in.json
└── windows-rdp-auth-fail.json
├── Separate-Projects
└── NICE.py
├── Special-Windows-Event-Data-Collection-Rules
└── Rules.txt
├── Storage-Account-Scripts
└── Blob-Upload.ps1
└── Vulnerability-Management
├── Toggle-SMBv1.ps1
└── Toggle-TLS-1.0-and-1.1.ps1
/Attack-Scripts/AAD-Brute-Force-Success-Simulator.ps1:
--------------------------------------------------------------------------------
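# This script fails to log in '$max_attempts' times, and then successfully logs in once.
# Purpose: produce the SigninLogs pattern (repeated failures then a success from the same IP/UPN)
# that the "Brute Force Success - Azure Active Directory" query looks for, against your OWN tenant.

# Authenticate user against Azure AD
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # Your Tenant ID, you can find on the AAD Blade in the Azure Portal
$username = "attacker@joshmadakorgmail.onmicrosoft.com" # Some Username that exists in your AAD Tenant
# Prompt for the real password instead of keeping it in the script: a plaintext credential stored
# next to the tenant ID and username is a genuine exposure once this file is shared or committed.
$correct_password = Read-Host -Prompt "Password for $username" -AsSecureString
$wrong_password = "___WRONG PASSWORD___" # This is used to generate auth failures
$max_attempts = 11 # This is the number of times to fail the login before succeeding

# Disconnect from AAD if already connected; we want to try to authenticate.
# Get-AzContext returns a context object (or $null), never $true, so test it for truthiness;
# the old `-eq $true` comparison never matched and the disconnect never ran.
if (Get-AzContext) {
    Disconnect-AzAccount
}

# This section will fail $max_attempts logon attempts against Azure AD.
# The bad credential does not change between attempts, so build it once outside the loop.
$wrongSecurePassword = ConvertTo-SecureString $wrong_password -AsPlainText -Force
$wrongCred = New-Object System.Management.Automation.PSCredential ($username, $wrongSecurePassword)

# Counting 1..$max_attempts gives exactly $max_attempts failures; the previous
# `$count = 0` / `-le` loop with the increment inside produced one extra attempt.
for ($count = 1; $count -le $max_attempts; $count++) {
    Start-Sleep -Seconds 1
    try {
        # -ErrorAction Stop makes the sign-in failure a terminating error so the catch block
        # runs and the attempt is reported; with SilentlyContinue the failure could be swallowed.
        Connect-AzAccount -TenantId $tenantId -Credential $wrongCred -ErrorAction Stop
    }
    catch {
        Write-Host "Login Failure. $($count)"
        # $Error[0].Exception.Message # Remove the Hash (#) before $Error if you want to see the error message
    }
}

# This section will (should) successfully authenticate against AAD, simulating a successful brute force attack
$cred = New-Object System.Management.Automation.PSCredential ($username, $correct_password)
Connect-AzAccount -TenantId $tenantId -Credential $cred -ErrorAction SilentlyContinue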
--------------------------------------------------------------------------------
/Attack-Scripts/Malware-Generator-EICAR.ps1:
--------------------------------------------------------------------------------
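# Writes N copies of the EICAR anti-virus test file (EICAR-0.txt, EICAR-1.txt, ...) into the current directory.
# The file is harmless; it exists so Defender detection events can be generated on demand for the
# "Malware Detected" analytics rule.
$TOTAL_VIRUSES_TO_MAKE = 1

# The test string is kept in two halves so that this script itself is not flagged by AV when saved.
$firsthalf = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
$secondhalf = '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

for ($count = 0; $count -lt $TOTAL_VIRUSES_TO_MAKE; $count++) {
    Write-Host "Generating: EICAR-$($count).txt"
    # -Encoding ASCII: the EICAR string must reach disk as plain single-byte characters. Out-File's
    # default encoding on Windows PowerShell 5.1 is UTF-16 LE, which interleaves NUL bytes and
    # produces a file that scanners do not recognise as the test signature.
    "$($firsthalf)$($secondhalf)" | Out-File -FilePath "EICAR-$($count).txt" -Encoding ASCII
}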
14 |
--------------------------------------------------------------------------------
/Attack-Scripts/SQL-Brute-Force-Simulator.ps1:
--------------------------------------------------------------------------------
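# Repeatedly attempts a SQL login with a deliberately wrong password so the target server records
# failed-login events (Event ID 18456 in the Application log) for the
# "Brute Force ATTEMPT - MS SQL Server" rule to pick up. Point it only at a server you own.
$serverName = "20.242.43.183" # Replace with the name of your SQL Server instance
$databaseName = "master" # Replace with the name of your database
$username = "cyber-lab-fake-user" # This is the username to attempt a login with (you can change this)
$password = "__obvious_bad_password_to_generate_auth_failures__"
$max_attempts = 30 # Number of failed logins to generate


# Build the connection string using SQL Server authentication (Integrated Security=False means a
# SQL login with the user/password above, not Windows authentication). You don't have to touch this.
$connectionString = "Server=$serverName;Database=$databaseName;Integrated Security=False;User Id=$username;Password=$password;"

for ($count = 1; $count -le $max_attempts; $count++) {
    # Reset per attempt so the finally block never touches objects left over from a previous iteration
    $connection = $null
    $result = $null
    try {
        # Pause the script for 3 seconds between attempts to allow for processing
        Start-Sleep -Seconds 3

        # Open the connection; with the bad password this is where the login fails
        $connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
        $connection.Open()

        # Only reached if the login unexpectedly succeeds
        $query = "SELECT * FROM spt_monitor"

        # Create a command object and execute the query
        $command = New-Object System.Data.SqlClient.SqlCommand($query, $connection)
        $result = $command.ExecuteReader()

        # Print the column values of each row; Write-Host on the reader object itself prints only its type name
        while ($result.Read()) {
            $values = 0..($result.FieldCount - 1) | ForEach-Object { $result.GetValue($_) }
            Write-Host ($values -join ", ")
        }

    } catch {
        # Expected path for every attempt: report the login failure
        Write-Host "Error: $($Error[0].Exception.Message)"
    } finally {
        # Release the reader and the connection whether or not the attempt succeeded.
        # Dispose() closes an open connection and also frees the object when Open() threw.
        if ($result) { $result.Dispose() }
        if ($connection) { $connection.Dispose() }
    }
}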
45 |
46 |
--------------------------------------------------------------------------------
/KQL-Query-Cheat-Sheet.md:
--------------------------------------------------------------------------------
1 | # Windows Security Event Log
2 |
3 | ```
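// Failed Authentication (RDP, SMB)
// 4625 = account failed to log on; last 15 minutes, all logon types
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(15m)

// Authentication Success (RDP, SMB)
// 4624 = account successfully logged on; last 15 minutes, all logon types
SecurityEvent
| where EventID == 4624
| where TimeGenerated > ago(15m)

// Brute Force Attempt
// One row per source IP that produced 10 or more failures in the last hour
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(60m)
| summarize FailureCount = count() by SourceIP = IpAddress, EventID, Activity
| where FailureCount >= 10

// Brute Force Success Windows
// Hosts where a source IP accumulated >= 5 network-logon (type 3) failures and then logged on successfully
let FailedLogons = SecurityEvent
| where EventID == 4625 and LogonType == 3
| where TimeGenerated > ago(60m)
| summarize FailureCount = count() by AttackerIP = IpAddress, EventID, Activity, LogonType, DestinationHostName = Computer
| where FailureCount >= 5;
let SuccessfulLogons = SecurityEvent
| where EventID == 4624 and LogonType == 3
| where TimeGenerated > ago(60m)
| summarize SuccessfulCount = count() by AttackerIP = IpAddress, LogonType, DestinationHostName = Computer, AuthenticationSuccessTime = TimeGenerated;
SuccessfulLogons
// inner (not leftouter): a success with no preceding failures from the same IP is an ordinary logon,
// not a brute-force success. leftouter returned every type-3 logon with an empty FailureCount;
// the deployed "Brute Force SUCCESS - Windows" analytics rule already uses inner.
| join kind = inner FailedLogons on DestinationHostName, AttackerIP, LogonType
| project AuthenticationSuccessTime, AttackerIP, DestinationHostName, FailureCount, SuccessfulCount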
34 | ```
35 |
36 | # Windows Security Event Log (Malware & Firewall)
37 | ```
// Malware Detection
// Defender operational-log events 1116 and 1117, the same two IDs the "Malware Detected" rule keys on
Event
| where EventLog == "Microsoft-Windows-Windows Defender/Operational" and (EventID == "1116" or EventID == "1117")

// Firewall Tamper Detection
// Event 2003 from the Windows Firewall log
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2003
47 | ```
48 |
49 | # Linux Syslog
50 |
51 | ```
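// Failed logon (ip address extract)
// sshd's "Failed password for ... from <ip> ..." lines; the regex pulls the first IPv4 literal out of the message
let IpAddress_REGEX_PATTERN = @"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b";
Syslog
| where Facility == "auth"
| where SyslogMessage startswith "Failed password for"
| project TimeGenerated, SourceIP = extract(IpAddress_REGEX_PATTERN, 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type

// Successful logon (ip address extract)
let IpAddress_REGEX_PATTERN = @"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b";
Syslog
| where Facility == "auth"
| where SyslogMessage startswith "Accepted password for"
| project TimeGenerated, SourceIP = extract(IpAddress_REGEX_PATTERN, 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type

// Brute Force Attempt Linux Syslog
// One row per attacker IP / host pair with 5 or more failed password attempts in the last hour
let IpAddress_REGEX_PATTERN = @"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b";
Syslog
| where Facility == "auth" and SyslogMessage startswith "Failed password for"
| where TimeGenerated > ago(1h)
| project TimeGenerated, AttackerIP = extract(IpAddress_REGEX_PATTERN, 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type
| summarize FailureCount = count() by AttackerIP, DestinationHostName, DestinationIP
| where FailureCount >= 5

// Brute Force Success Linux
// An accepted password logon from an IP that also produced >= 5 failures against the same host in the last hour
let FailedLogons = Syslog
| where Facility == "auth" and SyslogMessage startswith "Failed password for"
| where TimeGenerated > ago(1h)
| project TimeGenerated, SourceIP = extract(@"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type
| summarize FailureCount = count() by AttackerIP = SourceIP, DestinationHostName
| where FailureCount >= 5;
let SuccessfulLogons = Syslog
| where Facility == "auth" and SyslogMessage startswith "Accepted password for"
| where TimeGenerated > ago(1h)
| project TimeGenerated, SourceIP = extract(@"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type
| summarize SuccessfulCount = count() by SuccessTime = TimeGenerated, AttackerIP = SourceIP, DestinationHostName
| where SuccessfulCount >= 1
| project DestinationHostName, SuccessfulCount, AttackerIP, SuccessTime;
let BruteForceSuccesses = SuccessfulLogons
// inner (not leftouter): leftouter kept every accepted logon, including ones with no failures from that IP,
// so the output was not a list of brute-force successes. The deployed "Brute Force SUCCESS - Linux Syslog"
// rule already uses inner.
| join kind = inner FailedLogons on AttackerIP, DestinationHostName;
BruteForceSuccesses

// Queries the linux syslog for any user accounts created
// By @slendymayne (Discord)
// Note: the shell filter means accounts created with a different login shell (or none) are not returned
Syslog
| where Facility == "authpriv" and SeverityLevel == "info"
| where SyslogMessage contains "new user" and SyslogMessage contains "shell=/bin/bash"
| project TimeGenerated, HostIP, HostName, ProcessID, SyslogMessage

// Queries for any users given sudo privileges
// By @slendymayne (Discord)
Syslog
| where Facility == "authpriv" and SeverityLevel == "info"
| where SyslogMessage contains "to group 'sudo'"
| project TimeGenerated, HostIP, Computer, ProcessID, SyslogMessage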
106 | ```
107 |
108 | # Azure Active Directory
109 |
110 | ```
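// View Mass AAD Auth Failures
// Every bad-password sign-in, with the location fields flattened out of LocationDetails
SigninLogs
| where ResultDescription == "Invalid username or password or Invalid on-premise username or password."
| extend location = parse_json(LocationDetails)
| extend City = location.city, State = location.state, Country = location.countryOrRegion, Latitude = location.geoCoordinates.latitude, Longitude = location.geoCoordinates.longitude
| project TimeGenerated, ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, IPAddressFromResourceProvider, City, State, Country, Latitude, Longitude

// View Global Administrator Assignment
// NOTE(review): relies on modifiedProperties[1] holding the role display name — confirm against a sample row before alerting on it
AuditLogs
| where OperationName == "Add member to role" and Result == "success"
| where TargetResources[0].modifiedProperties[1].newValue == '"Global Administrator"' or TargetResources[0].modifiedProperties[1].newValue == '"Company Administrator"'
| order by TimeGenerated desc
| project TimeGenerated, OperationName, AssignedRole = TargetResources[0].modifiedProperties[1].newValue, Status = Result, TargetResources

// View Password Activities
AuditLogs
| where OperationName contains "password"
| order by TimeGenerated

// Brute Force Success Azure Active Directory
// Accounts where one IP produced bad-password failures and then a successful sign-in (errorCode 0) within the hour.
// Country uses LocationDetails.countryOrRegion, the same field name as the "View Mass AAD Auth Failures" query above.
let FailedLogons = SigninLogs
| where Status.failureReason == "Invalid username or password or Invalid on-premise username or password."
| where TimeGenerated > ago(1h)
| project TimeGenerated, Status = Status.failureReason, UserPrincipalName, UserId, UserDisplayName, AppDisplayName, AttackerIP = IPAddress, IPAddressFromResourceProvider, City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Latitude = LocationDetails.geoCoordinates.latitude, Longitude = LocationDetails.geoCoordinates.longitude
| summarize FailureCount = count() by AttackerIP, UserPrincipalName;
let SuccessfulLogons = SigninLogs
| where Status.errorCode == 0
| where TimeGenerated > ago(1h)
| project TimeGenerated, Status = Status.errorCode, UserPrincipalName, UserId, UserDisplayName, AppDisplayName, AttackerIP = IPAddress, IPAddressFromResourceProvider, City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Latitude = LocationDetails.geoCoordinates.latitude, Longitude = LocationDetails.geoCoordinates.longitude
| summarize SuccessCount = count() by AuthenticationSuccessTime = TimeGenerated, AttackerIP, UserPrincipalName, UserId, UserDisplayName;
let BruteForceSuccesses = SuccessfulLogons
// inner (not leftouter): a success with no failures from the same IP for the same account is an ordinary
// sign-in; leftouter listed every successful sign-in in the hour with an empty FailureCount.
| join kind = inner FailedLogons on AttackerIP, UserPrincipalName;
BruteForceSuccesses
| project AttackerIP, TargetAccount = UserPrincipalName, UserId, FailureCount, SuccessCount, AuthenticationSuccessTime

// Excessive password Resets
// Counts Change*/Reset* operations per initiator and keeps initiators with 10 or more
AuditLogs
| where OperationName startswith "Change" or OperationName startswith "Reset"
| order by TimeGenerated
| summarize count() by tostring(InitiatedBy)
| project Count = count_, InitiatorId = parse_json(InitiatedBy).user.id, InitiatorUpn = parse_json(InitiatedBy).user.userPrincipalName, InitiatorIpAddress = parse_json(InitiatedBy).user.ipAddress
| where Count >= 10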
153 |
154 | ```
155 |
156 | # Azure Storage Account
157 |
158 | ```
// Authorization Error
// Requests that failed because the caller lacked permission on the blob, oldest first
StorageBlobLogs
| where MetricResponseType endswith "Error" and StatusText == "AuthorizationPermissionMismatch"
| order by TimeGenerated asc

// Reading a bunch of blobs
// Raw GetBlob operations; add a summarize by caller/IP if you want a count rather than the rows
StorageBlobLogs
| where OperationName == "GetBlob"

//Deleting a bunch of blobs (in a short time period)
StorageBlobLogs
| where TimeGenerated > ago(24h) and OperationName == "DeleteBlob"

//Putting a bunch of blobs (in a short time period)
StorageBlobLogs
| where TimeGenerated > ago(24h) and OperationName == "PutBlob"

//Copying a bunch of blobs (in a short time period)
StorageBlobLogs
| where TimeGenerated > ago(24h) and OperationName == "CopyBlob"
180 | ```
181 |
182 | # Azure Key Vault
183 |
184 | ```
// List out Secrets
// Every enumeration of the vault's secret names (SecretList), regardless of outcome
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretList"

// Attempt to view passwords that don't exist
// SecretGet calls that came back Not Found: a caller guessing at secret names
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretGet"
| where ResultSignature == "Not Found"

// Viewing an actual existing password
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretGet"
| where ResultSignature == "OK"

// Viewing a specific existing password
// NOTE(review): `contains` also matches any secret whose id merely includes this string (e.g. a copy
// with a suffix), whereas the SecretSet queries below use `endswith`. Check what id_s actually holds
// (it may carry a version segment after the name) and pick one operator deliberately.
let CRITICAL_PASSWORD_NAME = "Tenant-Global-Admin-Password";
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretGet"
| where id_s contains CRITICAL_PASSWORD_NAME

// Updating a password Success
// Any SecretSet, i.e. a secret value being created or overwritten
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretSet"

// Updating a specific existing password Success
// Same as the last query in this section, limited to the past two hours
let CRITICAL_PASSWORD_NAME = "Tenant-Global-Admin-Password";
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretSet"
| where id_s endswith CRITICAL_PASSWORD_NAME
| where TimeGenerated > ago(2h)

// Failed access attempts
// NOTE(review): the deployed "Brute Force ATTEMPT - Azure Key Vault" rule filters on "Forbidden" instead
// of "Unauthorized"; confirm which ResultSignature your vault emits for the failures you care about
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where ResultSignature == "Unauthorized"

// Updating a specific existing secret in Key Vault
let CRITICAL_PASSWORD_NAME = "Tenant-Global-Admin-Password";
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "SecretSet"
| where id_s endswith CRITICAL_PASSWORD_NAME
233 | ```
234 |
235 | # Network Security Groups
236 |
237 | ```
// Allowed inbound malicious flows
// NSG flow-analytics rows classified as MaliciousFlow where at least one inbound flow was allowed through
AzureNetworkAnalytics_CL
| where FlowType_s == "MaliciousFlow"
| where AllowedInFlows_d >= 1
| project TimeGenerated, FlowType = FlowType_s, IpAddress = SrcIP_s, DestinationIpAddress = DestIP_s, DestinationPort = DestPort_d, Protocol = L7Protocol_s, NSGRuleMatched = NSGRules_s, InboundFlowCount = AllowedInFlows_d
242 | ```
243 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Building a SOC + Honeynet in Azure (Live Traffic)
2 | 
3 |
4 | ## Introduction
5 |
6 | In this project, I built a mini honeynet in Azure and ingested log sources from various resources into a Log Analytics workspace, which Microsoft Sentinel then used to build attack maps, trigger alerts, and create incidents. I measured some security metrics in the insecure environment for 24 hours, applied some security controls to harden the environment, measured metrics for another 24 hours, and show the results below. The metrics shown are:
7 |
8 | - SecurityEvent (Windows Event Logs)
9 | - Syslog (Linux Event Logs)
10 | - SecurityAlert (Log Analytics Alerts Triggered)
11 | - SecurityIncident (Incidents created by Sentinel)
12 | - AzureNetworkAnalytics_CL (Malicious Flows allowed into our honeynet)
13 |
14 | ## Architecture Before Hardening / Security Controls
15 | 
16 |
17 | ## Architecture After Hardening / Security Controls
18 | 
19 |
20 | The architecture of the mini honeynet in Azure consists of the following components:
21 |
22 | - Virtual Network (VNet)
23 | - Network Security Group (NSG)
24 | - Virtual Machines (2 windows, 1 linux)
25 | - Log Analytics Workspace
26 | - Azure Key Vault
27 | - Azure Storage Account
28 | - Microsoft Sentinel
29 |
30 | For the "BEFORE" metrics, all resources were originally deployed exposed to the internet. The Virtual Machines had both their Network Security Groups and built-in firewalls wide open, and all other resources were deployed with public endpoints visible to the Internet; that is, no Private Endpoints were used.
31 |
32 | For the "AFTER" metrics, Network Security Groups were hardened by blocking ALL traffic with the exception of my admin workstation, and all other resources were protected by their built-in firewalls as well as Private Endpoints.
33 |
34 | ## Attack Maps Before Hardening / Security Controls
35 | 
36 | 
37 | 
38 |
39 | ## Metrics Before Hardening / Security Controls
40 |
41 | The following table shows the metrics we measured in our insecure environment for 24 hours:
42 | Start Time 2023-03-15 17:04:29
43 | Stop Time 2023-03-16 17:04:29
44 |
45 | | Metric | Count
46 | | ------------------------ | -----
47 | | SecurityEvent | 19470
48 | | Syslog | 3028
49 | | SecurityAlert | 10
50 | | SecurityIncident | 348
51 | | AzureNetworkAnalytics_CL | 843
52 |
53 | ## Attack Maps After Hardening / Security Controls
54 |
55 | ```All map queries returned no results, as there were no instances of malicious activity during the 24-hour period after hardening.```
56 |
57 | ## Metrics After Hardening / Security Controls
58 |
59 | The following table shows the metrics we measured in our environment for another 24 hours, after we had applied security controls:
60 | Start Time 2023-03-18 15:37
61 | Stop Time 2023-03-19 15:37
62 |
63 | | Metric | Count
64 | | ------------------------ | -----
65 | | SecurityEvent | 8778
66 | | Syslog | 25
67 | | SecurityAlert | 0
68 | | SecurityIncident | 0
69 | | AzureNetworkAnalytics_CL | 0
70 |
71 | ## Conclusion
72 |
73 | In this project, a mini honeynet was constructed in Microsoft Azure and log sources were integrated into a Log Analytics workspace. Microsoft Sentinel was employed to trigger alerts and create incidents based on the ingested logs. Additionally, metrics were measured in the insecure environment before security controls were applied, and then again after implementing security measures. It is noteworthy that the number of security events and incidents was drastically reduced after the security controls were applied, demonstrating their effectiveness.
74 |
75 | It is worth noting that if the resources within the network were heavily utilized by regular users, it is likely that more security events and alerts may have been generated within the 24-hour period following the implementation of the security controls.
76 |
--------------------------------------------------------------------------------
/Sentinel-Analytics-Rules/Sentinel-Analytics-Rules(KQL Alert Queries).json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "workspace": {
6 | "type": "String"
7 | }
8 | },
9 | "resources": [
10 | {
11 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c220acf2-b8bb-436d-ad4f-7e3174bbf5a1')]",
12 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c220acf2-b8bb-436d-ad4f-7e3174bbf5a1')]",
13 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
14 | "kind": "Scheduled",
15 | "apiVersion": "2022-09-01-preview",
16 | "properties": {
17 | "displayName": "CUSTOM: Possible Privilege Escalation (Azure Key Vault Critical Credential Retrieval or Update)",
18 | "description": "",
19 | "severity": "High",
20 | "enabled": true,
21 | "query": "// Updating a specific existing password Success\nlet CRITICAL_PASSWORD_NAME = \"Tenant-Global-Admin-Password\";\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.KEYVAULT\" \n| where OperationName == \"SecretGet\" or OperationName == \"SecretSet\"\n| where id_s contains CRITICAL_PASSWORD_NAME",
22 | "queryFrequency": "PT10M",
23 | "queryPeriod": "PT5H",
24 | "triggerOperator": "GreaterThan",
25 | "triggerThreshold": 0,
26 | "suppressionDuration": "PT5H",
27 | "suppressionEnabled": false,
28 | "startTimeUtc": null,
29 | "tactics": [
30 | "PrivilegeEscalation"
31 | ],
32 | "techniques": [],
33 | "alertRuleTemplateName": null,
34 | "incidentConfiguration": {
35 | "createIncident": true,
36 | "groupingConfiguration": {
37 | "enabled": true,
38 | "reopenClosedIncident": false,
39 | "lookbackDuration": "PT5H",
40 | "matchingMethod": "AllEntities",
41 | "groupByEntities": [],
42 | "groupByAlertDetails": [],
43 | "groupByCustomDetails": []
44 | }
45 | },
46 | "eventGroupingSettings": {
47 | "aggregationKind": "SingleAlert"
48 | },
49 | "alertDetailsOverride": null,
50 | "customDetails": null,
51 | "entityMappings": [
52 | {
53 | "entityType": "IP",
54 | "fieldMappings": [
55 | {
56 | "identifier": "Address",
57 | "columnName": "CallerIPAddress"
58 | }
59 | ]
60 | }
61 | ],
62 | "sentinelEntitiesMappings": null,
63 | "templateVersion": null
64 | }
65 | },
66 | {
67 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dbab268c-6906-4e22-a632-8fe263025f2b')]",
68 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dbab268c-6906-4e22-a632-8fe263025f2b')]",
69 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
70 | "kind": "Scheduled",
71 | "apiVersion": "2022-09-01-preview",
72 | "properties": {
73 | "displayName": "CUSTOM: Brute Force SUCCESS - Linux Syslog",
74 | "description": "",
75 | "severity": "High",
76 | "enabled": true,
77 | "query": "// Brute Force Success Linux\nlet FailedLogons = Syslog\n| where Facility == \"auth\" and SyslogMessage startswith \"Failed password for\"\n| where TimeGenerated > ago(1h)\n| project TimeGenerated, SourceIP = extract(@\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\", 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type\n| summarize FailureCount = count() by AttackerIP = SourceIP, DestinationHostName\n| where FailureCount >= 5;\nlet SuccessfulLogons = Syslog\n| where Facility == \"auth\" and SyslogMessage startswith \"Accepted password for\"\n| where TimeGenerated > ago(1h)\n| project TimeGenerated, SourceIP = extract(@\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\", 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type\n| summarize SuccessfulCount = count() by SuccessTime = TimeGenerated, AttackerIP = SourceIP, DestinationHostName\n| where SuccessfulCount >= 1\n| project DestinationHostName, SuccessfulCount, AttackerIP, SuccessTime;\nlet BruteForceSuccesses = SuccessfulLogons \n| join kind = inner FailedLogons on AttackerIP, DestinationHostName;\nBruteForceSuccesses",
78 | "queryFrequency": "PT59M",
79 | "queryPeriod": "PT1H",
80 | "triggerOperator": "GreaterThan",
81 | "triggerThreshold": 0,
82 | "suppressionDuration": "PT5H",
83 | "suppressionEnabled": false,
84 | "startTimeUtc": null,
85 | "tactics": [
86 | "CredentialAccess"
87 | ],
88 | "techniques": [
89 | "T1110"
90 | ],
91 | "alertRuleTemplateName": null,
92 | "incidentConfiguration": {
93 | "createIncident": true,
94 | "groupingConfiguration": {
95 | "enabled": true,
96 | "reopenClosedIncident": false,
97 | "lookbackDuration": "PT1H",
98 | "matchingMethod": "AllEntities",
99 | "groupByEntities": [],
100 | "groupByAlertDetails": [],
101 | "groupByCustomDetails": []
102 | }
103 | },
104 | "eventGroupingSettings": {
105 | "aggregationKind": "AlertPerResult"
106 | },
107 | "alertDetailsOverride": null,
108 | "customDetails": null,
109 | "entityMappings": [
110 | {
111 | "entityType": "IP",
112 | "fieldMappings": [
113 | {
114 | "identifier": "Address",
115 | "columnName": "AttackerIP"
116 | }
117 | ]
118 | },
119 | {
120 | "entityType": "Host",
121 | "fieldMappings": [
122 | {
123 | "identifier": "HostName",
124 | "columnName": "DestinationHostName"
125 | }
126 | ]
127 | }
128 | ],
129 | "sentinelEntitiesMappings": null,
130 | "templateVersion": null
131 | }
132 | },
133 | {
134 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2ba75994-1fbe-4ec0-b312-015b47e10576')]",
135 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2ba75994-1fbe-4ec0-b312-015b47e10576')]",
136 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
137 | "kind": "Scheduled",
138 | "apiVersion": "2022-09-01-preview",
139 | "properties": {
140 | "displayName": "CUSTOM: Brute Force ATTEMPT - Azure Key Vault",
141 | "description": "",
142 | "severity": "Medium",
143 | "enabled": true,
144 | "query": "// Failed access attempts\nAzureDiagnostics\n| where ResourceProvider == \"MICROSOFT.KEYVAULT\" \n| where ResultSignature == \"Forbidden\"\n\n",
145 | "queryFrequency": "PT10M",
146 | "queryPeriod": "PT5H",
147 | "triggerOperator": "GreaterThan",
148 | "triggerThreshold": 9,
149 | "suppressionDuration": "PT5H",
150 | "suppressionEnabled": false,
151 | "startTimeUtc": null,
152 | "tactics": [
153 | "CredentialAccess"
154 | ],
155 | "techniques": [
156 | "T1110"
157 | ],
158 | "alertRuleTemplateName": null,
159 | "incidentConfiguration": {
160 | "createIncident": true,
161 | "groupingConfiguration": {
162 | "enabled": true,
163 | "reopenClosedIncident": false,
164 | "lookbackDuration": "PT5H",
165 | "matchingMethod": "AllEntities",
166 | "groupByEntities": [],
167 | "groupByAlertDetails": [],
168 | "groupByCustomDetails": []
169 | }
170 | },
171 | "eventGroupingSettings": {
172 | "aggregationKind": "SingleAlert"
173 | },
174 | "alertDetailsOverride": null,
175 | "customDetails": null,
176 | "entityMappings": [
177 | {
178 | "entityType": "IP",
179 | "fieldMappings": [
180 | {
181 | "identifier": "Address",
182 | "columnName": "CallerIPAddress"
183 | }
184 | ]
185 | }
186 | ],
187 | "sentinelEntitiesMappings": null,
188 | "templateVersion": null
189 | }
190 | },
191 | {
192 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e5450d35-8fd2-47a8-b9cf-e8081d798e8b')]",
193 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e5450d35-8fd2-47a8-b9cf-e8081d798e8b')]",
194 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
195 | "kind": "Scheduled",
196 | "apiVersion": "2022-09-01-preview",
197 | "properties": {
198 | "displayName": "CUSTOM: Malware Detected",
199 | "description": "",
200 | "severity": "High",
201 | "enabled": true,
202 | "query": "Event\n| where EventLog == \"Microsoft-Windows-Windows Defender/Operational\"\n| where EventID == \"1116\" or EventID == \"1117\"",
203 | "queryFrequency": "PT10M",
204 | "queryPeriod": "PT1H",
205 | "triggerOperator": "GreaterThan",
206 | "triggerThreshold": 0,
207 | "suppressionDuration": "PT5H",
208 | "suppressionEnabled": false,
209 | "startTimeUtc": null,
210 | "tactics": [],
211 | "techniques": [],
212 | "alertRuleTemplateName": null,
213 | "incidentConfiguration": {
214 | "createIncident": true,
215 | "groupingConfiguration": {
216 | "enabled": true,
217 | "reopenClosedIncident": false,
218 | "lookbackDuration": "PT5H",
219 | "matchingMethod": "AllEntities",
220 | "groupByEntities": [],
221 | "groupByAlertDetails": [],
222 | "groupByCustomDetails": []
223 | }
224 | },
225 | "eventGroupingSettings": {
226 | "aggregationKind": "SingleAlert"
227 | },
228 | "alertDetailsOverride": null,
229 | "customDetails": null,
230 | "entityMappings": [
231 | {
232 | "entityType": "Host",
233 | "fieldMappings": [
234 | {
235 | "identifier": "HostName",
236 | "columnName": "Computer"
237 | }
238 | ]
239 | }
240 | ],
241 | "sentinelEntitiesMappings": null,
242 | "templateVersion": null
243 | }
244 | },
245 | {
246 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5b3b873a-3204-4983-9533-88b4a9c71c2d')]",
247 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5b3b873a-3204-4983-9533-88b4a9c71c2d')]",
248 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
249 | "kind": "Scheduled",
250 | "apiVersion": "2022-09-01-preview",
251 | "properties": {
252 | "displayName": "CUSTOM: Brute Force SUCCESS - Windows",
253 | "description": "If you see a SUCCESS but the Account is \"NT AUTHORITY\\ANONYMOUS LOGON\", check out this article: https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html",
254 | "severity": "High",
255 | "enabled": true,
256 | "query": "// Brute Force Success Windows\nlet FailedLogons = SecurityEvent\n| where EventID == 4625 and LogonType == 3\n| where TimeGenerated > ago(1h)\n| summarize FailureCount = count() by AttackerIP = IpAddress, EventID, Activity, LogonType, DestinationHostName = Computer\n| where FailureCount >= 5;\nlet SuccessfulLogons = SecurityEvent\n| where EventID == 4624 and LogonType == 3\n| where TimeGenerated > ago(1h)\n| summarize SuccessfulCount = count() by AttackerIP = IpAddress, LogonType, DestinationHostName = Computer, AuthenticationSuccessTime = TimeGenerated;\nSuccessfulLogons\n| join kind = inner FailedLogons on DestinationHostName, AttackerIP, LogonType\n| project AuthenticationSuccessTime, AttackerIP, DestinationHostName, FailureCount, SuccessfulCount\n",
257 | "queryFrequency": "PT59M",
258 | "queryPeriod": "PT1H",
259 | "triggerOperator": "GreaterThan",
260 | "triggerThreshold": 0,
261 | "suppressionDuration": "PT5H",
262 | "suppressionEnabled": false,
263 | "startTimeUtc": null,
264 | "tactics": [
265 | "CredentialAccess"
266 | ],
267 | "techniques": [
268 | "T1110"
269 | ],
270 | "alertRuleTemplateName": null,
271 | "incidentConfiguration": {
272 | "createIncident": true,
273 | "groupingConfiguration": {
274 | "enabled": true,
275 | "reopenClosedIncident": false,
276 | "lookbackDuration": "PT1H",
277 | "matchingMethod": "AllEntities",
278 | "groupByEntities": [],
279 | "groupByAlertDetails": [],
280 | "groupByCustomDetails": []
281 | }
282 | },
283 | "eventGroupingSettings": {
284 | "aggregationKind": "AlertPerResult"
285 | },
286 | "alertDetailsOverride": null,
287 | "customDetails": null,
288 | "entityMappings": [
289 | {
290 | "entityType": "IP",
291 | "fieldMappings": [
292 | {
293 | "identifier": "Address",
294 | "columnName": "AttackerIP"
295 | }
296 | ]
297 | },
298 | {
299 | "entityType": "Host",
300 | "fieldMappings": [
301 | {
302 | "identifier": "HostName",
303 | "columnName": "DestinationHostName"
304 | }
305 | ]
306 | }
307 | ],
308 | "sentinelEntitiesMappings": null,
309 | "templateVersion": null
310 | }
311 | },
312 | {
313 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c18a784d-5d2e-47bd-8203-bd4cc09b03d2')]",
314 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c18a784d-5d2e-47bd-8203-bd4cc09b03d2')]",
315 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
316 | "kind": "Scheduled",
317 | "apiVersion": "2022-09-01-preview",
318 | "properties": {
319 | "displayName": "CUSTOM: Brute Force ATTEMPT - MS SQL Server",
320 | "description": "",
321 | "severity": "Medium",
322 | "enabled": true,
323 | "query": "// Brute Force Attempt MS SQL Server\nlet IpAddress_REGEX_PATTERN = @\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\";\nEvent\n| where EventLog == \"Application\"\n| where EventID == 18456\n| where TimeGenerated > ago(1hr)\n| project TimeGenerated, AttackerIP = extract(IpAddress_REGEX_PATTERN, 0, RenderedDescription), DestinationHostName = Computer, RenderedDescription\n| summarize FailureCount = count() by AttackerIP, DestinationHostName\n| where FailureCount >= 10",
324 | "queryFrequency": "PT10M",
325 | "queryPeriod": "PT1H",
326 | "triggerOperator": "GreaterThan",
327 | "triggerThreshold": 0,
328 | "suppressionDuration": "PT5H",
329 | "suppressionEnabled": false,
330 | "startTimeUtc": null,
331 | "tactics": [
332 | "CredentialAccess"
333 | ],
334 | "techniques": [
335 | "T1110"
336 | ],
337 | "alertRuleTemplateName": null,
338 | "incidentConfiguration": {
339 | "createIncident": true,
340 | "groupingConfiguration": {
341 | "enabled": true,
342 | "reopenClosedIncident": false,
343 | "lookbackDuration": "PT5H",
344 | "matchingMethod": "AllEntities",
345 | "groupByEntities": [],
346 | "groupByAlertDetails": [],
347 | "groupByCustomDetails": []
348 | }
349 | },
350 | "eventGroupingSettings": {
351 | "aggregationKind": "SingleAlert"
352 | },
353 | "alertDetailsOverride": null,
354 | "customDetails": null,
355 | "entityMappings": [
356 | {
357 | "entityType": "Host",
358 | "fieldMappings": [
359 | {
360 | "identifier": "HostName",
361 | "columnName": "DestinationHostName"
362 | }
363 | ]
364 | },
365 | {
366 | "entityType": "IP",
367 | "fieldMappings": [
368 | {
369 | "identifier": "Address",
370 | "columnName": "AttackerIP"
371 | }
372 | ]
373 | }
374 | ],
375 | "sentinelEntitiesMappings": null,
376 | "templateVersion": null
377 | }
378 | },
379 | {
380 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d333ea31-4077-48a4-ad0e-c43909edde93')]",
381 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d333ea31-4077-48a4-ad0e-c43909edde93')]",
382 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
383 | "kind": "Scheduled",
384 | "apiVersion": "2022-09-01-preview",
385 | "properties": {
386 | "displayName": "CUSTOM: Possible Privilege Escalation (Global Administrator Role Assignment)",
387 | "description": "",
388 | "severity": "High",
389 | "enabled": true,
390 | "query": "AuditLogs\n| where OperationName == \"Add member to role\" and Result == \"success\"\n| where TargetResources[0].modifiedProperties[1].newValue == '\"Global Administrator\"' or TargetResources[0].modifiedProperties[1].newValue == '\"Company Administrator\"' and TargetResources[0].type == \"User\"\n| where TimeGenerated > ago(60m)\n| project\n TimeGenerated,\n OperationName,\n AssignedRole = TargetResources[0].modifiedProperties[1].newValue,\n Status = Result,\n TargetResources,\n InitiatorID = InitiatedBy[\"user\"][\"id\"],\n TargetID = TargetResources[0][\"id\"]",
391 | "queryFrequency": "PT5M",
392 | "queryPeriod": "PT1H",
393 | "triggerOperator": "GreaterThan",
394 | "triggerThreshold": 0,
395 | "suppressionDuration": "PT5H",
396 | "suppressionEnabled": false,
397 | "startTimeUtc": null,
398 | "tactics": [
399 | "PrivilegeEscalation"
400 | ],
401 | "techniques": [],
402 | "alertRuleTemplateName": null,
403 | "incidentConfiguration": {
404 | "createIncident": true,
405 | "groupingConfiguration": {
406 | "enabled": true,
407 | "reopenClosedIncident": false,
408 | "lookbackDuration": "PT5H",
409 | "matchingMethod": "AllEntities",
410 | "groupByEntities": [],
411 | "groupByAlertDetails": [],
412 | "groupByCustomDetails": []
413 | }
414 | },
415 | "eventGroupingSettings": {
416 | "aggregationKind": "SingleAlert"
417 | },
418 | "alertDetailsOverride": null,
419 | "customDetails": null,
420 | "entityMappings": [
421 | {
422 | "entityType": "Account",
423 | "fieldMappings": [
424 | {
425 | "identifier": "AadUserId",
426 | "columnName": "InitiatorID"
427 | }
428 | ]
429 | },
430 | {
431 | "entityType": "Account",
432 | "fieldMappings": [
433 | {
434 | "identifier": "AadUserId",
435 | "columnName": "TargetID"
436 | }
437 | ]
438 | }
439 | ],
440 | "sentinelEntitiesMappings": null,
441 | "templateVersion": null
442 | }
443 | },
444 | {
445 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4891fd6a-75e3-4b43-a5ae-33dbaaf2342e')]",
446 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4891fd6a-75e3-4b43-a5ae-33dbaaf2342e')]",
447 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
448 | "kind": "Scheduled",
449 | "apiVersion": "2022-09-01-preview",
450 | "properties": {
451 | "displayName": "CUSTOM: Brute Force ATTEMPT - Azure Active Directory",
452 | "description": "",
453 | "severity": "Medium",
454 | "enabled": true,
455 | "query": "SigninLogs\n| where ResultDescription == \"Invalid username or password or Invalid on-premise username or password.\"\n| project TimeGenerated, ResultDescription, UserPrincipalName, UserId, AppDisplayName, IPAddress, IPAddressFromResourceProvider, City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.country, Latitude = LocationDetails.geoCoordinates.latitude, Longitude = LocationDetails.geoCoordinates.longitude",
456 | "queryFrequency": "PT10M",
457 | "queryPeriod": "PT1H",
458 | "triggerOperator": "GreaterThan",
459 | "triggerThreshold": 9,
460 | "suppressionDuration": "PT5H",
461 | "suppressionEnabled": false,
462 | "startTimeUtc": null,
463 | "tactics": [
464 | "CredentialAccess"
465 | ],
466 | "techniques": [
467 | "T1110"
468 | ],
469 | "alertRuleTemplateName": null,
470 | "incidentConfiguration": {
471 | "createIncident": true,
472 | "groupingConfiguration": {
473 | "enabled": true,
474 | "reopenClosedIncident": false,
475 | "lookbackDuration": "PT1H",
476 | "matchingMethod": "AllEntities",
477 | "groupByEntities": [],
478 | "groupByAlertDetails": [],
479 | "groupByCustomDetails": []
480 | }
481 | },
482 | "eventGroupingSettings": {
483 | "aggregationKind": "SingleAlert"
484 | },
485 | "alertDetailsOverride": null,
486 | "customDetails": null,
487 | "entityMappings": [
488 | {
489 | "entityType": "Account",
490 | "fieldMappings": [
491 | {
492 | "identifier": "AadUserId",
493 | "columnName": "UserId"
494 | }
495 | ]
496 | },
497 | {
498 | "entityType": "IP",
499 | "fieldMappings": [
500 | {
501 | "identifier": "Address",
502 | "columnName": "IPAddress"
503 | }
504 | ]
505 | }
506 | ],
507 | "sentinelEntitiesMappings": null,
508 | "templateVersion": null
509 | }
510 | },
511 | {
512 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b1cafe38-aa17-49a4-ac62-99198caeb3fb')]",
513 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b1cafe38-aa17-49a4-ac62-99198caeb3fb')]",
514 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
515 | "kind": "Scheduled",
516 | "apiVersion": "2022-09-01-preview",
517 | "properties": {
518 | "displayName": "CUSTOM: Possible Lateral Movement (Excessive Password Resets)",
519 | "description": "",
520 | "severity": "Medium",
521 | "enabled": true,
522 | "query": "AuditLogs\n| where OperationName startswith \"Change\" or OperationName startswith \"Reset\"\n| order by TimeGenerated\n| summarize count() by tostring(InitiatedBy)\n| project Count = count_, InitiatorId = parse_json(InitiatedBy).user.id, InitiatorUpn = parse_json(InitiatedBy).user.userPrincipalName, InitiatorIpAddress = parse_json(InitiatedBy).user.ipAddress \n| where Count >= 10\n",
523 | "queryFrequency": "PT5M",
524 | "queryPeriod": "PT5H",
525 | "triggerOperator": "GreaterThan",
526 | "triggerThreshold": 0,
527 | "suppressionDuration": "PT5H",
528 | "suppressionEnabled": false,
529 | "startTimeUtc": null,
530 | "tactics": [
531 | "CredentialAccess",
532 | "PrivilegeEscalation"
533 | ],
534 | "techniques": [
535 | "T1555",
536 | "T1078"
537 | ],
538 | "alertRuleTemplateName": null,
539 | "incidentConfiguration": {
540 | "createIncident": true,
541 | "groupingConfiguration": {
542 | "enabled": true,
543 | "reopenClosedIncident": false,
544 | "lookbackDuration": "PT1H",
545 | "matchingMethod": "AllEntities",
546 | "groupByEntities": [],
547 | "groupByAlertDetails": [],
548 | "groupByCustomDetails": []
549 | }
550 | },
551 | "eventGroupingSettings": {
552 | "aggregationKind": "SingleAlert"
553 | },
554 | "alertDetailsOverride": null,
555 | "customDetails": null,
556 | "entityMappings": [
557 | {
558 | "entityType": "Account",
559 | "fieldMappings": [
560 | {
561 | "identifier": "AadUserId",
562 | "columnName": "InitiatorId"
563 | }
564 | ]
565 | },
566 | {
567 | "entityType": "IP",
568 | "fieldMappings": [
569 | {
570 | "identifier": "Address",
571 | "columnName": "InitiatorIpAddress"
572 | }
573 | ]
574 | }
575 | ],
576 | "sentinelEntitiesMappings": null,
577 | "templateVersion": null
578 | }
579 | },
580 | {
581 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cf0df627-c9ba-4fa7-858d-265cd5cd3548')]",
582 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cf0df627-c9ba-4fa7-858d-265cd5cd3548')]",
583 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
584 | "kind": "Scheduled",
585 | "apiVersion": "2022-09-01-preview",
586 | "properties": {
587 | "displayName": "CUSTOM: Brute Force ATTEMPT - Linux Syslog",
588 | "description": "",
589 | "severity": "Medium",
590 | "enabled": true,
591 | "query": "// Brute Force Attempt Linux\nlet IpAddress_REGEX_PATTERN = @\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\";\nSyslog\n| where Facility == \"auth\" and SyslogMessage startswith \"Failed password for\"\n| where TimeGenerated > ago(1h)\n| project TimeGenerated, AttackerIP = extract(IpAddress_REGEX_PATTERN, 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type\n| summarize FailureCount = count() by AttackerIP, DestinationHostName, DestinationIP\n| where FailureCount >= 10",
592 | "queryFrequency": "PT10M",
593 | "queryPeriod": "PT1H",
594 | "triggerOperator": "GreaterThan",
595 | "triggerThreshold": 0,
596 | "suppressionDuration": "PT5H",
597 | "suppressionEnabled": false,
598 | "startTimeUtc": null,
599 | "tactics": [
600 | "CredentialAccess"
601 | ],
602 | "techniques": [
603 | "T1110"
604 | ],
605 | "alertRuleTemplateName": null,
606 | "incidentConfiguration": {
607 | "createIncident": true,
608 | "groupingConfiguration": {
609 | "enabled": true,
610 | "reopenClosedIncident": false,
611 | "lookbackDuration": "PT5H",
612 | "matchingMethod": "AllEntities",
613 | "groupByEntities": [],
614 | "groupByAlertDetails": [],
615 | "groupByCustomDetails": []
616 | }
617 | },
618 | "eventGroupingSettings": {
619 | "aggregationKind": "SingleAlert"
620 | },
621 | "alertDetailsOverride": null,
622 | "customDetails": null,
623 | "entityMappings": [
624 | {
625 | "entityType": "Host",
626 | "fieldMappings": [
627 | {
628 | "identifier": "HostName",
629 | "columnName": "DestinationHostName"
630 | }
631 | ]
632 | },
633 | {
634 | "entityType": "IP",
635 | "fieldMappings": [
636 | {
637 | "identifier": "Address",
638 | "columnName": "AttackerIP"
639 | }
640 | ]
641 | }
642 | ],
643 | "sentinelEntitiesMappings": null,
644 | "templateVersion": null
645 | }
646 | },
647 | {
648 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6099513-e6c6-492f-b81a-a66d14d84445')]",
649 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6099513-e6c6-492f-b81a-a66d14d84445')]",
650 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
651 | "kind": "Scheduled",
652 | "apiVersion": "2022-09-01-preview",
653 | "properties": {
654 | "displayName": "CUSTOM: Windows Host Firewall Tampering",
655 | "description": "",
656 | "severity": "High",
657 | "enabled": true,
658 | "query": "Event\n| where EventLog == \"Microsoft-Windows-Windows Firewall With Advanced Security/Firewall\"\n| where EventID == 2003",
659 | "queryFrequency": "PT10M",
660 | "queryPeriod": "PT1H",
661 | "triggerOperator": "GreaterThan",
662 | "triggerThreshold": 0,
663 | "suppressionDuration": "PT5H",
664 | "suppressionEnabled": false,
665 | "startTimeUtc": null,
666 | "tactics": [
667 | "DefenseEvasion"
668 | ],
669 | "techniques": [],
670 | "alertRuleTemplateName": null,
671 | "incidentConfiguration": {
672 | "createIncident": true,
673 | "groupingConfiguration": {
674 | "enabled": true,
675 | "reopenClosedIncident": false,
676 | "lookbackDuration": "PT5H",
677 | "matchingMethod": "AllEntities",
678 | "groupByEntities": [],
679 | "groupByAlertDetails": [],
680 | "groupByCustomDetails": []
681 | }
682 | },
683 | "eventGroupingSettings": {
684 | "aggregationKind": "SingleAlert"
685 | },
686 | "alertDetailsOverride": null,
687 | "customDetails": null,
688 | "entityMappings": [
689 | {
690 | "entityType": "Host",
691 | "fieldMappings": [
692 | {
693 | "identifier": "HostName",
694 | "columnName": "Computer"
695 | }
696 | ]
697 | }
698 | ],
699 | "sentinelEntitiesMappings": null,
700 | "templateVersion": null
701 | }
702 | },
703 | {
704 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afe7b0a7-d84f-462d-b751-548861bc0c5d')]",
705 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afe7b0a7-d84f-462d-b751-548861bc0c5d')]",
706 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
707 | "kind": "Scheduled",
708 | "apiVersion": "2022-09-01-preview",
709 | "properties": {
710 | "displayName": "CUSTOM: Brute Force ATTEMPT - Windows",
711 | "description": "",
712 | "severity": "Medium",
713 | "enabled": true,
714 | "query": "// Failed logon \nSecurityEvent\n| where EventID == 4625\n| where TimeGenerated > ago(60m)\n| summarize FailureCount = count() by AttackerIP = IpAddress, EventID, Activity, DestinationHostName = Computer\n| where FailureCount >= 10",
715 | "queryFrequency": "PT15M",
716 | "queryPeriod": "PT1H",
717 | "triggerOperator": "GreaterThan",
718 | "triggerThreshold": 0,
719 | "suppressionDuration": "PT5H",
720 | "suppressionEnabled": false,
721 | "startTimeUtc": null,
722 | "tactics": [
723 | "CredentialAccess"
724 | ],
725 | "techniques": [
726 | "T1110"
727 | ],
728 | "alertRuleTemplateName": null,
729 | "incidentConfiguration": {
730 | "createIncident": true,
731 | "groupingConfiguration": {
732 | "enabled": true,
733 | "reopenClosedIncident": false,
734 | "lookbackDuration": "PT5H",
735 | "matchingMethod": "AllEntities",
736 | "groupByEntities": [],
737 | "groupByAlertDetails": [],
738 | "groupByCustomDetails": []
739 | }
740 | },
741 | "eventGroupingSettings": {
742 | "aggregationKind": "SingleAlert"
743 | },
744 | "alertDetailsOverride": null,
745 | "customDetails": null,
746 | "entityMappings": [
747 | {
748 | "entityType": "IP",
749 | "fieldMappings": [
750 | {
751 | "identifier": "Address",
752 | "columnName": "AttackerIP"
753 | }
754 | ]
755 | },
756 | {
757 | "entityType": "Host",
758 | "fieldMappings": [
759 | {
760 | "identifier": "HostName",
761 | "columnName": "DestinationHostName"
762 | }
763 | ]
764 | }
765 | ],
766 | "sentinelEntitiesMappings": null,
767 | "templateVersion": null
768 | }
769 | },
770 | {
771 | "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e95fd1bb-b03a-4046-843b-1453a0a95482')]",
772 | "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e95fd1bb-b03a-4046-843b-1453a0a95482')]",
773 | "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
774 | "kind": "Scheduled",
775 | "apiVersion": "2022-09-01-preview",
776 | "properties": {
777 | "displayName": "CUSTOM: Brute Force SUCCESS - Azure Active Directory",
778 | "description": "",
779 | "severity": "High",
780 | "enabled": true,
781 | "query": "// Failed AAD logon\nlet FailedLogons = SigninLogs\n| where Status.failureReason == \"Invalid username or password or Invalid on-premise username or password.\"\n| where TimeGenerated > ago(1h)\n| project TimeGenerated, Status = Status.failureReason, UserPrincipalName, UserId, UserDisplayName, AppDisplayName, AttackerIP = IPAddress, IPAddressFromResourceProvider, City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.country, Latitude = LocationDetails.geoCoordinates.latitude, Longitude = LocationDetails.geoCoordinates.longitude\n| summarize FailureCount = count() by AttackerIP, UserPrincipalName;\nlet SuccessfulLogons = SigninLogs\n| where Status.errorCode == 0 \n| where TimeGenerated > ago(1h)\n| project TimeGenerated, Status = Status.errorCode, UserPrincipalName, UserId, UserDisplayName, AppDisplayName, AttackerIP = IPAddress, IPAddressFromResourceProvider, City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.country, Latitude = LocationDetails.geoCoordinates.latitude, Longitude = LocationDetails.geoCoordinates.longitude\n| summarize SuccessCount = count() by AuthenticationSuccessTime = TimeGenerated, AttackerIP, UserPrincipalName, UserId, UserDisplayName;\nlet BruteForceSuccesses = SuccessfulLogons\n| join kind = inner FailedLogons on AttackerIP, UserPrincipalName;\nBruteForceSuccesses\n| project AttackerIP, TargetAccount = UserPrincipalName, UserId, FailureCount, SuccessCount, AuthenticationSuccessTime",
782 | "queryFrequency": "PT5M",
783 | "queryPeriod": "PT5H",
784 | "triggerOperator": "GreaterThan",
785 | "triggerThreshold": 0,
786 | "suppressionDuration": "PT5H",
787 | "suppressionEnabled": false,
788 | "startTimeUtc": null,
789 | "tactics": [],
790 | "techniques": [],
791 | "alertRuleTemplateName": null,
792 | "incidentConfiguration": {
793 | "createIncident": true,
794 | "groupingConfiguration": {
795 | "enabled": true,
796 | "reopenClosedIncident": false,
797 | "lookbackDuration": "PT5H",
798 | "matchingMethod": "AllEntities",
799 | "groupByEntities": [],
800 | "groupByAlertDetails": [],
801 | "groupByCustomDetails": []
802 | }
803 | },
804 | "eventGroupingSettings": {
805 | "aggregationKind": "AlertPerResult"
806 | },
807 | "alertDetailsOverride": null,
808 | "customDetails": null,
809 | "entityMappings": [
810 | {
811 | "entityType": "IP",
812 | "fieldMappings": [
813 | {
814 | "identifier": "Address",
815 | "columnName": "AttackerIP"
816 | }
817 | ]
818 | },
819 | {
820 | "entityType": "Account",
821 | "fieldMappings": [
822 | {
823 | "identifier": "AadUserId",
824 | "columnName": "UserId"
825 | }
826 | ]
827 | }
828 | ],
829 | "sentinelEntitiesMappings": null,
830 | "templateVersion": null
831 | }
832 | }
833 | ]
834 | }
--------------------------------------------------------------------------------
/Sentinel-Maps(JSON)/linux-ssh-auth-fail.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": 3,
3 | "content": {
4 | "version": "KqlItem/1.0",
5 | "query": "let GeoIPDB = _GetWatchlist(\"geo_ipv4\");\nlet GeoIPDB_cities = _GetWatchlist(\"geo_ipv4_cities\");\nlet GeoIPDB_FULL = GeoIPDB | join kind = leftouter GeoIPDB_cities on geoname_id;\nlet IpAddress_REGEX_PATTERN = @\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\";\nSyslog\n| where Facility == \"auth\"\n| where SyslogMessage startswith \"Failed password for\"\n| order by TimeGenerated desc\n| project TimeGenerated, SourceIP = extract(IpAddress_REGEX_PATTERN, 0, SyslogMessage), DestinationHostName = HostName, DestinationIP = HostIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type\n| evaluate ipv4_lookup(GeoIPDB_FULL, SourceIP, network)\n| project TimeGenerated, SourceIP, DestinationHostName, DestinationIP, Facility, SyslogMessage, ProcessName, SeverityLevel, Type, latitude, longitude, subdivision = subdivision_1_name, city = city_name, country = country_name, friendly_location = strcat(city_name, \" (\", country_name, \")\");",
6 | "size": 3,
7 | "timeContext": {
8 | "durationMs": 2592000000
9 | },
10 | "queryType": 0,
11 | "resourceType": "microsoft.operationalinsights/workspaces",
12 | "visualization": "map",
13 | "mapSettings": {
14 | "locInfo": "LatLong",
15 | "locInfoColumn": "country_name",
16 | "latitude": "latitude",
17 | "longitude": "longitude",
18 | "sizeSettings": "latitude",
19 | "sizeAggregation": "Count",
20 | "opacity": 0.8,
21 | "labelSettings": "friendly_location",
22 | "legendMetric": "friendly_location",
23 | "legendAggregation": "Count",
24 | "itemColorSettings": {
25 | "nodeColorField": "latitude",
26 | "colorAggregation": "Count",
27 | "type": "heatmap",
28 | "heatmapPalette": "greenRed"
29 | }
30 | }
31 | },
32 | "name": "query - 0"
33 | }
34 |
--------------------------------------------------------------------------------
/Sentinel-Maps(JSON)/mssql-auth-fail.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": 3,
3 | "content": {
4 | "version": "KqlItem/1.0",
5 | "query": "let GeoIPDB = _GetWatchlist(\"geo_ipv4\");\nlet GeoIPDB_cities = _GetWatchlist(\"geo_ipv4_cities\");\nlet GeoIPDB_FULL = GeoIPDB | join kind = leftouter GeoIPDB_cities on geoname_id;\nlet IpAddress_REGEX_PATTERN = @\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\";\n// Brute Force Attempt MS SQL Server\nEvent\n| where EventLog == \"Application\"\n| where EventID == 18456\n| project TimeGenerated, AttackerIP = extract(IpAddress_REGEX_PATTERN, 0, RenderedDescription), DestinationHostName = Computer, RenderedDescription\n| evaluate ipv4_lookup(GeoIPDB_FULL, AttackerIP, network)\n| project TimeGenerated, AttackerIP, DestinationHostName, RenderedDescription, latitude, longitude, subdivision = subdivision_1_name, city = city_name, country = country_name, friendly_location = strcat(city_name, \" (\", country_name, \")\");",
6 | "size": 3,
7 | "timeContext": {
8 | "durationMs": 2592000000
9 | },
10 | "queryType": 0,
11 | "resourceType": "microsoft.operationalinsights/workspaces",
12 | "visualization": "map",
13 | "mapSettings": {
14 | "locInfo": "LatLong",
15 | "locInfoColumn": "country_name",
16 | "latitude": "latitude",
17 | "longitude": "longitude",
18 | "sizeSettings": "latitude",
19 | "sizeAggregation": "Count",
20 | "opacity": 0.8,
21 | "labelSettings": "friendly_location",
22 | "legendMetric": "friendly_location",
23 | "legendAggregation": "Count",
24 | "itemColorSettings": {
25 | "nodeColorField": "latitude",
26 | "colorAggregation": "Sum",
27 | "type": "heatmap",
28 | "heatmapPalette": "greenRed"
29 | }
30 | }
31 | },
32 | "name": "query - 0"
33 | }
34 |
--------------------------------------------------------------------------------
/Sentinel-Maps(JSON)/nsg-malicious-allowed-in.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": 3,
3 | "content": {
4 | "version": "KqlItem/1.0",
5 | "query": "let GeoIPDB = _GetWatchlist(\"geo_ipv4\");\nlet GeoIPDB_cities = _GetWatchlist(\"geo_ipv4_cities\");\nlet GeoIPDB_FULL = GeoIPDB | join kind = leftouter GeoIPDB_cities on geoname_id;\nlet MaliciousFlows = AzureNetworkAnalytics_CL \n| where FlowType_s == \"MaliciousFlow\"\n| order by TimeGenerated desc\n| project TimeGenerated, FlowType = FlowType_s, IpAddress = SrcIP_s, DestinationIpAddress = DestIP_s, DestinationPort = DestPort_d, Protocol = L7Protocol_s, NSGRuleMatched = NSGRules_s;\nMaliciousFlows\n| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)\n| project TimeGenerated, FlowType, IpAddress, DestinationIpAddress, DestinationPort, Protocol, NSGRuleMatched, latitude, longitude, subdivision = subdivision_1_name, city = city_name, country = country_name, friendly_location = strcat(city_name, \" (\", country_name, \")\")",
6 | "size": 3,
7 | "timeContext": {
8 | "durationMs": 2592000000
9 | },
10 | "queryType": 0,
11 | "resourceType": "microsoft.operationalinsights/workspaces",
12 | "visualization": "map",
13 | "mapSettings": {
14 | "locInfo": "LatLong",
15 | "locInfoColumn": "country_name",
16 | "latitude": "latitude",
17 | "longitude": "longitude",
18 | "sizeSettings": "city",
19 | "sizeAggregation": "Count",
20 | "opacity": 0.8,
21 | "labelSettings": "friendly_location",
22 | "legendMetric": "IpAddress",
23 | "legendAggregation": "Count",
24 | "itemColorSettings": {
25 | "nodeColorField": "city",
26 | "colorAggregation": "Count",
27 | "type": "heatmap",
28 | "heatmapPalette": "greenRed"
29 | }
30 | }
31 | },
32 | "name": "query - 0"
33 | }
34 |
--------------------------------------------------------------------------------
/Sentinel-Maps(JSON)/windows-rdp-auth-fail.json:
--------------------------------------------------------------------------------
1 | {
2 | "type": 3,
3 | "content": {
4 | "version": "KqlItem/1.0",
5 | "query": "let GeoIPDB = _GetWatchlist(\"geo_ipv4\");\nlet GeoIPDB_cities = _GetWatchlist(\"geo_ipv4_cities\");\nlet GeoIPDB_FULL = GeoIPDB | join kind = leftouter GeoIPDB_cities on geoname_id;\nlet WindowsEvents = SecurityEvent;\nWindowsEvents | where EventID == 4625\n| order by TimeGenerated desc\n| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)\n| project TimeGenerated, Account, AccountType, Computer, EventID, Activity, IpAddress, LogonTypeName, network, latitude, longitude, subdivision = subdivision_1_name, city = city_name, country = country_name, friendly_location = strcat(city_name, \" (\", country_name, \")\");\n",
6 | "size": 3,
7 | "timeContext": {
8 | "durationMs": 2592000000
9 | },
10 | "queryType": 0,
11 | "resourceType": "microsoft.operationalinsights/workspaces",
12 | "visualization": "map",
13 | "mapSettings": {
14 | "locInfo": "LatLong",
15 | "locInfoColumn": "country_name",
16 | "latitude": "latitude",
17 | "longitude": "longitude",
18 | "sizeSettings": "EventID",
19 | "sizeAggregation": "Count",
20 | "opacity": 0.8,
21 | "labelSettings": "friendly_location",
22 | "legendMetric": "EventID",
23 | "legendAggregation": "Count",
24 | "itemColorSettings": {
25 | "nodeColorField": "EventID",
26 | "colorAggregation": "Sum",
27 | "type": "heatmap",
28 | "heatmapPalette": "greenRed"
29 | }
30 | }
31 | },
32 | "name": "query - 0"
33 | }
34 |
--------------------------------------------------------------------------------
/Separate-Projects/NICE.py:
--------------------------------------------------------------------------------
import csv
import os
import time

import openai
4 |
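# OpenAI API key. Taken from the OPENAI_API_KEY environment variable when it is
# set, so the secret does not have to be written into this file; the literal
# below is only a placeholder for local runs (https://platform.openai.com/api-keys).
ChatGPT_API_KEY = os.environ.get("OPENAI_API_KEY", "xxxxxxxxxxxxxxxxxxxx")
# Chat model name passed to the API.
# API Models: https://platform.openai.com/docs/models/continuous-model-upgrades
GPT_MODEL = "gpt-4-0125-preview"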
7 |
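def get_csv_contents(file_path):
    """Read a CSV file and return its rows as a list of lists of strings.

    Args:
        file_path: Path of the CSV file to read.

    Returns:
        A list of rows (each row a list of field strings), or None when the
        file cannot be read or parsed. The error is printed rather than
        raised so the calling script can decide how to continue.
    """
    try:
        # newline='' hands embedded newlines to the csv module, as the csv
        # docs require for files opened for csv.reader.
        with open(file_path, mode='r', encoding='utf-8', newline='') as file:
            return list(csv.reader(file))
    except (OSError, UnicodeDecodeError, csv.Error) as e:
        print(f"Error:\n\n{e}\n\n——————————")
        return None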
17 |
def get_tsv_contents(input_file_path):
    """Return the contents of a TSV file as a single string.

    Every row is parsed with the csv module (tab delimiter), re-joined with
    tabs, and the rows are joined with newlines; the result therefore has no
    trailing newline even if the source file ends with one.
    """
    with open(input_file_path, mode='r', encoding='utf-8') as infile:
        lines = ('\t'.join(fields) for fields in csv.reader(infile, delimiter='\t'))
        return '\n'.join(lines)
25 |
def get_text_contents(file_path):
    """Read a UTF-8 text file and return its whole contents as one string."""
    with open(file_path, 'r', encoding='utf-8') as file:
        return file.read()
30 |
def create_prompt(job_description, nice_framework):
    """Build the prompt that asks the model to map a job posting to a NICE role.

    Args:
        job_description: Free text of the job posting. It is untrusted input
            and is placed into the prompt verbatim; the model's reply is
            treated as data by the caller, not executed.
        nice_framework: The NICE role table as text (see get_tsv_contents).

    Returns:
        The prompt string, ending with the requested JSON output shape.
    """
    template = '''
Based on the [NICE Cybersecurity Framework] and definition of
Job roles defined below, what is the most appropriate
job role listed in the spreadsheet for the job description below?
Please only choose roles which appear in the "role" column of the
[NICE Cybersecurity Framework].
Analyze the included content accurately to identify the most
suitable role for the job description provided. Do not [Output]
in any other way than what I describe below (after the Job Description section).
—
[Job Description]:
{job_description}
—
[NICE Cybersecurity Framework]:
{nice_framework}
—
[Output]:
{{
"role":"((the role from the [NICE Cybersecurity Framework] that closest matches the [Job Description]",
"explanation":"((justification for your selection))"
}}
—

'''
    # str.format treats the doubled braces above as literal braces, exactly
    # like an f-string would, and never interprets braces inside the values.
    return template.format(job_description=job_description,
                           nice_framework=nice_framework)
56 |
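def ask_chatgpt(key, model, prompt, max_retries=5):
    """Send ``prompt`` as a single user message and return the reply text.

    Args:
        key: OpenAI API key; assigned to ``openai.api_key`` before the call.
        model: Model name passed to the chat completion endpoint.
        prompt: The user message content.
        max_retries: Number of retries after a failed request before giving
            up. An unbounded retry loop turns an invalid key or exhausted
            quota into a silent hang, so the failure is surfaced instead.

    Returns:
        The ``content`` of the first choice in the response.

    Raises:
        Exception: the last error raised by the API call once ``max_retries``
            retries have been used up.
    """
    # Plug the API key into the openai object. This is the module-level
    # state of the pre-1.0 openai client interface (openai.ChatCompletion).
    openai.api_key = key

    print("Asking ChatGPT.")

    attempt = 0
    while True:
        try:
            response = openai.ChatCompletion.create(
                model=model,
                messages=[
                    {"role": "user", "content": prompt}
                ]
            )
            return response.choices[0].message.content

        except Exception as e:
            attempt += 1
            print(f"An error occurred: {e}")
            if attempt > max_retries:
                raise
            print("Retrying...")
            # Back off a little more on each retry (1s, 2s, 4s, ...), capped at 30s,
            # so repeated rate-limit errors are not hammered once a second.
            time.sleep(min(2 ** (attempt - 1), 30))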
79 |
def clean_up_response(response):
    """Remove every newline from ``response`` so the reply fits on one line."""
    return ''.join(response.split('\n'))
83 |
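def dump_contents_to_text_file(new_file_name, contents):
    """Write ``contents`` to ``new_file_name``, overwriting any existing file.

    Args:
        new_file_name: Destination path.
        contents: Text to write.

    Returns:
        True on success, False if the file could not be written; the error is
        printed rather than raised.
    """
    try:
        # Write UTF-8 explicitly: the inputs are read as UTF-8 elsewhere in
        # this script and the prompt contains em-dashes, so relying on the
        # platform default encoding can fail on some systems.
        with open(new_file_name, 'w', encoding='utf-8') as file:
            file.write(contents)
        return True
    except Exception as e:
        print(f"Error: {e}")
        return False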
92 |
# ----- SCRIPT RUNS HERE ----- #
# All paths are relative to the current working directory.
JOB_DESCRIPTION_FILE = "internet-job-description.txt"
NICE_ROLES_FILE = "nice-roles.tsv"
RESULT_FILE = "actual-job-description.json"
PROMPT_FILE = "prompt.txt"

print("—")
# Build the prompt from the job posting and the NICE role table.
job_description = get_text_contents(JOB_DESCRIPTION_FILE)
NICE_framework = get_tsv_contents(NICE_ROLES_FILE)
prompt = create_prompt(job_description, NICE_framework)
# Ask the model, flatten its reply to one line, then save both the reply and
# the prompt that produced it.
response = ask_chatgpt(ChatGPT_API_KEY, GPT_MODEL, prompt)
cleaned_response = clean_up_response(response)
dump_contents_to_text_file(RESULT_FILE, cleaned_response)
dump_contents_to_text_file(PROMPT_FILE, prompt)
print('fin.')
print("—")
104 |
--------------------------------------------------------------------------------
/Special-Windows-Event-Data-Collection-Rules/Rules.txt:
--------------------------------------------------------------------------------
1 | // Windows Defender Malware Detection XPath Query
2 | Microsoft-Windows-Windows Defender/Operational!*[System[(EventID=1116 or EventID=1117)]]
3 |
4 | // Windows Firewall Tampering Detection XPath Query
5 | Microsoft-Windows-Windows Firewall With Advanced Security/Firewall!*[System[(EventID=2003)]]
6 |
--------------------------------------------------------------------------------
/Storage-Account-Scripts/Blob-Upload.ps1:
--------------------------------------------------------------------------------
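############################# SET THE VARIABLES BELOW ##############################
# Ex: sacyberlab01
$storageAccountName = "Storage Account Name Goes Here"

# Ex: <base64 access key from the portal> (placeholder - never commit a real key)
$storageAccountKey = "Storage Account Access Key Goes Here"

# Ex: testcontainer
$containerName = "Storage Account Container Name Goes Here"
############################# SET THE VARIABLES ABOVE ##############################


# You can leave these alone
$localFileContent = "This is a test file"
$localFilePath = "$env:USERPROFILE\Desktop\testfile.txt"
$blobName = "testfile.txt"

# Refuse to run with the placeholders still in place; otherwise the failure
# only shows up later, inside New-AzStorageContext, with a less clear error.
foreach ($setting in @($storageAccountName, $storageAccountKey, $containerName)) {
    if ($setting -like "*Goes Here*") {
        Write-Error "Set the variables at the top of the script before running it."
        exit 1
    }
}

# Create a local text file
$localFileContent | Out-File -FilePath $localFilePath -Encoding ascii

try {
    # Build a storage context from the account key. The key grants full control
    # of the account, so keep it out of source control and shell history.
    $context = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey -ErrorAction Stop

    # Upload file to Azure Storage. -ErrorAction Stop turns a failed upload into
    # an exception, so the confirmation below is printed only on success.
    Set-AzStorageBlobContent -File $localFilePath -Container $containerName -Blob $blobName -Context $context -ErrorAction Stop

    # Confirmation message
    Write-Host "File uploaded successfully to $storageAccountName/$containerName/$blobName"
}
catch {
    Write-Error "Upload failed: $($_.Exception.Message)"
    exit 1
}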
29 |
--------------------------------------------------------------------------------
/Vulnerability-Management/Toggle-SMBv1.ps1:
--------------------------------------------------------------------------------
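# Script to toggle the SMBv1 server on Windows 10.
# Usage:
#   .\Toggle-SMBv1.ps1            # disable the SMBv1 server (default, as before)
#   .\Toggle-SMBv1.ps1 -Enable    # re-enable the SMBv1 server
param(
    [switch]$Enable
)

# Check if the script is being run as an Administrator (writing HKLM requires it)
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator."
    # 'Break' outside a loop is not a clean script exit; return a failure code instead.
    exit 1
}

# SMB1 value under LanmanServer\Parameters:
# -Value 0 for off
# -Value 1 for on
$smb1Value = if ($Enable) { 1 } else { 0 }
$action = if ($Enable) { "Enabling" } else { "Disabling" }
Write-Output "$action SMBv1 Server"
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value $smb1Value -Force

# Notify user of completion. Only the server-side value is written here;
# the SMBv1 client is not touched by this script.
Write-Output "SMBv1 Server has been set to $smb1Value. Please restart your system for the changes to take effect."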
17 |
--------------------------------------------------------------------------------
/Vulnerability-Management/Toggle-TLS-1.0-and-1.1.ps1:
--------------------------------------------------------------------------------
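# Script to disable (or, with -Enable, re-enable) the server side of
# SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in SCHANNEL on Windows 10.
# Usage:
#   .\Toggle-TLS-1.0-and-1.1.ps1           # disable all four (default, as before)
#   .\Toggle-TLS-1.0-and-1.1.ps1 -Enable   # re-enable all four
#
# Run the PowerShell as Administrator.
param(
    [switch]$Enable
)

# Check if the script is being run as an Administrator (writing HKLM requires it)
If (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    Write-Warning "You do not have Administrator rights to run this script!`nPlease re-run this script as an Administrator."
    # 'Break' outside a loop is not a clean script exit; return a failure code instead.
    exit 1
}

# SCHANNEL value semantics, shared by every protocol below:
# 'Enabled' -Value 0 and 'DisabledByDefault' -Value 1 for off
# 'Enabled' -Value 1 and 'DisabledByDefault' -Value 0 for on
$enabledValue = if ($Enable) { 1 } else { 0 }
$disabledByDefaultValue = if ($Enable) { 0 } else { 1 }
$action = if ($Enable) { "Enabling" } else { "Disabling" }

# Only the \Server subkey of each protocol is written; the client-side
# settings are left unchanged, as in the original script.
$schannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

foreach ($protocol in $protocols) {
    $serverKey = "$schannelProtocols\$protocol\Server"
    Write-Output "$action $protocol Server"
    # -Force creates the key when missing and overwrites existing values.
    New-Item $serverKey -Force | Out-Null
    New-ItemProperty -Path $serverKey -Name 'Enabled' -Value $enabledValue -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -Value $disabledByDefaultValue -PropertyType 'DWord' -Force | Out-Null
}

# Notify user of completion
Write-Output "SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 server settings have been updated (Enabled=$enabledValue). Please restart your system for the changes to take effect."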
49 |
--------------------------------------------------------------------------------