├── .gitignore
├── .vs
└── VSWorkspaceState.json
├── CODE_OF_CONDUCT.md
├── LICENSE
├── README.md
├── SECURITY.md
├── SUPPORT.md
├── Sentinel
├── environments
│ ├── Integration
│ │ ├── Connections
│ │ │ ├── AzureActiveDirectory
│ │ │ │ ├── Azure.AD.connection.json
│ │ │ │ └── Azure.AD.connection.parameters.json
│ │ │ └── Office365
│ │ │ │ ├── Office365.connection.json
│ │ │ │ └── Office365.connection.parameters.json
│ │ ├── Connectors
│ │ │ ├── AzureActiveDirectory.settings.json
│ │ │ ├── AzureActiveDirectoryIdentityProtection.settings.json
│ │ │ ├── AzureActivity.settings.json
│ │ │ ├── AzureSecurityCenter.settings.json
│ │ │ ├── MicrosoftCloudAppSecurity.settings.json
│ │ │ ├── Office365Defender.settings.json
│ │ │ ├── Office365Logs.settings.json
│ │ │ └── ThreatIntelligenceTaxii.settings.json
│ │ ├── Environment.Integration.Definition.json
│ │ └── Environment.json
│ ├── PreProduction
│ │ ├── Connections
│ │ │ ├── AzureActiveDirectory
│ │ │ │ ├── Azure.AD.connection.json
│ │ │ │ └── Azure.AD.connection.parameters.json
│ │ │ └── Office365
│ │ │ │ ├── Office365.connection.json
│ │ │ │ └── Office365.connection.parameters.json
│ │ ├── Connectors
│ │ │ ├── AzureActiveDirectory.settings.json
│ │ │ ├── AzureActiveDirectoryIdentityProtection.settings.json
│ │ │ ├── AzureActivity.settings.json
│ │ │ ├── AzureSecurityCenter.settings.json
│ │ │ ├── MicrosoftCloudAppSecurity.settings.json
│ │ │ ├── Office365Defender.settings.json
│ │ │ ├── Office365Logs.settings.json
│ │ │ └── ThreatIntelligenceTaxii.settings.json
│ │ ├── Environment.Integration.Definition.json
│ │ └── Environment.json
│ ├── Production
│ │ ├── Connections
│ │ │ ├── AzureActiveDirectory
│ │ │ │ ├── Azure.AD.connection.json
│ │ │ │ └── Azure.AD.connection.parameters.json
│ │ │ └── Office365
│ │ │ │ ├── Office365.connection.json
│ │ │ │ └── Office365.connection.parameters.json
│ │ ├── Connectors
│ │ │ ├── AzureActiveDirectory.settings.json
│ │ │ ├── AzureActiveDirectoryIdentityProtection.settings.json
│ │ │ ├── AzureActivity.settings.json
│ │ │ ├── AzureSecurityCenter.settings.json
│ │ │ ├── MicrosoftCloudAppSecurity.settings.json
│ │ │ ├── Office365Defender.settings.json
│ │ │ ├── Office365Logs.settings.json
│ │ │ └── ThreatIntelligenceTaxii.settings.json
│ │ └── Environment.json
│ └── Test
│ │ ├── Connections
│ │ ├── AzureActiveDirectory
│ │ │ ├── Azure.AD.connection.json
│ │ │ └── Azure.AD.connection.parameters.json
│ │ └── Office365
│ │ │ ├── Office365.connection.json
│ │ │ └── Office365.connection.parameters.json
│ │ ├── Connectors
│ │ ├── AzureActiveDirectory.settings.json
│ │ ├── AzureActiveDirectoryIdentityProtection.settings.json
│ │ ├── AzureActivity.settings.json
│ │ ├── AzureSecurityCenter.settings.json
│ │ ├── MicrosoftCloudAppSecurity.settings.json
│ │ ├── Office365Defender.settings.json
│ │ ├── Office365Logs.settings.json
│ │ └── ThreatIntelligenceTaxii.settings.json
│ │ ├── Environment.Integration.Definition.json
│ │ └── Environment.json
└── mitre-use-cases
│ ├── App Services
│ └── AnalyticRules
│ │ ├── AppServicesAVScanFailure.analytics.rule.yaml
│ │ └── AppServicesAVScanwithInfectedFiles.analytics.rule.yaml
│ ├── Azure Kubernetes
│ ├── AnalyticsRules
│ │ ├── AKSDisableCloudLogsAlerts.analytics.rule.yaml
│ │ ├── AKSDisableCloudLogsAlerts.mitre.manifest.json
│ │ ├── AKSExecutiondetection.analytics.rule.yaml
│ │ ├── AKSExecutiondetection.mitre.manifest.json
│ │ ├── AbilitytomonitorAKSContaineronAzure(PodsandClusters).analytics.rule.yaml
│ │ ├── ContainerDeploymentfromunkownIPAddress.analytics.rule.yaml
│ │ ├── ContainerDeploymentfromunkownIPAddress.mitre.manifest.json
│ │ ├── NetworkServiceScanning.analytics.rule.yaml
│ │ └── NetworkServiceScanning.mitre.manifest.json
│ └── Watchlists
│ │ ├── CIDR_Paw.csv
│ │ └── CIDR_Paw.watchlist.metadata.json
│ ├── Azure SQL
│ └── AnalyticRules
│ │ ├── SQL-Unusualexportlocation.analytics.rule.yaml
│ │ ├── SQL-UseBruteForcetoobtainvalidSQLcredentials.analytics.rule.yaml
│ │ ├── SQL-UseBruteForcetoobtainvalidSQLcredentials.mitre.manifest.json
│ │ ├── SQL-securitycenteralerts.analytics.rule.yaml
│ │ ├── SQLInjection.analytics.rule.yaml
│ │ ├── SQLInjection.mitre.manifest.json
│ │ ├── SQLSign-SQLSign-ineventfromunfamiliarlocation.mitre.manifest.json
│ │ ├── SQLSign-ineventfromasuspiciousIP.analytics.rule.yaml
│ │ ├── SQLSign-ineventfromasuspiciousIP.mitre.manifest.json
│ │ └── SQLSign-ineventfromunfamiliarlocation.analytics.rule.yaml
│ ├── AzureActiveDirectory
│ ├── AlertAndPlaybooksConnections
│ │ └── CompromisedAccounts.analytics.rule.playbooks.json
│ ├── AnalyticsRules
│ │ ├── AnomalousAzureActiveDirectoryappsbasedonauthenticationlocation.analytics.rule.yaml
│ │ ├── AnomalousAzureActiveDirectoryappsbasedonauthenticationlocation.mitre.manifest.json
│ │ ├── AttemptstosignintodisabledaccountsbyIPaddress.analytics.rule.yaml
│ │ ├── AttemptstosignintodisabledaccountsbyIPaddress.mitre.manifest.json
│ │ ├── Attemptstosignintodisabledaccountsbyaccountname.analytics.rule.yaml
│ │ ├── Attemptstosignintodisabledaccountsbyaccountname.mitre.manifest.json
│ │ ├── AttempttoLoginwithDisabledAccount.analytics.rule.yaml
│ │ ├── AttempttoLoginwithDisabledAccount.mitre.manifest.json
│ │ ├── AttempttobypassconditionalaccessruleinAzureAD.analytics.rule.yaml
│ │ ├── AttempttobypassconditionalaccessruleinAzureAD.mitre.manifest.json
│ │ ├── AzureAD-ImpossibleTravel.analytics.rule.yaml
│ │ ├── AzureActiveDirectorysigninsfromnewlocations.analytics.rule.yaml
│ │ ├── AzureActiveDirectorysigninsfromnewlocations.mitre.manifest.json
│ │ ├── AzureResourceManagementfromNonApprovedIP.analytics.rule.yaml
│ │ ├── AzureResourceManagementfromNonApprovedIP.mitre.manifest.json
│ │ ├── AzureSecurityCenter-MFAmustbeenable.analytics.rule.yaml
│ │ ├── AzureSecurityCenter-MFAmustbeenable.mitre.manifest.json
│ │ ├── BruteforceattackagainstAzurePortal.analytics.rule.yaml
│ │ ├── BruteforceattackagainstAzurePortal.mitre.manifest.json
│ │ ├── CreateincidentsbasedonAzureActiveDirectoryIdentityProtectionalerts.analytics.rule.yaml
│ │ ├── Detectbruteforceloginattemptswithgeographicinformation.analytics.rule.yaml
│ │ ├── Detectbruteforceloginattemptswithgeographicinformation.mitre.manifest.json
│ │ ├── ExcessiveLogonFailures.analytics.rule.yaml
│ │ ├── FailedattempttoaccessAzurePortal.analytics.rule.yaml
│ │ ├── FailedattempttoaccessAzurePortal.mitre.manifest.json
│ │ ├── LoginattemptbyBlockedMFAuser.analytics.rule.yaml
│ │ ├── LoginattemptbyBlockedMFAuser.mitre.manifest.json
│ │ ├── MFAdisabledforauser.analytics.rule.yaml
│ │ ├── MFAdisabledforauser.mitre.manifest.json
│ │ ├── PasswordsprayattackagainstAzureADapplication.analytics.rule.yaml
│ │ ├── PasswordsprayattackagainstAzureADapplication.mitre.manifest.json
│ │ ├── PermutationsonlogonattemptsbyUserPrincipalNamesindicatingpotentialbruteforce.analytics.rule.yaml
│ │ ├── PermutationsonlogonattemptsbyUserPrincipalNamesindicatingpotentialbruteforce.mitre.manifest.json
│ │ └── Suspiciousgrantingofpermissionstoanaccount.analytics.rule.yaml
│ ├── Playbooks
│ │ ├── Compromised_Account_Mitigation.json
│ │ ├── Compromised_Account_Mitigation.parameters.json
│ │ ├── Login_Deviation_Behavior.json
│ │ └── Login_Deviation_Behavior.parameters.json
│ └── Watchlists
│ │ ├── IP_Whitelist.csv
│ │ └── IP_Whitelist.watchlist.metadata.json
│ ├── MITRE
│ └── Workbooks
│ │ ├── MITRE.workbook.metadata.json
│ │ └── MITRE.workbook.metadata.parameters.json
│ ├── Machine Learning
│ └── AnalyticsRules
│ │ └── AdvancedMultistageAttackDetection.analytics.rule.yaml
│ ├── Office 365
│ ├── AlertAndPlaybooksConnections
│ │ └── CompromisedAccounts.analytics.rule.playbooks.json
│ ├── AnalyticsRules
│ │ ├── Auditadministratoractionsincludingmailboxcreationanddeletion.analytics.rule.yaml
│ │ ├── Auditadministratoractionsincludingmailboxcreationanddeletion.mitre.manifest.json
│ │ ├── CreateincidentsbasedonMicrosoftCloudAppSecurityalerts.analytics.rule.yaml
│ │ ├── CreateincidentsbasedonMicrosoftDefenderAdvancedThreatProtectionalerts.analytics.rule.yaml
│ │ ├── CreateincidentsbasedonOffice365AdvancedThreatProtectionalerts.analytics.rule.yaml
│ │ ├── Emailsforwardingredirectruletoexternalmailbox.analytics.rule.yaml
│ │ ├── Emailsforwardingredirectruletoexternalmailbox.mitre.manifest.json
│ │ ├── ExchangeAuditLogdisabled.analytics.rule.yaml
│ │ ├── ExchangeAuditLogdisabled.mitre.manifest.json
│ │ ├── Externaluseraddedandremovedinshorttimeframe.analytics.rule.yaml
│ │ ├── Externaluseraddedandremovedinshorttimeframe.mitre.manifest.json
│ │ ├── MailredirectviaExOtransportrule.analytics.rule.yaml
│ │ ├── MailredirectviaExOtransportrule.mitre.manifest.json
│ │ ├── MaliciousInboxRule.analytics.rule.yaml
│ │ ├── MaliciousInboxRule.mitre.manifest.json
│ │ ├── MalwareDetectionbySharePointAVEngine.analytics.rule.yaml
│ │ ├── Multipleusersemailforwardedtosamedestination.analytics.rule.yaml
│ │ ├── Multipleusersemailforwardedtosamedestination.mitre.manifest.json
│ │ ├── NewAdminaccountactivityseenwhichwasnotseenhistorically.analytics.rule.yaml
│ │ ├── NewAdminaccountactivityseenwhichwasnotseenhistorically.mitre.manifest.json
│ │ ├── RareandpotentiallyhighriskOfficeoperations.analytics.rule.yaml
│ │ ├── RareandpotentiallyhighriskOfficeoperations.mitre.manifest.json
│ │ ├── SuspiciousAuditConfigurationPolicyOperations.analytics.rule.yaml
│ │ ├── SuspiciousAuditConfigurationPolicyOperations.mitre.manifest.json
│ │ ├── SuspiciousThreatProtectionChanges.analytics.rule.yaml
│ │ ├── SuspiciousapplicationconsentsimilartoO365AttackToolkit.analytics.rule.yaml
│ │ └── SuspiciousapplicationconsentsimilartoO365AttackToolkit.mitre.manifest copy.json
│ ├── Playbooks
│ │ ├── Office365.SecurityAndCompliance.LogicApp.json
│ │ └── Office365.SecurityAndCompliance.LogicApp.parameters.json
│ └── Runbooks
│ │ ├── Office365.Compliance.Case.ps1
│ │ └── Office365.Compliance.Case.psd1
│ ├── Quickstart
│ └── AnalyticsRules
│ │ └── QuickstartRule.analytics.rule.yaml
│ ├── Readme.md
│ ├── Storage Account
│ ├── AnalyticsRules
│ │ ├── Azurestoragekeyenumeration.analytics.rule.yaml
│ │ ├── Azurestoragekeyenumeration.mitre.manifest.json
│ │ ├── DetectMalwareinblobcontainer.analytics.rule.yaml
│ │ └── DetectMalwareinblobcontainer.mitre.manifest.json
│ ├── Playbooks
│ │ ├── Remove_Malware.json
│ │ └── Remove_Malware.parameters.json
│ └── Runbooks
│ │ ├── RemoveMalware.ps1
│ │ └── RemoveMalware.psd1
│ └── Virtual Machines
│ ├── AnalyticsRules
│ ├── AnomalousRDPLoginDetections.analytics.rule.yaml
│ ├── AnomalousRDPLoginDetections.mitre.manifest.json
│ ├── CreationofexpensivecomputesinAzure.analytics.rule.yaml
│ ├── CreationofexpensivecomputesinAzure.mitre.manifest.json
│ ├── Failedlogonattemptsbyvalidaccountswithin10mins.analytics.rule.yaml
│ ├── Failedlogonattemptsbyvalidaccountswithin10mins.mitre.manifest copy.json
│ ├── HostsWithNewLogons.analytics.rule.yaml
│ ├── HostsWithNewLogons.mitre.manifest.json
│ ├── MultipleFailedFollowedBySuccess.analytics.rule.yaml
│ ├── MultipleFailedFollowedBySuccess.mitre.manifest.json
│ ├── NetworkServiceScanning.analytics.rule.yaml
│ ├── NetworkServiceScanning.mitre.manifest.json
│ ├── RDPMultipleConnectionsFromSingleSystem.analytics.rule.yaml
│ ├── RDPMultipleConnectionsFromSingleSystem.mitre.manifest.json
│ ├── RDPNesting.analytics.rule.yaml
│ ├── RDPNesting.mitre.manifest.json
│ ├── RDPRareConnection.analytics.rule.yaml
│ ├── RDPRareConnection.mitre.manifest.json
│ ├── SuspiciousResourcedeployment.analytics.rule.yaml
│ ├── SuspiciousResourcedeployment.mitre.manifest.json
│ ├── SuspiciousWindowsLoginoutsidenormalhours.analytics.rule.yaml
│ ├── SuspiciousWindowsLoginoutsidenormalhours.mitre.manifest.json
│ ├── Suspiciousnumberofresourcecreationordeploymentactivities.analytics.rule.yaml
│ └── Suspiciousnumberofresourcecreationordeploymentactivities.mitre.manifest.json
│ ├── Playbooks
│ ├── Chain_of_Custody.json
│ ├── Chain_of_Custody.parameters.json
│ ├── Sentinel_Mail_Notification.json
│ └── Sentinel_Mail_Notification.parameters.json
│ └── Runbooks
│ ├── Copy-DigitalEvidenceVmLinux.ps1
│ ├── Copy-DigitalEvidenceVmLinux.psd1
│ ├── Copy-DigitalEvidenceVmWindows.ps1
│ ├── Copy-DigitalEvidenceVmWindows.psd1
│ ├── VMBlock_IP.ps1
│ └── VMBlock_IP.psd1
└── src
├── Build
├── Artifacts
│ ├── ADO
│ │ └── Microsoft.Sentinel.Artifacts.Build.yaml
│ └── Scripts
│ │ └── Azure.Mitre.Manifest.Generation.ps1
└── Framework
│ ├── ADO
│ └── Microsoft.Sentinel.Framework.Build.yml
│ ├── Powershell.Modules.Build.ps1
│ ├── Powershell.Modules.Release.ps1
│ ├── Powershell.Nuget.Connect.ps1
│ ├── Powershell.Nuget.Credentials.ps1
│ └── Powershell.Nuget.Disconnect.ps1
├── Dev
└── Framework
│ ├── Automation.DataExportRules
│ ├── Automation.DataExportRules.ps1
│ └── Automation.DataExportRules.psd1
│ ├── Azure.Deployment.Environment
│ └── Version
│ │ └── Azure.Deployment.Environment
│ │ ├── Azure.Deployment.Environment.psd1
│ │ └── Azure.Deployment.Environment.psm1
│ ├── Kql
│ └── Azure.Kql.Powershell
│ │ ├── Azure.Kql.Powershell.Tests
│ │ ├── Azure.Kql.Powershell.Tests.csproj
│ │ └── KqlPowershellTests.cs
│ │ ├── Azure.Kql.Powershell.sln
│ │ ├── Azure.Kql.Powershell
│ │ ├── Azure.Kql.Powershell.csproj
│ │ ├── KqlValidationException.cs
│ │ └── KqlValidatorCommand.cs
│ │ └── Module
│ │ └── Azure.Kql.Powershell
│ │ └── Version
│ │ └── Azure.Kql.Powershell
│ │ └── Azure.Kql.Powershell.psd1
│ ├── Microsoft.Sentinel.Automation
│ └── Version
│ │ └── Microsoft.Sentinel.Automation
│ │ ├── Microsoft.Sentinel.Automation.psd1
│ │ └── Microsoft.Sentinel.Automation.psm1
│ ├── Microsoft.Sentinel.Connectors.Management
│ └── Version
│ │ └── Microsoft.Sentinel.Connectors.Management
│ │ ├── Microsoft.Sentinel.Connectors.Management.psd1
│ │ └── Microsoft.Sentinel.Connectors.Management.psm1
│ ├── Microsoft.Sentinel.Connectors
│ └── Version
│ │ └── Microsoft.Sentinel.Connectors
│ │ ├── Connectors
│ │ ├── Azure.Activity.Connector.psm1
│ │ ├── Microsoft.Connectors.Common.psm1
│ │ ├── Microsoft.Sentinel.AzureAD.Connector.psm1
│ │ ├── Microsoft.Sentinel.AzureADIdentityProtection.Connector.psm1
│ │ ├── Microsoft.Sentinel.MicrosoftDefenderCloud.Connector.psm1
│ │ ├── Microsoft.Sentinel.ThreatIntelligence.Connector.psm1
│ │ ├── Microsoft365.Defender.Connectors.psm1
│ │ ├── Microsoft365.Logs.Connectors.psm1
│ │ ├── MicrosoftDefenderCloudApp.Connectors.psm1
│ │ └── ThreatIntelligenceTaxii.Connector.psm1
│ │ ├── Microsoft.Sentinel.Connectors.psd1
│ │ └── Microsoft.Sentinel.Connectors.psm1
│ ├── Microsoft.Sentinel.Playbooks
│ └── Version
│ │ └── Microsoft.Sentinel.Playbooks
│ │ ├── Microsoft.Sentinel.Playbooks.psd1
│ │ └── Microsoft.Sentinel.Playbooks.psm1
│ ├── Microsoft.Sentinel.Rules
│ └── Version
│ │ └── Microsoft.Sentinel.Rules
│ │ ├── Microsoft.Sentinel.Rules.psd1
│ │ └── Microsoft.Sentinel.Rules.psm1
│ ├── Microsoft.Sentinel.Watchlist
│ └── Version
│ │ └── Microsoft.Sentinel.Watchlist
│ │ ├── Microsoft.Sentinel.Watchlist.psd1
│ │ └── Microsoft.Sentinel.Watchlist.psm1
│ └── Microsoft.Sentinel.Workbooks
│ └── Version
│ └── Microsoft.Sentinel.Workbooks
│ ├── Microsoft.Sentinel.Workbooks.psd1
│ ├── Microsoft.Sentinel.Workbooks.psm1
│ └── Microsoft.Sentinel.Workbooks.template.json
└── Release
├── Artifacts Deployment
├── ADO
│ ├── Microsoft.Sentinel.Artifacts.Deployment.yml
│ └── Microsoft.Sentinel.Artifacts.Export.yml
└── Scripts
│ ├── Azure.Automation.Runbooks.Deployment.ps1
│ ├── Microsoft.Sentinel.Alerts.Rules.Deployment.ps1
│ ├── Microsoft.Sentinel.Alerts.RulesPlaybookConnection.Deployment.ps1
│ ├── Microsoft.Sentinel.Automation.Rules.Deployment.ps1
│ ├── Microsoft.Sentinel.Export.ps1
│ ├── Microsoft.Sentinel.Hunting.Rules.Deployment.ps1
│ ├── Microsoft.Sentinel.Playbooks.Deployment.ps1
│ ├── Microsoft.Sentinel.Watchlist.Deployment.ps1
│ └── Microsoft.Sentinel.Workbooks.Deployment.ps1
├── Common
├── Azure.Deployment.Environment.ps1
├── Azure.Deployment.Location.ps1
├── Azure.Deployment.Resource.Check.ps1
├── Azure.DevOps.Extensions.psm1
├── Azure.Environments.ps1
└── Azure.Subscription.ps1
└── Sentinel Deployment
├── ADO
├── Microsoft.Sentinel.Environment.Deployment.yml
└── Microsoft.Sentinel.Environment.Destroy.yml
├── Resources
├── Automation
│ ├── Azure.Automation.LogicApp.Connection.json
│ ├── Azure.Automation.Roles.Deployment.json
│ ├── Azure.Automation.Runbooks.Deployment.ps1
│ └── Azure.Automation.json
├── Databricks
│ ├── Azure.Databricks.Cluster.Deployment.ps1
│ ├── Azure.Databricks.Cluster.Deployment.psm1
│ └── Azure.Databricks.Deployment.json
├── Defender
│ ├── Azure.Defender.Configuration.Contacts.ps1
│ └── Azure.Defender.Provisioning.ps1
├── EventHub
│ ├── Azure.EventHubNamespace.Deployment.json
│ └── Azure.EventHubNamespace.Roles.Deployment.json
├── KeyVault
│ ├── Azure.KeyVault.Deployment.json
│ └── Azure.KeyVault.LogicApp.Connection.json
├── LAW
│ └── Azure.LogAnalytics.Workspace.json
├── Sentinel
│ ├── Azure.Sentinel.LogicApp.Connection.json
│ ├── LogAnalyticsAndSentinel.template.json
│ ├── Managed.Identity.json
│ └── Sentinel.template.json
└── StorageAccount
│ ├── Azure.StorageAccount.Roles.Deployment.json
│ └── Azure.StorageAccout.Deployment.json
└── Scripts
├── Microsoft.Sentinel.DataConnectors.Runtime.ps1
├── Microsoft.Sentinel.Integration.Deployment.ps1
├── Microsoft.Sentinel.Playbooks.Connections.Deployment.ps1
└── Microsoft.Sentinel.Remove.ps1
/.gitignore:
--------------------------------------------------------------------------------
1 | **/**.manifest
2 | **/**.testlog
3 | **/.suo
4 | **/**.dtbcache.v2
5 | **/**.cache
6 | **/bin/**
7 | **/obj/**
8 | *.sqlite
9 |
--------------------------------------------------------------------------------
/.vs/VSWorkspaceState.json:
--------------------------------------------------------------------------------
1 | {
2 | "ExpandedNodes": [
3 | "",
4 | "\\src",
5 | "\\src\\Dev"
6 | ],
7 | "SelectedNode": "\\src\\Dev\\Kql",
8 | "PreviewInSolutionExplorer": false
9 | }
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Microsoft Open Source Code of Conduct
2 |
3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
4 |
5 | Resources:
6 |
7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
10 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) Microsoft Corporation.
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
1 | # TODO: The maintainer of this repo has not yet edited this file
2 |
3 | **REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project?
4 |
5 | - **No CSS support:** Fill out this template with information about how to file issues and get help.
6 | - **Yes CSS support:** Fill out an intake form at [aka.ms/spot](https://aka.ms/spot). CSS will work with/help you to determine next steps. More details also available at [aka.ms/onboardsupport](https://aka.ms/onboardsupport).
7 | - **Not sure?** Fill out a SPOT intake as though the answer were "Yes". CSS will help you decide.
8 |
9 | *Then remove this first heading from this SUPPORT.MD file before publishing your repo.*
10 |
11 | # Support
12 |
13 | ## How to file issues and get help
14 |
15 | This project uses GitHub Issues to track bugs and feature requests. Please search the existing
16 | issues before filing new issues to avoid duplicates. For new issues, file your bug or
17 | feature request as a new Issue.
18 |
19 | For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE
20 | FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER
21 | CHANNEL. WHERE WILL YOU HELP PEOPLE?**.
22 |
23 | ## Microsoft Support Policy
24 |
25 | Support for this **PROJECT or PRODUCT** is limited to the resources listed above.
26 |
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connections/AzureActiveDirectory/Azure.AD.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuread')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connections/AzureActiveDirectory/Azure.AD.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weazuread-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connections/Office365/Office365.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/office365')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connections/Office365/Office365.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weoffice365-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/AzureActiveDirectory.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "SignInLogs": true,
3 | "AuditLogs": true,
4 | "NonInteractiveUserSignInLogs": true,
5 | "ServicePrincipalSignInLogs": true,
6 | "ManagedIdentitySignInLogs": true,
7 | "ProvisioningLogs": true,
8 | "KeyVault": "socdap-test-sentinel-kv",
9 | "SecretName": "ImpersonationCredentials",
10 | "ImpersonationEnabled": true
11 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/AzureActiveDirectoryIdentityProtection.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdap-test-sentinel-kv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/AzureActivity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/AzureSecurityCenter.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/MicrosoftCloudAppSecurity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "ProvisioningLogs": "Enabled",
3 | "Alerts": "Enabled",
4 | "KeyVault": "socdap-test-sentinel-kv",
5 | "SecretName": "ImpersonationCredentials",
6 | "ImpersonationEnabled": true
7 | }
8 |
9 |
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/Office365Defender.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdap-test-sentinel-kv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/Office365Logs.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sharepoint": "Enabled",
3 | "Exchange" : "Enabled",
4 | "Teams": "Enabled",
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": true
8 | }
9 |
10 |
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Connectors/ThreatIntelligenceTaxii.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "TaxiiClient": "Enabled",
3 | "TaxiiServer" : "https://contoso-dev.threatconnect.com/api/services/taxii2/v1/tc_taxii",
4 | "CollectionId": "9db1b55a-d303-5d82-b285-277712f5b03c",
5 | "PoolingFrequency": "OnePerHour",
6 | "FriendlyName": "Taxii",
7 | "KeyVault": "socdap-test-sentinel-kv",
8 | "SecretName": "ThreatConnectTaxi",
9 | "ImpersonationEnabled": true
10 | }
11 |
12 |
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Environment.Integration.Definition.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Container": {
4 | "ResourceGroupName" : "socdap-wepreprodsiem-rg",
5 | "Name" : "socdap-wepreprodsiem-eh001",
6 | "Kind" : "EventHub",
7 | "Tables": [
8 | "OfficeActivity",
9 | "SecurityAlert",
10 | "SecurityIncident",
11 | "SigninLogs",
12 | "AuditLogs"
13 | ],
14 | "Capture" : {
15 | "StorageAccountResourceId" : "/subscriptions/9e69aea0-07b2-41b4-8925-db3dd01c7c4f/resourceGroups/socdap-wepreprodsiem-rg/providers/Microsoft.Storage/storageAccounts/socdapwepreprodsiemsta"
16 | }
17 | }
18 | }
19 | ]
--------------------------------------------------------------------------------
/Sentinel/environments/Integration/Environment.json:
--------------------------------------------------------------------------------
1 | {
2 | "SubscriptionId": "d75695ac-29e2-4d42-b940-d5281eb6bd08",
3 | "Name" : "Int",
4 | "NamingConvention" : "soc-{Prefix}contoso{EnvironmentName}-{Suffix}",
5 | "Location": "westeurope",
6 | "ResourceGroup" : {
7 | "Type" : "Automatic"
8 | },
9 | "Resources" :
10 | {
11 | "Sentinel":
12 | {
13 | "Type" : "Literal",
14 | "LogAnalyticsWorkspaceName" : "soc-wecontosoint-log",
15 | "ManagedIdentityName" : "soc-wecontosoint-managedid",
16 | "SentinelConnectionName" : "soc-wecontosoint-sentinelconnection",
17 | "KeyVaultName" : "socwecontosointakv",
18 | "KeyVaultConnectionName" : "socwecontosointakvconnection"
19 | },
20 | "Automation":
21 | {
22 | "Type" : "Automatic"
23 | },
24 | "Integration":
25 | {
26 | "Type" : "Literal",
27 | "EventHubNamespaces" : [
28 | "soc-wecontosoint-eh001"
29 | ],
30 | "StorageAccountName" : "socwecontosointsta"
31 | }
32 | }
33 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connections/AzureActiveDirectory/Azure.AD.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuread')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connections/AzureActiveDirectory/Azure.AD.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weazuread-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connections/Office365/Office365.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/office365')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connections/Office365/Office365.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weoffice365-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/AzureActiveDirectory.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "SignInLogs": true,
3 | "AuditLogs": true,
4 | "NonInteractiveUserSignInLogs": true,
5 | "ServicePrincipalSignInLogs": true,
6 | "ManagedIdentitySignInLogs": true,
7 | "ProvisioningLogs": true,
8 | "KeyVault": "socdap-test-sentinel-kv",
9 | "SecretName": "ImpersonationCredentials",
10 | "ImpersonationEnabled": true
11 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/AzureActiveDirectoryIdentityProtection.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdap-test-sentinel-kv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/AzureActivity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/AzureSecurityCenter.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/MicrosoftCloudAppSecurity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "ProvisioningLogs": "Enabled",
3 | "Alerts": "Enabled",
4 | "KeyVault": "socdap-test-sentinel-kv",
5 | "SecretName": "ImpersonationCredentials",
6 | "ImpersonationEnabled": true
7 | }
8 |
9 |
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/Office365Defender.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdap-test-sentinel-kv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/Office365Logs.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sharepoint": "Enabled",
3 | "Exchange" : "Enabled",
4 | "Teams": "Enabled",
5 | "KeyVault": "socdap-test-sentinel-kv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": true
8 | }
9 |
10 |
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Connectors/ThreatIntelligenceTaxii.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "TaxiiClient": "Enabled",
3 | "TaxiiServer" : "https://contoso-dev.threatconnect.com/api/services/taxii2/v1/tc_taxii",
4 | "CollectionId": "9db1b55a-d303-5d82-b285-277712f5b03c",
5 | "PoolingFrequency": "OnePerHour",
6 | "FriendlyName": "Taxii",
7 | "KeyVault": "socdap-test-sentinel-kv",
8 | "SecretName": "ThreatConnectTaxi",
9 | "ImpersonationEnabled": true
10 | }
11 |
12 |
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Environment.Integration.Definition.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Container": {
4 | "ResourceGroupName" : "socdap-wepreprodsiem-rg",
5 | "Name" : "socdap-wepreprodsiem-eh001",
6 | "Kind" : "EventHub",
7 | "Tables": [
8 | "OfficeActivity",
9 | "SecurityAlert",
10 | "SecurityIncident",
11 | "SigninLogs",
12 | "AuditLogs"
13 | ],
14 | "Capture" : {
15 | "StorageAccountResourceId" : "/subscriptions/9e69aea0-07b2-41b4-8925-db3dd01c7c4f/resourceGroups/socdap-wepreprodsiem-rg/providers/Microsoft.Storage/storageAccounts/socdapwepreprodsiemsta"
16 | }
17 | }
18 | }
19 | ]
--------------------------------------------------------------------------------
/Sentinel/environments/PreProduction/Environment.json:
--------------------------------------------------------------------------------
1 | {
2 | "SubscriptionId": "d75695ac-29e2-4d42-b940-d5281eb6bd08",
3 | "Name" : "Pre",
4 | "NamingConvention" : "soc-{Prefix}contoso{EnvironmentName}-{Suffix}",
5 | "Location": "westeurope",
6 | "ResourceGroup" : {
7 | "Type" : "Automatic"
8 | },
9 | "Resources" :
10 | {
11 | "Sentinel":
12 | {
13 | "Type" : "Automatic"
14 | },
15 | "Automation":
16 | {
17 | "Type" : "Automatic"
18 | },
19 | "Integration":
20 | {
21 | "Type" : "Automatic",
22 | "MaxEventHubNamespaces" : 5
23 | }
24 | }
25 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connections/AzureActiveDirectory/Azure.AD.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuread')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connections/AzureActiveDirectory/Azure.AD.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weazuread-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connections/Office365/Office365.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/office365')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connections/Office365/Office365.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-weoffice365-connection"
7 | },
8 | "account": {
9 | "value": "contoso@contoso.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/AzureActiveDirectory.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "SignInLogs": true,
3 | "AuditLogs": true,
4 | "NonInteractiveUserSignInLogs": true,
5 | "ServicePrincipalSignInLogs": true,
6 | "ManagedIdentitySignInLogs": true,
7 | "ProvisioningLogs": true,
8 | "KeyVault": "socdapweprodsentinelakv",
9 | "SecretName": "ImpersonationCredentials",
10 | "ImpersonationEnabled": true
11 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/AzureActiveDirectoryIdentityProtection.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdapweprodsentinelakv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/AzureActivity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdapweprodsentinelakv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/AzureSecurityCenter.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "9e69aea0-07b2-41b4-8925-db3dd01c7c4f"
4 | ],
5 | "KeyVault": "socdapweprodsentinelakv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": false
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/MicrosoftCloudAppSecurity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "ProvisioningLogs": "Enabled",
3 | "Alerts": "Enabled",
4 | "KeyVault": "socdapweprodsentinelakv",
5 | "SecretName": "ImpersonationCredentials",
6 | "ImpersonationEnabled": true
7 | }
8 |
9 |
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/Office365Defender.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "socdapweprodsentinelakv",
4 | "SecretName": "ImpersonationCredentials",
5 | "ImpersonationEnabled": true
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/Office365Logs.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sharepoint": "Enabled",
3 | "Exchange" : "Enabled",
4 | "Teams": "Enabled",
5 | "KeyVault": "socdapweprodsentinelakv",
6 | "SecretName": "ImpersonationCredentials",
7 | "ImpersonationEnabled": true
8 | }
9 |
10 |
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Connectors/ThreatIntelligenceTaxii.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "TaxiiClient": "Enabled",
3 | "TaxiiServer" : "https://contoso-dev.threatconnect.com/api/services/taxii2/v1/tc_taxii",
4 | "CollectionId": "9db1b55a-d303-5d82-b285-277712f5b03c",
5 | "PoolingFrequency": "OnePerHour",
6 | "FriendlyName": "Taxii",
7 | "KeyVault": "socdapweprodsentinelakv",
8 | "SecretName": "ThreatConnectTaxi"
9 | }
10 |
11 |
--------------------------------------------------------------------------------
/Sentinel/environments/Production/Environment.json:
--------------------------------------------------------------------------------
1 | {
2 | "SubscriptionId": "30ecb500-972c-46a3-9d0f-e2d2c384c47e",
3 | "Name" : "Pro",
4 | "NamingConvention" : "soc-{Prefix}contoso{EnvironmentName}-{Suffix}",
5 | "Location": "westeurope",
6 | "ResourceGroup" : {
7 | "Type" : "Automatic"
8 | },
9 | "Resources" :
10 | {
11 | "Sentinel":
12 | {
13 | "Type" : "Automatic"
14 | },
15 | "Automation":
16 | {
17 | "Type" : "Automatic"
18 | },
19 | "Integration":
20 | {
21 | "Type" : "Automatic",
22 | "MaxEventHubNamespaces" : 5
23 | }
24 | }
25 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connections/AzureActiveDirectory/Azure.AD.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuread')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connections/AzureActiveDirectory/Azure.AD.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "soc-azuread-connection"
7 | },
8 | "account": {
9 | "value": "sentineluser@cloudmcs.onmicrosoft.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connections/Office365/Office365.connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "account": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "defaultValue": "[resourceGroup().location]",
13 | "type": "string"
14 | }
15 | },
16 | "resources": [
17 | {
18 | "type": "Microsoft.Web/connections",
19 | "apiVersion": "2016-06-01",
20 | "name": "[parameters('name')]",
21 | "location": "[parameters('location')]",
22 | "kind": "V1",
23 | "properties": {
24 | "displayName": "[parameters('account')]",
25 | "customParameterValues": {},
26 | "api": {
27 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/office365')]"
28 | }
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connections/Office365/Office365.connection.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "soc-office365-connection"
7 | },
8 | "account": {
9 | "value": "sentineluser@cloudmcs.onmicrosoft.com"
10 | }
11 | }
12 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/AzureActiveDirectory.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "SignInLogs": true,
3 | "AuditLogs": true,
4 | "NonInteractiveUserSignInLogs": true,
5 | "ServicePrincipalSignInLogs": true,
6 | "ManagedIdentitySignInLogs": true,
7 | "ProvisioningLogs": true,
8 | "KeyVault": "managementakv",
9 | "SecretName": "Credential",
10 | "ImpersonationEnabled": true
11 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/AzureActiveDirectoryIdentityProtection.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "managementakv",
4 | "SecretName": "Credential",
5 | "ImpersonationEnabled": true
6 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/AzureActivity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "d75695ac-29e2-4d42-b940-d5281eb6bd08"
4 | ],
5 | "KeyVault": "managementakv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": true
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/AzureSecurityCenter.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Subscriptions": [
3 | "d75695ac-29e2-4d42-b940-d5281eb6bd08"
4 | ],
5 | "KeyVault": "managementakv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": true
8 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/MicrosoftCloudAppSecurity.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "ProvisioningLogs": "Enabled",
3 | "Alerts": "Enabled",
4 | "KeyVault": "managementakv",
5 | "SecretName": "Credential",
6 | "ImpersonationEnabled": true
7 | }
8 |
9 |
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/Office365Defender.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Alerts": "Enabled",
3 | "KeyVault": "managementakv",
4 | "SecretName": "Credential",
5 | "ImpersonationEnabled": true
6 | }
7 |
8 |
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/Office365Logs.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "Sharepoint": "Enabled",
3 | "Exchange" : "Enabled",
4 | "Teams": "Enabled",
5 | "KeyVault": "managementakv",
6 | "SecretName": "Credential",
7 | "ImpersonationEnabled": true
8 | }
9 |
10 |
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Connectors/ThreatIntelligenceTaxii.settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "TaxiiClient": "Enabled",
3 | "TaxiiServer" : "https://contoso-dev.threatconnect.com/api/services/taxii2/v1/tc_taxii",
4 | "CollectionId": "9db1b55a-d303-5d82-b285-277712f5b03c",
5 | "FriendlyName": "Taxii",
6 | "PoolingFrequency": "OnePerHour",
7 | "KeyVault": "socdap-wepre2siem-akv",
8 | "SecretName": "ThreatConnectTaxi"
9 | }
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Environment.Integration.Definition.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Container": {
4 | "ResourceGroupName" : "soc-wecontososiem-rg",
5 | "Name" : "soc-wecontososiem-eh001",
6 | "Kind" : "EventHub",
7 | "Tables": [
8 | "AzureActivity",
9 | "DeviceLogonEvents",
10 | "SecurityIncident"
11 | ],
12 | "Capture" : {
13 | "StorageAccountResourceId" : "/subscriptions/d75695ac-29e2-4d42-b940-d5281eb6bd08/resourceGroups/soc-wecontososiem-rg/providers/Microsoft.Storage/storageAccounts/socwecontososiemsta"
14 | }
15 | }
16 | },
17 | {
18 | "Container": {
19 | "ResourceGroupName" : "soc-wecontososiem-rg",
20 | "Name" : "soc-wecontososiem-eh002",
21 | "Kind" : "EventHub",
22 | "Tables": [
23 | "HuntingBookmark",
24 | "AppServicePlatformLogs"
25 | ],
26 | "Capture" : {
27 | "StorageAccountResourceId" : "/subscriptions/d75695ac-29e2-4d42-b940-d5281eb6bd08/resourceGroups/soc-wecontososiem-rg/providers/Microsoft.Storage/storageAccounts/socwecontososiemsta"
28 | }
29 | }
30 | },
31 | {
32 | "Container": {
33 | "ResourceGroupName" : "soc-wecontososiem-rg",
34 | "Name" : "socwecontososiemsta",
35 | "Kind" : "StorageAccount",
36 | "Tables": [
37 | "HuntingBookmark",
38 | "AppServicePlatformLogs"
39 | ]
40 | }
41 | }
42 | ]
--------------------------------------------------------------------------------
/Sentinel/environments/Test/Environment.json:
--------------------------------------------------------------------------------
1 | {
2 | "SubscriptionId": "d75695ac-29e2-4d42-b940-d5281eb6bd08",
3 | "Name" : "Test",
4 | "NamingConvention" : "soc-{Prefix}contoso{EnvironmentName}-{Suffix}",
5 | "Location": "westeurope",
6 | "ResourceGroup" : {
7 | "Type" : "Automatic"
8 | },
9 | "Resources" :
10 | {
11 | "Sentinel":
12 | {
13 | "Type" : "Automatic"
14 | },
15 | "Automation":
16 | {
17 | "Type" : "Automatic"
18 | },
19 | "Integration":
20 | {
21 | "Type" : "Automatic",
22 | "MaxEventHubNamespaces" : 1
23 | }
24 | }
25 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/App Services/AnalyticRules/AppServicesAVScanFailure.analytics.rule.yaml:
--------------------------------------------------------------------------------
# Scheduled Sentinel analytics rule: raises an Informational alert whenever
# AppServiceAntivirusScanAuditLogs contains a scan whose ScanStatus is "Failed".
# QueryFrequency and QueryPeriod are both PT5H, so consecutive runs cover
# adjacent, non-overlapping 5-hour windows.
1 | AlertRuleTemplateName:
2 | Id: 89baa1a3-ba39-4471-8b83-0e311116ba10
3 | Enabled: true
4 | DisplayName: AppServices AV Scan Failure
5 | Description: Identifies if an AV scan fails in Azure App Services.
# `|2-` is a block scalar with an explicit indentation indicator of 2 and the
# final newline stripped; the sibling AV rule uses plain `|-`. Indentation is not
# visible in this rendering, so confirm both forms yield the same query text.
6 | Query: |2-
7 | let timeframe = ago(1d);
8 | AppServiceAntivirusScanAuditLogs
9 | | where ScanStatus == "Failed"
10 | | extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated
# NOTE(review): `timeframe` is declared but never referenced, so `ago(1d)` has no
# effect; the data window is governed by QueryPeriod (PT5H). Remove the `let` or
# apply it (`| where TimeGenerated >= timeframe`) so the query says what it does.
# NOTE(review): HostCustomEntity is projected but EntityMappings (below) is empty,
# so no entity is attached to the alert; confirm whether a mapping on
# _ResourceId was intended.
11 | SeveritiesFilter:
12 | Severity: Informational
13 | QueryFrequency: PT5H
14 | QueryPeriod: PT5H
15 | TriggerOperator: GreaterThan
16 | TriggerThreshold: 0
17 | Tactics: []
18 | EventGroupSettings:
19 | aggregationKind: SingleAlert
20 | SuppressionDuration: PT5H
21 | SuppressionEnabled: false
22 | IncidentConfiguration:
23 | createIncident: true
24 | groupingConfiguration:
25 | enabled: false
26 | reopenClosedIncident: false
27 | lookbackDuration: PT5H
28 | entitiesMatchingMethod: All
29 | groupByEntities: []
30 | EntityMappings:
31 | Kind: Scheduled
32 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/App Services/AnalyticRules/AppServicesAVScanwithInfectedFiles.analytics.rule.yaml:
--------------------------------------------------------------------------------
# Scheduled Sentinel analytics rule: raises an alert whenever an App Service
# antivirus scan reports NumberOfInfectedFiles greater than zero. QueryFrequency
# and QueryPeriod are both PT5H (adjacent, non-overlapping windows).
1 | AlertRuleTemplateName:
2 | Id: f34ce2f6-e444-43d5-aa8a-8196a588b0b2
3 | Enabled: true
4 | DisplayName: AppServices AV Scan with Infected Files
5 | Description: Identifies if an AV scan finds infected files in Azure App Services.
6 | Query: |-
7 | let timeframe = ago(1d);
8 | AppServiceAntivirusScanAuditLogs
9 | | where NumberOfInfectedFiles > 0
10 | | extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated
# NOTE(review): `timeframe` is declared but never referenced, so `ago(1d)` has no
# effect; the data window is governed by QueryPeriod (PT5H). Remove the `let` or
# reference it in a `where` clause.
# NOTE(review): HostCustomEntity is projected but EntityMappings (below) is empty,
# so no entity is attached to the alert; confirm whether a mapping on
# _ResourceId was intended.
# NOTE(review): a scan that actually found infected files is a positive malware
# finding; confirm that Informational (the same severity as the scan-failure
# rule) is the intended triage level rather than Medium or High.
11 | SeveritiesFilter:
12 | Severity: Informational
13 | QueryFrequency: PT5H
14 | QueryPeriod: PT5H
15 | TriggerOperator: GreaterThan
16 | TriggerThreshold: 0
17 | Tactics: []
18 | EventGroupSettings:
19 | aggregationKind: SingleAlert
20 | SuppressionDuration: PT5H
21 | SuppressionEnabled: false
22 | IncidentConfiguration:
23 | createIncident: true
24 | groupingConfiguration:
25 | enabled: false
26 | reopenClosedIncident: false
27 | lookbackDuration: PT5H
28 | entitiesMatchingMethod: All
29 | groupByEntities: []
30 | EntityMappings:
31 | Kind: Scheduled
32 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/AKSDisableCloudLogsAlerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
# Scheduled Sentinel analytics rule (High, one alert per result): fires on
# AzureActivity records where a resource diagnostic setting is created/updated
# with a log category switched off, or where a diagnostic setting is deleted.
# The sibling .mitre.manifest.json maps it to T1562.008 (Impair Defenses:
# Disable Cloud Logs), which is consistent with the DefenseEvasion tactic below.
1 | AlertRuleTemplateName:
2 | Id: 86e02060-da02-4b2f-8272-db948e5adf6c
3 | Enabled: true
4 | DisplayName: AKS Disable Cloud Logs Alerts
5 | Description: ""
# Query notes (the query is a single double-quoted YAML string with \r\n breaks):
# - Only logs[0] and logs[1] of the request body are inspected, so a diagnostic
#   setting whose disabled category sits at index 2 or later is not detected.
#   Expanding the `logs` array (mv-expand) and testing each element's `enabled`
#   would close that gap.
# - ActivityStatus "Started" is matched rather than "Succeeded", so attempts that
#   later fail also alert; presumably intended for a defense-evasion detection.
# - Nothing scopes the query to AKS resources despite the DisplayName; a
#   diagnostic-setting change on any resource type will match — confirm intent.
# - `sort by TimeGenerated desc` runs before the `where`; filtering first is
#   cheaper and the sort has no effect on a scheduled rule's results.
6 | Query: "AzureActivity \r\n|sort by TimeGenerated desc\r\n| where (\r\n (\r\n OperationName == \"Create or update resource diagnostic setting\"\r\n and \r\n ActivityStatus == \"Started\"\r\n and (tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).logs))[0].enabled) == \"false\"\r\n or \r\n tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).logs))[1].enabled) == \"false\"))\r\n or (OperationName == \"Delete resource diagnostic setting\"\r\n and ActivityStatus == \"Started\"\r\n )\r\n ) \r\n\r\n"
7 | SeveritiesFilter:
8 | Severity: High
# QueryFrequency equals QueryPeriod (PT2H): adjacent, non-overlapping windows.
9 | QueryFrequency: PT2H
10 | QueryPeriod: PT2H
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - DefenseEvasion
15 | EventGroupSettings:
16 | aggregationKind: AlertPerResult
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
# Entities surfaced on the alert: caller IP, caller account and the affected
# Azure resource, all taken directly from AzureActivity columns.
27 | EntityMappings:
28 | - entityType: IP
29 | fieldMappings:
30 | - identifier: Address
31 | columnName: CallerIpAddress
32 | - entityType: Account
33 | fieldMappings:
34 | - identifier: Name
35 | columnName: Caller
36 | - entityType: AzureResource
37 | fieldMappings:
38 | - identifier: ResourceId
39 | columnName: ResourceId
40 | Kind: Scheduled
41 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/AKSDisableCloudLogsAlerts.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "DefenseEvasion",
4 | "Techniques": [
5 | "T1562.008"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/AKSExecutiondetection.analytics.rule.yaml:
--------------------------------------------------------------------------------
# Scheduled Sentinel analytics rule (Medium): forwards SecurityAlert rows from
# ProductName "Azure Security Center" that carry the Execution tactic and whose
# CompromisedEntity mentions "KubernetesService".
1 | AlertRuleTemplateName:
2 | Id: 7272d050-fba2-4622-b397-4cc565845c78
3 | Enabled: true
4 | DisplayName: AKS Execution detection
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where Tactics == "Execution"
10 | | where CompromisedEntity has "KubernetesService"
# NOTE(review): `Tactics == "Execution"` is an exact match; if the Tactics column
# carries several comma-separated tactics, such rows are skipped. `has "Execution"`
# (the operator already used on CompromisedEntity) would match them — confirm intent.
# NOTE(review): QueryPeriod PT56M with QueryFrequency PT5M means each SecurityAlert
# is re-evaluated on up to ~11 consecutive runs while SuppressionEnabled is false,
# so the same upstream alert may raise repeated incidents — confirm intended.
# NOTE(review): the sibling .mitre.manifest.json lists Tactic "DefenseEvasion",
# while this rule declares Execution and the manifest's techniques T1204 (User
# Execution) and T1053 (Scheduled Task/Job) are catalogued under Execution in
# ATT&CK; one of the two files should be corrected.
11 | SeveritiesFilter:
12 | Severity: Medium
13 | QueryFrequency: PT5M
14 | QueryPeriod: PT56M
15 | TriggerOperator: GreaterThan
16 | TriggerThreshold: 0
17 | Tactics:
18 | - Execution
19 | EventGroupSettings:
20 | aggregationKind: SingleAlert
21 | SuppressionDuration: PT5H
22 | SuppressionEnabled: false
23 | IncidentConfiguration:
24 | createIncident: true
25 | groupingConfiguration:
26 | enabled: false
27 | reopenClosedIncident: false
28 | lookbackDuration: PT5H
29 | entitiesMatchingMethod: All
30 | groupByEntities: []
# Only the affected Azure resource is attached as an entity.
31 | EntityMappings:
32 | - entityType: AzureResource
33 | fieldMappings:
34 | - identifier: ResourceId
35 | columnName: ResourceId
36 | Kind: Scheduled
37 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/AKSExecutiondetection.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "DefenseEvasion",
4 | "Techniques": [
5 | "T1204",
6 | "T1053"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/AbilitytomonitorAKSContaineronAzure(PodsandClusters).analytics.rule.yaml:
--------------------------------------------------------------------------------
# Scheduled Sentinel analytics rule (Medium): matches every AzureDiagnostics row
# with ResourceType "MICROSOFT.CONTAINERSERVICE" in each 5-minute window.
1 | AlertRuleTemplateName:
2 | Id: a1d4fd58-3c38-448a-856c-1494fa438c04
3 | Enabled: true
4 | DisplayName: Ability to monitor AKS / Container on Azure (Pods and Clusters)
5 | Description: IMP_ Ability to monitor AKS / Container on Azure (Pods and Clusters)
6 | Query: |-
7 | AzureDiagnostics
8 | | where ResourceType == "MICROSOFT.CONTAINERSERVICE"
# NOTE(review): with no further filter, TriggerThreshold 0 and createIncident true,
# this rule opens a Medium incident on every run in which any AKS diagnostic row
# arrives. Given the Description ("Ability to monitor ..."), it reads as a
# log-ingestion visibility check rather than a threat detection; if so, a lower
# severity or a health check that does not create incidents would avoid a constant
# stream of Medium incidents — confirm intent.
# NOTE(review): `Tactics:` is null here while sibling rules use `[]`, and
# EventGroupSettings has no `aggregationKind`; confirm the deployment tooling
# accepts both. EntityMappings is empty, so no entity is attached to the alert.
9 | SeveritiesFilter:
10 | Severity: Medium
11 | QueryFrequency: PT5M
12 | QueryPeriod: PT5M
13 | TriggerOperator: GreaterThan
14 | TriggerThreshold: 0
15 | Tactics:
16 | EventGroupSettings:
17 | SuppressionDuration: PT1H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5M
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/ContainerDeploymentfromunkownIPAddress.analytics.rule.yaml:
--------------------------------------------------------------------------------
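# Scheduled Sentinel analytics rule (High, one alert per result): alerts on
# "Create or Update Container Registry" operations whose CallerIpAddress does not
# fall inside any CIDR held in the IP_Address column of the CIDR_Paw watchlist.
# _GetWatchlist requires that watchlist to exist in the workspace.
1 | AlertRuleTemplateName:
2 | Id: c6f11675-f031-47a5-80fa-4487ba5b6a46
3 | Enabled: true
4 | DisplayName: Container Deployment from unkown IPAddress
5 | Description: ""
# Query (single double-quoted YAML string, \r\n line breaks):
# - registryOps is the set of registry create/update operations in the window.
# - The inner mv-apply keeps the subset whose CallerIpAddress matches an
#   allow-listed CIDR (ipv4_is_match accepts prefix notation).
# - The left-anti join returns every operation in registryOps with no
#   allow-listed match, i.e. the deployments from unknown addresses.
# Fix: the previous query put the already-matched subset on the LEFT and all of
# AzureActivity on the RIGHT of the anti join, so every left row had a partner
# on the right and the rule could never return a result.
6 | Query: "let lookup = toscalar(_GetWatchlist('CIDR_Paw')|project IP_Address |summarize l=make_list(IP_Address));\r\nlet registryOps = AzureActivity\r\n| where OperationName == \"Create or Update Container Registry\"\r\n| where ActivityStatus == \"Started\";\r\nregistryOps\r\n| join kind=anti (\r\n registryOps\r\n | mv-apply l=lookup to typeof(string) on\r\n (\r\n where ipv4_is_match (CallerIpAddress, l)\r\n )\r\n) on EventDataId"
7 | SeveritiesFilter:
8 | Severity: High
# QueryFrequency equals QueryPeriod (PT5M): adjacent, non-overlapping windows.
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - DefenseEvasion
# NOTE(review): the sibling .mitre.manifest.json lists Tactic "Execution" with
# technique T1036.005, whereas this rule declares DefenseEvasion and ATT&CK
# catalogues T1036.005 (Masquerading: Match Legitimate Name or Location) under
# Defense Evasion; the manifest's Tactic looks like the one to correct.
15 | EventGroupSettings:
16 | aggregationKind: AlertPerResult
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
# Entities surfaced on the alert: caller IP, the affected Azure resource and the
# caller account, all taken directly from AzureActivity columns.
27 | EntityMappings:
28 | - entityType: IP
29 | fieldMappings:
30 | - identifier: Address
31 | columnName: CallerIpAddress
32 | - entityType: AzureResource
33 | fieldMappings:
34 | - identifier: ResourceId
35 | columnName: ResourceId
36 | - entityType: Account
37 | fieldMappings:
38 | - identifier: Name
39 | columnName: Caller
40 | Kind: Scheduled
41 |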
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/ContainerDeploymentfromunkownIPAddress.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Execution",
4 | "Techniques": [
5 | "T1036.005"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/NetworkServiceScanning.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 4ff141aa-ffae-4d58-a554-539b1ac386a7
3 | Enabled: true
4 | DisplayName: Network Service Scanning
5 | Description: Possible outgoing port scanning activity detected
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where AlertName == "Possible outgoing port scanning activity detected"
10 | SeveritiesFilter:
11 | Severity: Medium
12 | QueryFrequency: PT5M
13 | QueryPeriod: PT6M
14 | TriggerOperator: GreaterThan
15 | TriggerThreshold: 0
16 | Tactics:
17 | - Discovery
18 | EventGroupSettings:
19 | aggregationKind: SingleAlert
20 | SuppressionDuration: PT5H
21 | SuppressionEnabled: false
22 | IncidentConfiguration:
23 | createIncident: true
24 | groupingConfiguration:
25 | enabled: false
26 | reopenClosedIncident: false
27 | lookbackDuration: PT5H
28 | entitiesMatchingMethod: All
29 | groupByEntities: []
30 | EntityMappings:
31 | - entityType: AzureResource
32 | fieldMappings:
33 | - identifier: ResourceId
34 | columnName: ResourceId
35 | Kind: Scheduled
36 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/AnalyticsRules/NetworkServiceScanning.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Discovery",
4 | "Techniques": [
5 | "T1046"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/Watchlists/CIDR_Paw.csv:
--------------------------------------------------------------------------------
1 | IP_Address, Location
2 | 82.158.139.106, Source1
3 | 81.37.37.88, Source2
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure Kubernetes/Watchlists/CIDR_Paw.watchlist.metadata.json:
--------------------------------------------------------------------------------
1 | {
2 | "Name" : "CIDR_Paw",
3 | "Description" : "Privileged Access Workstations IPs",
4 | "Source" : "CIDR_Paw.csv",
5 | "Provider" : "Contoso"
6 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQL-Unusualexportlocation.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: d47169c8-6f99-49b5-839b-3d7c5e87a0ac
3 | Enabled: true
4 | DisplayName: SQL - Unusual export location
5 | Description: Someone has extracted a massive amount of data from your SQL Server to an unusual location.
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where CompromisedEntity has "SQL"
10 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
11 | | where AlertType has "DataExfiltration.ImportExportLocationAnomaly"
12 | | extend Client_IP_Address_ = tostring(parse_json(ExtendedProperties).["Client IP Address"])
13 | | extend Client_Application_ = tostring(parse_json(ExtendedProperties).["Client Application"])
14 | | extend Client_Principal_Name_ = tostring(parse_json(ExtendedProperties).["Client Principal Name"])
15 | | extend Storage_Name_ = tostring(parse_json(ExtendedProperties).["Storage Name"])
16 | SeveritiesFilter:
17 | Severity: Medium
18 | QueryFrequency: PT5M
19 | QueryPeriod: PT6M
20 | TriggerOperator: GreaterThan
21 | TriggerThreshold: 0
22 | Tactics:
23 | - Exfiltration
24 | EventGroupSettings:
25 | aggregationKind: AlertPerResult
26 | SuppressionDuration: PT5H
27 | SuppressionEnabled: false
28 | IncidentConfiguration:
29 | createIncident: true
30 | groupingConfiguration:
31 | enabled: false
32 | reopenClosedIncident: false
33 | lookbackDuration: PT5H
34 | entitiesMatchingMethod: All
35 | groupByEntities: []
36 | EntityMappings:
37 | - entityType: AzureResource
38 | fieldMappings:
39 | - identifier: ResourceId
40 | columnName: ResourceId
41 | - entityType: Account
42 | fieldMappings:
43 | - identifier: Name
44 | columnName: Client_Principal_Name_
45 | - entityType: CloudApplication
46 | fieldMappings:
47 | - identifier: Name
48 | columnName: Client_Application_
49 | - identifier: InstanceName
50 | columnName: Storage_Name_
51 | - entityType: IP
52 | fieldMappings:
53 | - identifier: Address
54 | columnName: Client_IP_Address_
55 | Kind: Scheduled
56 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQL-UseBruteForcetoobtainvalidSQLcredentials.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 825dd589-32ac-436b-91fb-a99f0c233894
3 | Enabled: true
4 | DisplayName: SQL - Use Brute Force to obtain valid SQL credentials
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where CompromisedEntity has "SQL"
10 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
11 | | where AlertName has "SQL Brute Force"
12 | | where Type == "SecurityAlert"
13 | | extend Address_ = tostring(parse_json(Entities)[0].Address)
14 | | extend City_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).City)
15 | | extend CountryName_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).CountryName)
16 | | extend Client_Principal_Name_ = tostring(parse_json(ExtendedProperties).["Client Principal Name"])
17 | | extend Client_Application_ = tostring(parse_json(ExtendedProperties).["Client Application"])
18 | SeveritiesFilter:
19 | Severity: High
20 | QueryFrequency: PT5M
21 | QueryPeriod: PT6M
22 | TriggerOperator: GreaterThan
23 | TriggerThreshold: 0
24 | Tactics:
25 | - CredentialAccess
26 | EventGroupSettings:
27 | aggregationKind: AlertPerResult
28 | SuppressionDuration: PT5H
29 | SuppressionEnabled: false
30 | IncidentConfiguration:
31 | createIncident: true
32 | groupingConfiguration:
33 | enabled: false
34 | reopenClosedIncident: false
35 | lookbackDuration: PT5H
36 | entitiesMatchingMethod: All
37 | groupByEntities: []
38 | EntityMappings:
39 | - entityType: AzureResource
40 | fieldMappings:
41 | - identifier: ResourceId
42 | columnName: ResourceId
43 | - entityType: IP
44 | fieldMappings:
45 | - identifier: Address
46 | columnName: Address_
47 | - entityType: Account
48 | fieldMappings:
49 | - identifier: Name
50 | columnName: Client_Principal_Name_
51 | Kind: Scheduled
52 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQL-UseBruteForcetoobtainvalidSQLcredentials.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQL-securitycenteralerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: de3c4f3c-8943-4eba-b58c-0cf78d589ef7
3 | Enabled: true
4 | DisplayName: SQL-security center alerts
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where CompromisedEntity has "SQL"
10 | | extend Client_IP_Address_ = tostring(parse_json(ExtendedProperties).["Client IP Address"])
11 | | extend Client_Principal_Name_ = tostring(parse_json(ExtendedProperties).["Client Principal Name"])
12 | SeveritiesFilter:
13 | Severity: Medium
14 | QueryFrequency: PT5M
15 | QueryPeriod: PT6M
16 | TriggerOperator: GreaterThan
17 | TriggerThreshold: 0
18 | Tactics:
19 | - Exfiltration
20 | EventGroupSettings:
21 | aggregationKind: AlertPerResult
22 | SuppressionDuration: PT5H
23 | SuppressionEnabled: false
24 | IncidentConfiguration:
25 | createIncident: true
26 | groupingConfiguration:
27 | enabled: false
28 | reopenClosedIncident: false
29 | lookbackDuration: PT5H
30 | entitiesMatchingMethod: All
31 | groupByEntities: []
32 | EntityMappings:
33 | - entityType: AzureResource
34 | fieldMappings:
35 | - identifier: ResourceId
36 | columnName: ResourceId
37 | - entityType: IP
38 | fieldMappings:
39 | - identifier: Address
40 | columnName: Client_IP_Address_
41 | - entityType: Account
42 | fieldMappings:
43 | - identifier: AadUserId
44 | columnName: Client_Principal_Name_
45 | Kind: Scheduled
46 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQLInjection.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Defense Evasion",
4 | "Techniques": [
5 | "T1055"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQLSign-SQLSign-ineventfromunfamiliarlocation.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQLSign-ineventfromasuspiciousIP.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 587ed7ec-78c6-4efc-9502-274da7dbad81
3 | Enabled: true
4 | DisplayName: SQL Sign-in event from a suspicious IP
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where CompromisedEntity has "SQL"
9 | | where AlertName has "from a suspicious IP"
10 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
11 | | extend Client_Hostname_ = tostring(parse_json(ExtendedProperties).["Client Hostname"])
12 | | extend Client_IP_Address_ = tostring(parse_json(ExtendedProperties).["Client IP Address"])
13 | | extend Client_IP_Location_ = tostring(parse_json(ExtendedProperties).["Client IP Location"])
14 | | extend Client_Principal_Name_ = tostring(parse_json(ExtendedProperties).["Client Principal Name"])
15 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
16 | | extend 0_ = tostring(parse_json(RemediationSteps)[0])
17 | | extend City_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).City)
18 | | extend CountryName_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).CountryName)
19 | SeveritiesFilter:
20 | Severity: Medium
21 | QueryFrequency: PT5M
22 | QueryPeriod: PT6M
23 | TriggerOperator: GreaterThan
24 | TriggerThreshold: 0
25 | Tactics:
26 | - InitialAccess
27 | EventGroupSettings:
28 | aggregationKind: SingleAlert
29 | SuppressionDuration: PT5H
30 | SuppressionEnabled: false
31 | IncidentConfiguration:
32 | createIncident: true
33 | groupingConfiguration:
34 | enabled: false
35 | reopenClosedIncident: false
36 | lookbackDuration: PT5H
37 | entitiesMatchingMethod: All
38 | groupByEntities: []
39 | EntityMappings:
40 | - entityType: AzureResource
41 | fieldMappings:
42 | - identifier: ResourceId
43 | columnName: ResourceId
44 | - entityType: Account
45 | fieldMappings:
46 | - identifier: Name
47 | columnName: Client_Principal_Name_
48 | - entityType: Host
49 | fieldMappings:
50 | - identifier: HostName
51 | columnName: Client_Hostname_
52 | - entityType: IP
53 | fieldMappings:
54 | - identifier: Address
55 | columnName: Client_IP_Address_
56 | Kind: Scheduled
57 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQLSign-ineventfromasuspiciousIP.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Azure SQL/AnalyticRules/SQLSign-ineventfromunfamiliarlocation.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 8cdfdf14-e80d-4a09-b97d-1628c583c5a7
3 | Enabled: true
4 | DisplayName: SQL Sign-in event from unfamiliar location
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where CompromisedEntity has "SQL"
9 | | where AlertName has "Logon from an unusual location"
10 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
11 | | where AlertType has "GeoAnomaly"
12 | | extend Client_Hostname_ = tostring(parse_json(ExtendedProperties).["Client Hostname"])
13 | | extend Client_IP_Address_ = tostring(parse_json(ExtendedProperties).["Client IP Address"])
14 | | extend Client_IP_Location_ = tostring(parse_json(ExtendedProperties).["Client IP Location"])
15 | | extend Client_Principal_Name_ = tostring(parse_json(ExtendedProperties).["Client Principal Name"])
16 | | where parse_json(ExtendedProperties).resourceType == "SQL Database"
17 | | extend 0_ = tostring(parse_json(RemediationSteps)[0])
18 | | extend City_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).City)
19 | | extend CountryName_ = tostring(parse_json(tostring(parse_json(Entities)[0].Location)).CountryName)
20 | SeveritiesFilter:
21 | Severity: Medium
22 | QueryFrequency: PT5M
23 | QueryPeriod: PT6M
24 | TriggerOperator: GreaterThan
25 | TriggerThreshold: 0
26 | Tactics:
27 | - InitialAccess
28 | EventGroupSettings:
29 | aggregationKind: SingleAlert
30 | SuppressionDuration: PT5H
31 | SuppressionEnabled: false
32 | IncidentConfiguration:
33 | createIncident: true
34 | groupingConfiguration:
35 | enabled: false
36 | reopenClosedIncident: false
37 | lookbackDuration: PT5H
38 | entitiesMatchingMethod: All
39 | groupByEntities: []
40 | EntityMappings:
41 | - entityType: AzureResource
42 | fieldMappings:
43 | - identifier: ResourceId
44 | columnName: ResourceId
45 | - entityType: Account
46 | fieldMappings:
47 | - identifier: Name
48 | columnName: Client_Principal_Name_
49 | - entityType: Host
50 | fieldMappings:
51 | - identifier: HostName
52 | columnName: Client_Hostname_
53 | - entityType: IP
54 | fieldMappings:
55 | - identifier: Address
56 | columnName: Client_IP_Address_
57 | Kind: Scheduled
58 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AlertAndPlaybooksConnections/CompromisedAccounts.analytics.rule.playbooks.json:
--------------------------------------------------------------------------------
1 | {
2 | "ActionId" : "NonValidIPsAzureAD",
3 | "AlertRuleId" : "c75150d3-73be-4bad-884d-58a2c0146569",
4 | "Playbook" : "socdap-wecompromisedaccount-playbook"
5 | }
6 |
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AnomalousAzureActiveDirectoryappsbasedonauthenticationlocation.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 46497b01-4c42-454e-9097-948c7d170181
3 | Enabled: true
4 | DisplayName: Anomalous Azure Active Directory apps based on authentication location
5 | Description: Anomalous Azure Active Directory apps based on authentication location
6 | Query: "let timeRange=ago(14d);\nlet azureSignIns = \nSigninLogs\n| where TimeGenerated >= timeRange\n| where SourceSystem == \"Azure AD\"\n| where OperationName == \"Sign-in activity\"\n| project TimeGenerated, OperationName, AppDisplayName , Identity, UserId, UserPrincipalName, Location, LocationDetails, \nClientAppUsed, DeviceDetail, ConditionalAccessPolicies;\nazureSignIns\n| extend locationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", \ntostring(LocationDetails[\"state\"]), \"/\", tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n| summarize rawSigninCount = count(), countByAccount = dcount(UserId), locationCount = dcount(locationString) by AppDisplayName\n// tail - pick a threshold to rule out the very-high volume Azure AD apps\n| where rawSigninCount < 1000\n// more locations than accounts\n| where locationCount>countByAccount\n// almost as many / more locations than sign-ins!\n| where 1.0*rawSigninCount / locationCount > 0.8 \n| order by rawSigninCount desc\n| join kind = leftouter (\n azureSignIns \n) on AppDisplayName \n| project AppDisplayName, TimeGenerated , Identity, rawSigninCount, countByAccount, locationCount, \nlocationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", \ntostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"])), UserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName \n| order by AppDisplayName, TimeGenerated desc"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AnomalousAzureActiveDirectoryappsbasedonauthenticationlocation.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1528"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttemptstosignintodisabledaccountsbyIPaddress.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: f384b9ee-f954-449e-88f0-25a9e4710719
3 | Enabled: true
4 | DisplayName: Attempts to sign in to disabled accounts by IP address
5 | Description: Attempts to sign in to disabled accounts by IP address
6 | Query: "let timeRange = 14d;\nSigninLogs \n| where TimeGenerated >= ago(timeRange)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), numberAccountsTargeted = dcount(UserPrincipalName), \nnumberApplicationsTargeted = dcount(AppDisplayName), accountSet = makeset(UserPrincipalName), applicationSet=makeset(AppDisplayName), \nnumberLoginAttempts = count() by IPAddress\n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress\n| order by numberLoginAttempts desc"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - Persistence
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttemptstosignintodisabledaccountsbyIPaddress.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/Attemptstosignintodisabledaccountsbyaccountname.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 142171b9-e3b1-4d4a-9587-de7afb640eed
3 | Enabled: true
4 | DisplayName: Attempts to sign in to disabled accounts by account name
5 | Description: Attempts to sign in to disabled accounts by account name
6 | Query: "let timeRange = 14d;\nSigninLogs \n| where TimeGenerated >= ago(timeRange)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by AppDisplayName, UserPrincipalName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName\n| order by count_ desc"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/Attemptstosignintodisabledaccountsbyaccountname.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110",
6 | "T1110.003"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttempttoLoginwithDisabledAccount.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: c617a351-ba2f-4641-b0a2-79be4cf2a44a
3 | Enabled: true
4 | DisplayName: Attempt to Login with Disabled Account
5 | Description: ""
6 | Query: |-
7 | SigninLogs
8 | |where ResultType == 50057
9 | | project IPCustomEntity = IPAddress, HostCustomEntity = AppDisplayName , AccountCustomEntity = UserPrincipalName
10 | SeveritiesFilter:
11 | Severity: Medium
12 | QueryFrequency: PT5M
13 | QueryPeriod: PT5M
14 | TriggerOperator: GreaterThan
15 | TriggerThreshold: 0
16 | Tactics:
17 | - InitialAccess
18 | - CredentialAccess
19 | EventGroupSettings:
20 | aggregationKind: SingleAlert
21 | SuppressionDuration: PT5H
22 | SuppressionEnabled: false
23 | IncidentConfiguration:
24 | createIncident: true
25 | groupingConfiguration:
26 | enabled: false
27 | reopenClosedIncident: false
28 | lookbackDuration: PT5H
29 | entitiesMatchingMethod: All
30 | groupByEntities: []
31 | EntityMappings:
32 | Kind: Scheduled
33 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttempttoLoginwithDisabledAccount.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | },
9 | {
10 | "Tactic" : "Persistence",
11 | "Techniques": [
12 | "T1078.001",
13 | "T1078.004"
14 | ]
15 | }
16 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttempttobypassconditionalaccessruleinAzureAD.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: d43c1718-1df1-45d4-bd19-2052bbece412
3 | Enabled: true
4 | DisplayName: Attempt to bypass conditional access rule in Azure AD
5 | Description: Attempt to bypass conditional access rule in Azure AD
6 | Query: "let timeRange = ago(1d);\nlet threshold = 1;\nSigninLogs\n| where TimeGenerated >= timeRange\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Status = makelist(Status), StatusDetails = makelist(StatusDetails), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress) , CorrelationIds = makelist(CorrelationId) by UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = makeset(IPAddresses), Status = makeset(Status), CorrelationIds = makeset(CorrelationIds) by StartTimeUtc, EndTimeUtc, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), Location, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - InitialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AttempttobypassconditionalaccessruleinAzureAD.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | },
9 | {
10 | "Tactic" : "Persistence",
11 | "Techniques": [
12 | "T1078.001",
13 | "T1078.004"
14 | ]
15 | }
16 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureAD-ImpossibleTravel.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: c75150d3-73be-4bad-884d-58a2c0146569
3 | Enabled: true
4 | DisplayName: Azure AD - Impossible Travel
5 | Description: ""
6 | Query: |2-
7 | SigninLogs
8 | | where ResultType == 0
9 | | summarize CountOfLocations = dcount(Location), ips = make_list(IPAddress) ,Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName
10 | | where CountOfLocations > 1
11 | | extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName
12 | SeveritiesFilter:
13 | Severity: Medium
14 | QueryFrequency: PT5M
15 | QueryPeriod: PT5M
16 | TriggerOperator: GreaterThan
17 | TriggerThreshold: 0
18 | Tactics:
19 | - InitialAccess
20 | - DefenseEvasion
21 | - CredentialAccess
22 | - PreAttack
23 | EventGroupSettings:
24 | aggregationKind: SingleAlert
25 | SuppressionDuration: PT5H
26 | SuppressionEnabled: false
27 | IncidentConfiguration:
28 | createIncident: true
29 | groupingConfiguration:
30 | enabled: false
31 | reopenClosedIncident: false
32 | lookbackDuration: PT5H
33 | entitiesMatchingMethod: All
34 | groupByEntities: []
35 | EntityMappings:
36 | Kind: Scheduled
37 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureActiveDirectorysigninsfromnewlocations.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 378426db-f836-408f-a362-afc2e706d345
3 | Enabled: true
4 | DisplayName: Azure Active Directory signins from new locations
5 | Description: Azure Active Directory signins from new locations
6 | Query: "let starttime = 14d;\nlet endtime = 1d;\nlet countThreshold = 1;\nSigninLogs\n| where TimeGenerated >= ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), perIdentityAuthCount = count() \nby Identity, locationString = strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", \ntostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), distinctAccountCount = count(), identityList=makeset(Identity) by locationString\n| extend identityList = iff(distinctAccountCount<10, identityList, \"multiple (>10)\")\n| join kind= anti (\nSigninLogs\n | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n | project locationString= strcat(tostring(LocationDetails[\"countryOrRegion\"]), \"/\", tostring(LocationDetails[\"state\"]), \"/\", \n tostring(LocationDetails[\"city\"]), \";\" , tostring(LocationDetails[\"geoCoordinates\"]))\n | summarize priorCount = count() by locationString\n) \non locationString\n// select threshold above which #new accounts from a new location is deemed suspicious\n| where distinctAccountCount > countThreshold\n| extend timestamp = StartTimeUtc"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - InitialAccess
15 | - CredentialAccess
16 | EventGroupSettings:
17 | SuppressionDuration: PT1H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5M
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureActiveDirectorysigninsfromnewlocations.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | },
9 | {
10 | "Tactic" : "Persistence",
11 | "Techniques": [
12 | "T1078.001",
13 | "T1078.004"
14 | ]
15 | }
16 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureResourceManagementfromNonApprovedIP.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 55730c81-1710-4659-b365-31021e50e05b
3 | Enabled: true
4 | DisplayName: Azure Resource Management from Non Approved IP
5 | Description: ""
6 | Query: |-
7 | let iplist =_GetWatchlist('IP_Whitelist');
8 | AzureActivity
9 | |where ActivitySubstatus <> ""
10 | | join kind=leftantisemi iplist on ($left.CallerIpAddress == $right.IP_Address)
11 | | extend AccountCustomEntity = Caller
12 | | extend IPCustomEntity = CallerIpAddress
13 | | extend HostCustomEntity = SourceSystem
14 | SeveritiesFilter:
15 | Severity: Medium
16 | QueryFrequency: PT5M
17 | QueryPeriod: PT5M
18 | TriggerOperator: GreaterThan
19 | TriggerThreshold: 0
20 | Tactics:
21 | - Impact
22 | EventGroupSettings:
23 | aggregationKind: AlertPerResult
24 | SuppressionDuration: PT5H
25 | SuppressionEnabled: false
26 | IncidentConfiguration:
27 | createIncident: true
28 | groupingConfiguration:
29 | enabled: true
30 | reopenClosedIncident: false
31 | lookbackDuration: PT1H
32 | entitiesMatchingMethod: All
33 | groupByEntities: []
34 | EntityMappings:
35 | Kind: Scheduled
36 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureResourceManagementfromNonApprovedIP.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Impact",
4 | "Techniques": [
5 | "T1499.004"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureSecurityCenter-MFAmustbeenable.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: 90586451-7ba8-4c1e-9904-7d1b7c3cc4d6
2 | Id: b48f6c23-9474-485f-9c60-5c428d6f7355
3 | Enabled: true
4 | DisplayName: Azure Security Center - MFA must be enabled
5 | Description: Create incidents based on all alerts generated in Azure Security Center
6 | SeveritiesFilter:
7 | DisplayNamesExcludeFilter:
8 | DisplayNamesFilter:
9 | - MFA should be enabled on accounts
10 | ProductFilter: Azure Security Center
11 | Tactics:
12 | - InitialAccess
13 | Kind: MicrosoftSecurityIncidentCreation
14 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/AzureSecurityCenter-MFAmustbeenable.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/BruteforceattackagainstAzurePortal.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: a8a74e6a-23bc-4861-a440-2af4dbffa8ad
3 | Enabled: true
4 | DisplayName: Brute force attack against Azure Portal
5 | Description: Brute force attack against Azure Portal
6 | Query: "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet timeRange = 1d;\nlet authenticationWindow = 20m;\nSigninLogs\n| where TimeGenerated >= ago(timeRange)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| where AppDisplayName contains \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress "
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/BruteforceattackagainstAzurePortal.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/CreateincidentsbasedonAzureActiveDirectoryIdentityProtectionalerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: 532c1811-79ee-4d9f-8d4d-6304c840daa1
2 | Id: aecb0ccf-af13-4c47-822d-63f39b54785d
3 | Enabled: true
4 | DisplayName: Create incidents based on Azure Active Directory Identity Protection alerts
5 | Description: Create incidents based on all alerts generated in Azure Active Directory Identity Protection
6 | SeveritiesFilter:
7 | - High
8 | DisplayNamesExcludeFilter:
9 | DisplayNamesFilter:
10 | ProductFilter: Azure Active Directory Identity Protection
11 | Tactics:
12 | Kind: MicrosoftSecurityIncidentCreation
13 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/Detectbruteforceloginattemptswithgeographicinformation.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/FailedattempttoaccessAzurePortal.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: f4557840-fba6-4f0e-80d2-f121e97314a4
3 | Enabled: true
4 | DisplayName: Failed attempt to access Azure Portal
5 | Description: Failed attempt to access Azure Portal
6 | Query: "let timeRange=ago(7d);\nSigninLogs\n| where TimeGenerated >= timeRange\n| where AppDisplayName contains \"Azure Portal\"\n// 50126 - Invalid username or password, or invalid on-premises username or password.\n// 50020? - The user doesn't exist in the tenant.\n| where ResultType in ( \"50126\" , \"50020\")\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress), \nmakeset(OS), makeset(Browser), makeset(City), AttemptCount = count() \nby UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName\n| sort by AttemptCount"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/FailedattempttoaccessAzurePortal.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1528"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/LoginattemptbyBlockedMFAuser.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 361678fa-94e9-433b-91c1-fd97d97e200c
3 | Enabled: true
4 | DisplayName: Login attempt by Blocked MFA user
5 | Description: Login attempt by Blocked MFA user
6 | Query: "let timeframe = 5m;\nAuditLogs \n| where TimeGenerated >= ago(timeframe) \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - InitialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/LoginattemptbyBlockedMFAuser.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/MFAdisabledforauser.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 4e43380d-2ba5-4e59-af7a-5ffae5fd25df
3 | Enabled: true
4 | DisplayName: MFA disabled for a user
5 | Description: MFA disabled for a user
6 | Query: "let timeframe = 5m;\n(union isfuzzy=true\n(AuditLogs \n| where TimeGenerated >= ago(timeframe) \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| where TimeGenerated >= ago(timeframe)\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | EventGroupSettings:
15 | SuppressionDuration: PT1H
16 | SuppressionEnabled: false
17 | IncidentConfiguration:
18 | createIncident: true
19 | groupingConfiguration:
20 | enabled: false
21 | reopenClosedIncident: false
22 | lookbackDuration: PT5M
23 | entitiesMatchingMethod: All
24 | groupByEntities: []
25 | EntityMappings:
26 | Kind: Scheduled
27 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/MFAdisabledforauser.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.001",
6 | "T1078.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/PasswordsprayattackagainstAzureADapplication.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/PermutationsonlogonattemptsbyUserPrincipalNamesindicatingpotentialbruteforce.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/AnalyticsRules/Suspiciousgrantingofpermissionstoanaccount.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 54adbbd7-46e4-4886-bab8-424c51d4db7f
3 | Enabled: true
4 | DisplayName: Suspicious granting of permissions to an account
5 | Description: Suspicious granting of permissions to an account
6 | Query: "let starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationName == \"Create role assignment\";\ncreateRoleAssignmentActivity \n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus), \nOperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count() \nby ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | EventGroupSettings:
15 | SuppressionDuration: PT1H
16 | SuppressionEnabled: false
17 | IncidentConfiguration:
18 | createIncident: true
19 | groupingConfiguration:
20 | enabled: false
21 | reopenClosedIncident: false
22 | lookbackDuration: PT5M
23 | entitiesMatchingMethod: All
24 | groupByEntities: []
25 | EntityMappings:
26 | Kind: Scheduled
27 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/Playbooks/Compromised_Account_Mitigation.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-[settings('location').Id]compromisedaccount-playbook"
7 | },
8 | "SentinelConnectionId": {
9 | "value": "[settings('azuresentinel').Id]"
10 | },
11 | "SentinelManagedIdentity": {
12 | "value": "[settings('managedidentity').Name]"
13 | },
14 | "AzureADConnectionId": {
15 | "value": "[settings('azuread').Id]"
16 | },
17 | "Microsoft365ConnectionId": {
18 | "value": "[settings('office365').Id]"
19 | },
20 | "Location": {
21 | "value": "[settings('location').Name]"
22 | }
23 | }
24 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/Playbooks/Login_Deviation_Behavior.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-[settings('location').Id]logindeviationbehavior-playbook"
7 | },
8 | "sentinelConnectionId": {
9 | "value": "[settings('azuresentinel').Id]"
10 | },
11 | "emailNotification": {
12 | "value": "contoso@Contoso.com"
13 | },
14 | "sentinelManagedIdentity": {
15 | "value": "[settings('managedidentity').Name]"
16 | },
17 | "azureADConnectionId": {
18 | "value": "[settings('azuread').Id]"
19 | },
20 | "microsoft365ConnectionId": {
21 | "value": "[settings('office365').Id]"
22 | },
23 | "keyVaultConnectionId": {
24 | "value": "[settings('keyvault').Id]"
25 | },
26 | "location": {
27 | "value": "[settings('location').Name]"
28 | }
29 | }
30 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/Watchlists/IP_Whitelist.csv:
--------------------------------------------------------------------------------
1 | IP_Address, Location
2 | 82.158.139.106, Source1
3 | 81.37.37.88, Source2
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/AzureActiveDirectory/Watchlists/IP_Whitelist.watchlist.metadata.json:
--------------------------------------------------------------------------------
1 | {
2 | "Name" : "IP_Whitelist",
3 | "Description" : "Whitelist of approved IP addresses used by the Non-Approved IP detection rule",
4 | "Source" : "IP_Whitelist.csv",
5 | "Provider" : "Contoso"
6 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/MITRE/Workbooks/MITRE.workbook.metadata.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "Name" : "MITRE ATT&CK Workbook",
3 | "WorkbookId": "f8b67c5a-c698-4efe-b763-9144bdd04a01"
4 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Machine Learning/AnalyticsRules/AdvancedMultistageAttackDetection.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: f71aba3d-28fb-450b-b192-4e76a83015c8
2 | Id: c2d0b297-720b-4b47-bf5f-0bf872f27a1b
3 | DisplayName: Advanced Multistage Attack Detection
4 | Description: |-
5 | Using Fusion technology based on machine learning, Azure Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.
6 |
7 | There are a total of 90 Fusion incident types detected by Azure Sentinel.
8 |
9 | To detect these multistage attacks, the following data connectors must be configured:
10 | - Azure Active Directory Identity Protection.
11 | - Microsoft Cloud App Security.
12 | - Microsoft Defender for Endpoint.
13 | - Azure Defender.
14 | - Palo Alto Networks.
15 |
16 | For a full list and description of each scenario that is supported for these multistage attacks, go to https://aka.ms/SentinelFusion.
17 | Severity: High
18 | Enabled: true
19 | Kind: Fusion
20 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AlertAndPlaybooksConnections/CompromisedAccounts.analytics.rule.playbooks.json:
--------------------------------------------------------------------------------
1 | {
2 | "ActionId" : "NonValidIPsOffice365",
3 | "AlertRuleId" : "c75150d3-73be-4bad-884d-58a2c0146569",
4 | "Playbook" : "socdap-[settings('location').Id]m365exportcontent-playbook"
5 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Auditadministratoractionsincludingmailboxcreationanddeletion.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: c899fef1-e6ca-4b26-805b-ab6684118f07
3 | Enabled: true
4 | DisplayName: Audit administrator actions, including mailbox creation and deletion.
5 | Description: ""
6 | Query: "let starttime = 14d;\r\n let endtime = 1d;\r\n let historicalActivity=\r\n OfficeActivity\r\n | where TimeGenerated between(ago(starttime)..ago(endtime))\r\n | where RecordType==\"ExchangeAdmin\" and UserType in (\"Admin\",\"DcAdmin\")\r\n | summarize historicalCount=count() by UserId;\r\n let recentActivity = OfficeActivity\r\n | where TimeGenerated > ago(endtime)\r\n | where UserType in (\"Admin\",\"DcAdmin\")\r\n | summarize recentCount=count() by UserId;\r\n recentActivity | join kind = leftanti (\r\n historicalActivity\r\n ) on UserId\r\n | project UserId,recentCount\r\n | order by recentCount asc, UserId\r\n | join kind = rightsemi \r\n (OfficeActivity \r\n | where TimeGenerated >= ago(endtime) \r\n | where RecordType == \"ExchangeAdmin\" | where UserType in (\"Admin\",\"DcAdmin\")) \r\n on UserId\r\n | summarize count(), min(TimeGenerated), max(TimeGenerated) by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\r\n | extend timestamp = min_TimeGenerated, AccountCustomEntity = UserId\r\n"
7 | SeveritiesFilter:
8 | Severity: High
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 5
13 | Tactics:
14 | - Persistence
15 | EventGroupSettings:
16 | aggregationKind: SingleAlert
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Auditadministratoractionsincludingmailboxcreationanddeletion.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1098.002"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/CreateincidentsbasedonMicrosoftCloudAppSecurityalerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: b3cfc7c0-092c-481c-a55b-34a3979758cb
2 | Id: 23e6e9d9-cf57-4c0b-9e3b-add82ba40444
3 | Enabled: true
4 | DisplayName: Create incidents based on Microsoft Cloud App Security alerts
5 | Description: Create incidents based on all alerts generated in Microsoft Cloud App Security
6 | SeveritiesFilter:
7 | - Medium
8 | - High
9 | DisplayNamesExcludeFilter:
10 | DisplayNamesFilter:
11 | ProductFilter: Microsoft Cloud App Security
12 | Tactics:
13 | Kind: MicrosoftSecurityIncidentCreation
14 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/CreateincidentsbasedonMicrosoftDefenderAdvancedThreatProtectionalerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: 327cd4ed-ca42-454b-887c-54e1c91363c6
2 | Id: fb9d207e-998a-4f59-bccd-d1c27aa31705
3 | Enabled: true
4 | DisplayName: Create incidents based on Microsoft Defender Advanced Threat Protection alerts
5 | Description: Create incidents based on all alerts generated in Microsoft Defender Advanced Threat Protection
6 | SeveritiesFilter:
7 | - High
8 | - Medium
9 | DisplayNamesExcludeFilter:
10 | DisplayNamesFilter:
11 | ProductFilter: Microsoft Defender Advanced Threat Protection
12 | Tactics:
13 | Kind: MicrosoftSecurityIncidentCreation
14 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/CreateincidentsbasedonOffice365AdvancedThreatProtectionalerts.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: ee1d718b-9ed9-4a71-90cd-a483a4f008df
2 | Id: d90a23e3-d0e2-4623-abc9-c6768a0f8970
3 | Enabled: true
4 | DisplayName: Create incidents based on Office 365 Advanced Threat Protection alerts
5 | Description: Create incidents based on all alerts generated in Office 365 Advanced Threat Protection
6 | SeveritiesFilter:
7 | DisplayNamesExcludeFilter:
8 | DisplayNamesFilter:
9 | ProductFilter: Office 365 Advanced Threat Protection
10 | Tactics:
11 | Kind: MicrosoftSecurityIncidentCreation
12 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Emailsforwardingredirectruletoexternalmailbox.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: fafe9bc0-6615-40d4-9d92-fd7fe5132038
3 | Enabled: true
4 | DisplayName: Emails forwarding / redirect rule to external mailbox
5 | Description: ""
6 | Query: "let timeframe = 14d;\r\n OfficeActivity\r\n | where TimeGenerated >= ago(timeframe)\r\n | where (Operation =~ \"Set-Mailbox\" and Parameters contains 'ForwardingSmtpAddress') \r\n or (Operation =~ 'New-InboxRule' and Parameters contains 'ForwardTo')\r\n | extend parsed=parse_json(Parameters)\r\n | extend fwdingDestination_initial = (iif(Operation=~\"Set-Mailbox\", tostring(parsed[1].Value), tostring(parsed[2].Value)))\r\n | where isnotempty(fwdingDestination_initial)\r\n | extend fwdingDestination = iff(fwdingDestination_initial has \"smtp\", (split(fwdingDestination_initial,\":\")[1]), fwdingDestination_initial )\r\n | parse fwdingDestination with * '@' ForwardedtoDomain \r\n | parse UserId with *'@' UserDomain\r\n | extend subDomain = ((split(strcat(tostring(split(UserDomain, '.')[-2]),'.',tostring(split(UserDomain, '.')[-1])), '.') [0]))\r\n | where ForwardedtoDomain !contains subDomain\r\n | extend Result = iff( ForwardedtoDomain != UserDomain ,\"Mailbox rule created to forward to External Domain\", \"Forward rule for Internal domain\")\r\n | extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n | extend Port = case(\r\n ClientIP has \".\", (split(ClientIP,\":\")[1]),\r\n ClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\r\n ClientIP\r\n )\r\n | project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination\r\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer\r\n"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 3
13 | Tactics:
14 | - Collection
15 | EventGroupSettings:
16 | aggregationKind: SingleAlert
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: true
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5M
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Emailsforwardingredirectruletoexternalmailbox.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Collection",
4 | "Techniques": [
5 | "T1114.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/ExchangeAuditLogdisabled.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 3170d27d-0a2e-4bb1-8dc7-05a39fc8e3f4
3 | Enabled: true
4 | DisplayName: Exchange AuditLog disabled
5 | Description: |-
6 | Identifies when Exchange audit logging has been disabled, which may be an adversary attempt
7 | to evade detection or to avoid other defenses.
8 | Query: "OfficeActivity\r\n | where UserType in~ (\"Admin\",\"DcAdmin\") \r\n // Only admin or global-admin can disable audit logging\r\n | where Operation =~ \"Set-AdminAuditLogConfig\" \r\n | extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\r\n | where AdminAuditLogEnabledValue =~ \"False\" \r\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\r\n | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP "
9 | SeveritiesFilter:
10 | Severity: Medium
11 | QueryFrequency: P1D
12 | QueryPeriod: P1D
13 | TriggerOperator: GreaterThan
14 | TriggerThreshold: 0
15 | Tactics:
16 | - DefenseEvasion
17 | EventGroupSettings:
18 | aggregationKind: SingleAlert
19 | SuppressionDuration: PT5H
20 | SuppressionEnabled: false
21 | IncidentConfiguration:
22 | createIncident: true
23 | groupingConfiguration:
24 | enabled: false
25 | reopenClosedIncident: false
26 | lookbackDuration: PT5H
27 | entitiesMatchingMethod: All
28 | groupByEntities: []
29 | EntityMappings:
30 | Kind: Scheduled
31 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/ExchangeAuditLogdisabled.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Defense Evasion",
4 | "Techniques": [
5 | "T1550.001",
6 | "T1550.004"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Externaluseraddedandremovedinshorttimeframe.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 90d06c44-e575-4fc1-a258-9890b27c2073
3 | Enabled: true
4 | DisplayName: External user added and removed in short timeframe
5 | Description: |-
6 | This detection flags occurrences of external user accounts that are added to a Team and then removed within
7 | one hour.
8 | Query: |-
9 | OfficeActivity
10 | | where OfficeWorkload =~ "MicrosoftTeams"
11 | | where Operation =~ "MemberAdded"
12 | | extend UPN = tostring(parse_json(Members)[0].UPN)
13 | | where UPN contains ("#EXT#")
14 | | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName
15 | | join (
16 | OfficeActivity
17 | | where OfficeWorkload =~ "MicrosoftTeams"
18 | | where Operation =~ "MemberRemoved"
19 | | extend UPN = tostring(parse_json(Members)[0].UPN)
20 | | where UPN contains ("#EXT#")
21 | | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName
22 | ) on UPN
23 | | where TimeDeleted > TimeAdded
24 | | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName
25 | | extend timestamp = TimeAdded, AccountCustomEntity = UPN
26 | SeveritiesFilter:
27 | Severity: Medium
28 | QueryFrequency: PT1H
29 | QueryPeriod: PT1H
30 | TriggerOperator: GreaterThan
31 | TriggerThreshold: 0
32 | Tactics:
33 | - Persistence
34 | EventGroupSettings:
35 | aggregationKind: SingleAlert
36 | SuppressionDuration: PT5H
37 | SuppressionEnabled: false
38 | IncidentConfiguration:
39 | createIncident: true
40 | groupingConfiguration:
41 | enabled: false
42 | reopenClosedIncident: false
43 | lookbackDuration: PT5H
44 | entitiesMatchingMethod: All
45 | groupByEntities: []
46 | EntityMappings:
47 | - entityType: Account
48 | fieldMappings:
49 | - identifier: FullName
50 | columnName: AccountCustomEntity
51 | Kind: Scheduled
52 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Externaluseraddedandremovedinshorttimeframe.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1098.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/MailredirectviaExOtransportrule.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 04f1c8cd-c62d-456b-9f92-5a172a35ff79
3 | Enabled: true
4 | DisplayName: Mail redirect via ExO transport rule
5 | Description: |-
6 | Identifies when an Exchange Online transport rule is configured to forward emails.
7 | This could be an adversary mailbox configured to collect mail from multiple user accounts.
8 | Query: " OfficeActivity\r\n | where OfficeWorkload == \"Exchange\"\r\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\r\n | extend p = parse_json(Parameters)\r\n | extend RuleName = case(\r\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\r\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\r\n \"Unknown\"\r\n ) \r\n | mvexpand p\r\n | where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\r\n | extend RedirectTo = p.Value\r\n | extend ClientIPOnly = case( \r\n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), \r\n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), \r\n ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\r\n ClientIP\r\n ) \r\n | extend Port = case(\r\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\r\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\r\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\r\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\r\n ClientIP\r\n )\r\n | extend ClientIP = ClientIPOnly\r\n | project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\r\n | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP "
9 | SeveritiesFilter:
10 | Severity: Medium
11 | QueryFrequency: P1D
12 | QueryPeriod: P1D
13 | TriggerOperator: GreaterThan
14 | TriggerThreshold: 0
15 | Tactics:
16 | - Collection
17 | - Exfiltration
18 | EventGroupSettings:
19 | aggregationKind: SingleAlert
20 | SuppressionDuration: PT5H
21 | SuppressionEnabled: false
22 | IncidentConfiguration:
23 | createIncident: true
24 | groupingConfiguration:
25 | enabled: false
26 | reopenClosedIncident: false
27 | lookbackDuration: PT5H
28 | entitiesMatchingMethod: All
29 | groupByEntities: []
30 | EntityMappings:
31 | Kind: Scheduled
32 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/MailredirectviaExOtransportrule.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Collection",
4 | "Techniques": [
5 | "T1114.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/MaliciousInboxRule.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 2a062032-e7b6-4e14-a981-b4493e5ef4e1
3 | Enabled: true
4 | DisplayName: Malicious Inbox Rule
5 | Description: "Often, after the initial compromise, attackers create inbox rules to delete emails that contain certain keywords. \n This is done to limit the ability to warn compromised users that they have been compromised. Below is a sample query that tries to detect this.\n Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/"
6 | Query: "let Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\n OfficeActivity\r\n | where Operation =~ \"New-InboxRule\"\r\n | where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" \r\n | extend Events=todynamic(Parameters)\r\n | parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n | parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n | parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n | where SubjectContainsWords has_any (Keywords)\r\n or BodyContainsWords has_any (Keywords)\r\n or SubjectOrBodyContainsWords has_any (Keywords)\r\n | extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n | extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\r\n | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\r\n | extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: P1D
10 | QueryPeriod: P1D
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - Persistence
15 | EventGroupSettings:
16 | aggregationKind: SingleAlert
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/MaliciousInboxRule.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1137.005"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/MalwareDetectionbySharePointAVEngine.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: dde4bf65-fc1d-4b09-9c65-b939eef2bd82
3 | Enabled: true
4 | DisplayName: 'Malware Detection by SharePoint AV Engine'
5 | Description: 'Malware Detection by SharePoint AV Engine'
6 | Query: OfficeActivity | where (Operation == "FileMalwareDetected")
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | EventGroupSettings:
15 | SuppressionDuration: PT1H
16 | SuppressionEnabled: false
17 | IncidentConfiguration:
18 | createIncident: true
19 | groupingConfiguration:
20 | enabled: false
21 | reopenClosedIncident: false
22 | lookbackDuration: PT5M
23 | entitiesMatchingMethod: All
24 | groupByEntities: []
25 | EntityMappings:
26 | Kind: Scheduled
27 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/Multipleusersemailforwardedtosamedestination.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Collection",
4 | "Techniques": [
5 | "T1114.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/NewAdminaccountactivityseenwhichwasnotseenhistorically.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 73e5ebb3-8b1e-4bf1-97bf-167935601a0b
3 | Enabled: true
4 | DisplayName: New Admin account activity seen which was not seen historically
5 | Description: New Admin account activity seen which was not seen historically
6 | Query: "let starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity=\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType==\"ExchangeAdmin\" and UserType in (\"Admin\",\"DcAdmin\")\n| summarize historicalCount=count() by UserId;\nlet recentActivity = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where UserType in (\"Admin\",\"DcAdmin\")\n| summarize recentCount=count() by UserId;\nrecentActivity | join kind = leftanti (\n historicalActivity\n) on UserId\n| project UserId,recentCount\n| order by recentCount asc, UserId\n| join kind = rightsemi \n(OfficeActivity \n| where TimeGenerated >= ago(endtime) \n| where RecordType == \"ExchangeAdmin\" | where UserType in (\"Admin\",\"DcAdmin\")) \non UserId\n| summarize count(), min(TimeGenerated), max(TimeGenerated) by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus\n| extend timestamp = min_TimeGenerated, AccountCustomEntity = UserId"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - Persistence
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/NewAdminaccountactivityseenwhichwasnotseenhistorically.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1098.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/RareandpotentiallyhighriskOfficeoperations.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 93506ad6-ad82-451e-97d6-f277db2799b7
3 | Enabled: true
4 | DisplayName: Rare and potentially high-risk Office operations
5 | Description: ""
6 | Query: |-
7 | OfficeActivity
8 | | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment")
9 | and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
10 | | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
11 | SeveritiesFilter:
12 | Severity: Medium
13 | QueryFrequency: P1D
14 | QueryPeriod: P1D
15 | TriggerOperator: GreaterThan
16 | TriggerThreshold: 0
17 | Tactics:
18 | - Collection
19 | - Persistence
20 | EventGroupSettings:
21 | aggregationKind: SingleAlert
22 | SuppressionDuration: PT5H
23 | SuppressionEnabled: false
24 | IncidentConfiguration:
25 | createIncident: true
26 | groupingConfiguration:
27 | enabled: false
28 | reopenClosedIncident: false
29 | lookbackDuration: PT5H
30 | entitiesMatchingMethod: All
31 | groupByEntities: []
32 | EntityMappings:
33 | Kind: Scheduled
34 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/RareandpotentiallyhighriskOfficeoperations.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1098.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/SuspiciousAuditConfigurationPolicyOperations.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: b55ebc27-68cb-4a26-acad-dde8d87ef041
3 | Enabled: true
4 | DisplayName: Suspicious Audit Configuration Policy Operations
5 | Description: ""
6 | Query: |-
7 | OfficeActivity | where (Operation == "Remove-AuditConfigurationPolicy")
8 | SeveritiesFilter:
9 | Severity: Medium
10 | QueryFrequency: PT15M
11 | QueryPeriod: PT15M
12 | TriggerOperator: GreaterThan
13 | TriggerThreshold: 3
14 | Tactics:
15 | - Persistence
16 | EventGroupSettings:
17 | aggregationKind: SingleAlert
18 | SuppressionDuration: PT5H
19 | SuppressionEnabled: false
20 | IncidentConfiguration:
21 | createIncident: true
22 | groupingConfiguration:
23 | enabled: true
24 | reopenClosedIncident: false
25 | lookbackDuration: PT15M
26 | entitiesMatchingMethod: All
27 | groupByEntities: []
28 | EntityMappings:
29 | Kind: Scheduled
30 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/SuspiciousAuditConfigurationPolicyOperations.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1098.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/SuspiciousThreatProtectionChanges.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 56f6cb42-3025-433f-a5a3-1afc06c4cf02
3 | Enabled: true
4 | DisplayName: Suspicious Threat Protection Changes
5 | Description: ""
6 | Query: |-
7 | OfficeActivity | where (Operation == "Disable-AntiPhishRule" or Operation == "Disable-SafeAttachmentRule" or Operation == "Disable-SafeLinksRule" or Operation == "Remove-AntiPhishPolicy" or Operation == "Remove-AntiPhishRule" or Operation == "Remove-SafeAttachmentPolicy" or Operation == "Remove-SafeAttachmentRule" or Operation == "Remove-SafeLinksPolicy" or Operation == "Remove-SafeLinksRule")
8 | SeveritiesFilter:
9 | Severity: High
10 | QueryFrequency: PT1H
11 | QueryPeriod: PT1H
12 | TriggerOperator: GreaterThan
13 | TriggerThreshold: 0
14 | Tactics: []
15 | EventGroupSettings:
16 | aggregationKind: SingleAlert
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
27 | EntityMappings:
28 | Kind: Scheduled
29 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/AnalyticsRules/SuspiciousapplicationconsentsimilartoO365AttackToolkit.mitre.manifest copy.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Lateral Movement",
4 | "Techniques": [
5 | "T1550.001"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/Playbooks/Office365.SecurityAndCompliance.LogicApp.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "Name": {
6 | "value": "socdap-[settings('location').Id]m365exportcontent-playbook"
7 | },
8 | "AutomationAccount" : {
9 | "value": "[settings('azureautomation').Name]"
10 | },
11 | "SentinelConnectionId": {
12 | "value": "[settings('azuresentinel').Id]"
13 | },
14 | "SentinelManagedIdentity": {
15 | "value": "[settings('managedidentity').Name]"
16 | },
17 | "Location": {
18 | "value": "[settings('location').Name]"
19 | }
20 | }
21 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/Runbooks/Office365.Compliance.Case.ps1:
--------------------------------------------------------------------------------
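<#
.SYNOPSIS
    Creates and starts a Security & Compliance content search over one user's mailbox.

.DESCRIPTION
    Connects to the Security & Compliance PowerShell endpoint, removes any earlier
    search that used the same name, then creates and starts a new compliance search
    matching mail sent or received by the account inside the requested window.
    Existing PowerShell remoting sessions are removed before connecting and again
    when the script ends, even when the connection or the search creation fails.

.PARAMETER AccountUserPrincipalName
    UPN of the mailbox to search. It is used both as the Exchange location of the
    search and as part of the search name.

.PARAMETER StartDate
    Lower bound (inclusive) of the sent/received window. Defaults to one day before now.

.PARAMETER EndDate
    Upper bound (exclusive) of the sent/received window. Defaults to now.

.NOTES
    NOTE(review): Get-Credential prompts interactively. When this script runs as an
    unattended runbook the prompt cannot be answered; a stored credential would be
    needed instead — confirm how this runbook is meant to obtain its credentials.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $AccountUserPrincipalName,
    [Parameter(Mandatory = $false)]
    [datetime]
    $StartDate = (Get-Date).AddDays(-1),
    [Parameter(Mandatory = $false)]
    [datetime]
    $EndDate = (Get-Date)
)

# Start from a clean slate so a stale remoting session cannot be reused.
Get-PSSession | Remove-PSSession
$Credential = Get-Credential

try {
    # Connect inside the try block so the finally clause also removes a
    # half-established session when the connection attempt fails.
    Connect-IPPSSession -Credential $Credential

    $SearchName = "Search for Compromised Account $($AccountUserPrincipalName) between $StartDate and $EndDate"
    # Keyword query: mail either sent or received inside [StartDate, EndDate).
    # NOTE(review): the dates are interpolated using the session's current culture;
    # the date format the search service accepts is not confirmed here.
    $OnlyMailsMatchQuery = "(sent>=`"$($StartDate)`" AND sent<`"$($EndDate)`") OR (received>=`"$($StartDate)`" AND received<`"$($EndDate)`")"
    $Locations = @($AccountUserPrincipalName)

    # A search with this name may be left over from an earlier run; stop and
    # remove it so New-ComplianceSearch does not fail on a duplicate name.
    $Search = Get-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue
    if ($null -ne $Search) {
        Stop-ComplianceSearch -Identity $SearchName -ErrorAction SilentlyContinue -Force
        Remove-ComplianceSearch -Identity $SearchName -Confirm:$false -ErrorAction SilentlyContinue
    }

    New-ComplianceSearch -Name $SearchName -ExchangeLocation $Locations -ContentMatchQuery $OnlyMailsMatchQuery -Force -AllowNotFoundExchangeLocationsEnabled $true -ErrorAction Stop
    # -ErrorAction Stop so a search that cannot be started terminates the script
    # instead of being reported as a non-terminating error and otherwise ignored.
    Start-ComplianceSearch -Identity $SearchName -ErrorAction Stop
}
finally {
    Get-PSSession | Remove-PSSession
}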
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Office 365/Runbooks/Office365.Compliance.Case.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = 'Office 365 Search'
3 | Type = 'PowerShell'
4 | Description = ''
5 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Quickstart/AnalyticsRules/QuickstartRule.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: d7278191-3928-4aea-805d-e3a88e1abeb3
3 | Enabled: true
4 | DisplayName: Quickstart Rule
5 | Description: Description text
6 | Query: |+
7 | SigninLogs
8 | SeveritiesFilter:
9 | Severity: Medium
10 | QueryFrequency: PT5H
11 | QueryPeriod: PT5H
12 | TriggerOperator: GreaterThan
13 | TriggerThreshold: 0
14 | Tactics:
15 | - Execution
16 | - DefenseEvasion
17 | EventGroupSettings:
18 | aggregationKind: SingleAlert
19 | SuppressionDuration: PT5H
20 | SuppressionEnabled: false
21 | IncidentConfiguration:
22 | createIncident: true
23 | groupingConfiguration:
24 | enabled: false
25 | reopenClosedIncident: false
26 | lookbackDuration: PT5H
27 | entitiesMatchingMethod: All
28 | groupByEntities: []
29 | EntityMappings:
30 | Kind: Scheduled
31 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Readme.md:
--------------------------------------------------------------------------------
1 | ## Sentinel Scenarios based on Threat Scenarios
2 |
3 | The scenarios are organised around the tactics and techniques defined by MITRE ATT&CK.
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/AnalyticsRules/Azurestoragekeyenumeration.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 61589c93-1f81-45e1-b83f-fb2fbc5d3036
3 | Enabled: true
4 | DisplayName: Azure storage key enumeration
5 | Description: Azure storage key enumeration
6 | Query: "let timeframe = 5m;\nAzureActivity\n| where TimeGenerated >= ago(timeframe)\n| where OperationName == \"List Storage Account Keys\"\n| where ActivityStatus == \"Succeeded\" \n| join kind= inner (\n AzureActivity\n | where TimeGenerated >= ago(timeframe)\n | where OperationName == \"List Storage Account Keys\"\n | where ActivityStatus == \"Succeeded\" \n | project ExpectedIpAddress=CallerIpAddress, Caller \n | evaluate autocluster()\n) on Caller \n| where CallerIpAddress != ExpectedIpAddress\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ResourceIds = makeset(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationName, Caller, CallerIpAddress\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress"
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - Discovery
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/AnalyticsRules/Azurestoragekeyenumeration.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Discovery",
4 | "Techniques": [
5 | "T1526"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/AnalyticsRules/DetectMalwareinblobcontainer.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: ec86e96a-530b-423e-90c9-b1db976da348
3 | Enabled: true
4 | DisplayName: Detect Malware in blob container
5 | Description: ""
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where AlertName == "Potential malware uploaded to a storage blob container"
10 | | extend Address_ = tostring(parse_json(Entities)[1].Address)
11 | |extend fileURL = strcat("https://", CompromisedEntity ,".blob.core.windows.net/", tostring(parse_json(Entities)[3].Directory) ,"/", tostring(parse_json(Entities)[3].Name) )
12 | | extend AccountCustomEntity = ResourceId
13 | | extend IPCustomEntity = Address_
14 | | extend URLCustomEntity = fileURL
15 | SeveritiesFilter:
16 | Severity: High
17 | QueryFrequency: PT5M
18 | QueryPeriod: PT5M
19 | TriggerOperator: GreaterThan
20 | TriggerThreshold: 0
21 | Tactics:
22 | - Impact
23 | EventGroupSettings:
24 | aggregationKind: AlertPerResult
25 | SuppressionDuration: PT5H
26 | SuppressionEnabled: false
27 | IncidentConfiguration:
28 | createIncident: true
29 | groupingConfiguration:
30 | enabled: false
31 | reopenClosedIncident: false
32 | lookbackDuration: PT5H
33 | entitiesMatchingMethod: All
34 | groupByEntities: []
35 | EntityMappings:
36 | Kind: Scheduled
37 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/AnalyticsRules/DetectMalwareinblobcontainer.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Persistence",
4 | "Techniques": [
5 | "T1525"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/Playbooks/Remove_Malware.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-[settings('location').Id]removemalware-playbook"
7 | },
8 | "SentinelConnectionId": {
9 | "value": "[settings('azuresentinel').Id]"
10 | },
11 | "SentinelManagedIdentity": {
12 | "value": "[settings('managedidentity').Name]"
13 | },
14 | "AutomationAccount": {
15 | "value": "[settings('azureautomation').Name]"
16 | },
17 | "Location": {
18 | "value": "[settings('location').Name]"
19 | }
20 | }
21 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Storage Account/Runbooks/RemoveMalware.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = 'Remove Malware'
3 | Type = 'PowerShell'
4 | Description = 'Remove Malware'
5 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/AnomalousRDPLoginDetections.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName: 737a2ce1-70a3-4968-9e90-3e6aca836abf
2 | Id: c0563a32-e799-48af-8fe7-ff991d772c7c
3 | Enabled: true
4 | DisplayName: (Preview) Anomalous RDP Login Detections
5 | Description: |-
6 | This detection uses machine learning (ML) to identify anomalous Remote Desktop Protocol (RDP) login activity, based on Windows Security Event data. Scenarios include:
7 |
8 | * Unusual IP - This IP address has not been seen, or has only rarely been seen, in the last 30 days.
9 | * Unusual Geo - The IP address, city, country and ASN have not (or rarely) been seen in last 30 days.
10 | * New user - A new user logs in from an IP address and geo location, both or either of which are not expected to be seen in the last 30 days.
11 |
12 | Allow 7 days after this alert is enabled for Azure Sentinel to build a profile of normal activity for your environment.
13 |
14 | This detection requires a specific configuration of the data source. [Learn more](https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events)
15 | Severity: Medium
16 | Tactics:
17 | - InitialAccess
18 | Kind: MLBehaviorAnalytics
19 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/AnomalousRDPLoginDetections.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.003",
6 | "T1078.002"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/CreationofexpensivecomputesinAzure.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 6519a26a-0662-46f9-98f3-572afe1a33f8
3 | Enabled: true
4 | DisplayName: Creation of expensive computes in Azure
5 | Description: "Identifies the creation of large/expensive VMs (GPU-enabled or with a large number of virtual CPUs) in Azure.\n An adversary may create new VMs or update existing VM sizes to evade defenses \n or use them for cryptomining purposes.\n For Windows/Linux VM sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \n Azure VM naming conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions"
6 | Query: "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\r\n let operationList = dynamic([\"Create or Update Virtual Machine\", \"Create Deployment\"]);\r\n AzureActivity\r\n | where OperationName in (operationList)\r\n | where ActivityStatus == \"Accepted\" \r\n | where isnotempty(Properties)\r\n | extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\r\n | where isnotempty(vmSize)\r\n | where vmSize has_any (tokens) \r\n | extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\r\n | extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\r\n | project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSize\r\n | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress"
# Scheduling/triggering for "Creation of expensive computes in Azure" (AzureActivity-based).
7 | SeveritiesFilter:
8 | Severity: Medium
# Frequency and period are both one day, so the daily run sees exactly the data it needs.
9 | QueryFrequency: P1D
10 | QueryPeriod: P1D
# NOTE(review): GreaterThan 1 means the rule only alerts when the daily run returns two or
# more rows; a single large-VM creation in a day never alerts — confirm that is intended.
# NOTE(review): the query extends clientIpAddress and then projects only CallerIpAddress,
# so that extend is dead; the IP entity comes from CallerIpAddress.
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 1
# NOTE(review): the sibling .mitre.manifest.json pairs this rule with T1078.002 (Valid
# Accounts) while the description talks about cryptomining; worth re-checking the mapping.
13 | Tactics:
14 | - DefenseEvasion
15 | EventGroupSettings:
16 | aggregationKind: SingleAlert
17 | SuppressionDuration: PT5H
18 | SuppressionEnabled: false
19 | IncidentConfiguration:
20 | createIncident: true
21 | groupingConfiguration:
22 | enabled: false
23 | reopenClosedIncident: false
24 | lookbackDuration: PT5H
25 | entitiesMatchingMethod: All
26 | groupByEntities: []
# Explicit entity mappings for the AccountCustomEntity / IPCustomEntity columns the query emits.
27 | EntityMappings:
28 | - entityType: Account
29 | fieldMappings:
30 | - identifier: FullName
31 | columnName: AccountCustomEntity
32 | - entityType: IP
33 | fieldMappings:
34 | - identifier: Address
35 | columnName: IPCustomEntity
36 | Kind: Scheduled
37 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/CreationofexpensivecomputesinAzure.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Defense Evasion",
4 | "Techniques": [
5 | "T1078.002"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/Failedlogonattemptsbyvalidaccountswithin10mins.mitre.manifest copy.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/HostsWithNewLogons.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 6a3e9f5c-348a-4c2e-a8ef-ffab8653b24f
3 | Enabled: true
4 | DisplayName: Hosts With New Logons
5 | Description: Hosts With New Logons
6 | Query: "let starttime = 7d;\n let endtime = 1d;\n let LogonEvents=() { \n let logonSuccess=SecurityEvent \n | where EventID==4624 \n | project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='Logon';\n let logonFail=SecurityEvent \n | where EventID==4625 \n | project TimeGenerated, ComputerName=Computer, AccountName=TargetUserName, AccountDomain=TargetDomainName, IpAddress, ActionType='LogonFailure';\n logonFail \n | union logonSuccess\n };\n LogonEvents \n | where TimeGenerated > ago(endtime) \n | where ActionType == 'Logon' \n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by ComputerName, AccountName \n | join kind=leftanti ( \n LogonEvents \n | where TimeGenerated between(ago(starttime)..ago(endtime)) \n | where ActionType == 'Logon' \n | summarize count() by ComputerName, AccountName \n ) on ComputerName, AccountName \n | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), HostCount=dcount(ComputerName), HostSet=makeset(ComputerName, 10) by AccountName, ComputerName\n | extend timestamp = StartTimeUtc, AccountCustomEntity = AccountName"
# Scheduling/triggering for "Hosts With New Logons" (SecurityEvent 4624/4625).
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
# NOTE(review): the query baselines on ago(7d)..ago(1d) with a leftanti join, but a
# 5-minute QueryPeriod only hands it the last 5 minutes of SecurityEvent, so the baseline
# side is presumably always empty and every logon in the window is reported as "new" —
# confirm and align QueryPeriod with the 7d lookback.
# NOTE(review): the final summarize groups by ComputerName as well as AccountName, so
# HostCount (dcount(ComputerName)) is always 1 and HostSet holds a single host.
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
# NOTE(review): empty — the query sets AccountCustomEntity but nothing maps it; presumably
# relies on the legacy *CustomEntity column convention. Map it explicitly as
# CreationofexpensivecomputesinAzure.analytics.rule.yaml does — confirm.
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/HostsWithNewLogons.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/MultipleFailedFollowedBySuccess.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 072e9bab-0252-486d-8392-6ab31aa2875f
3 | Enabled: true
4 | DisplayName: Multiple Failed Followed By Success
5 | Description: Multiple Failed Followed By Success
6 | Query: "let timeRange = 6h;\n let authenticationWindow = 1h;\n let authenticationThreshold = 5;\n SecurityEvent\n | where TimeGenerated > ago(timeRange)\n | where EventID == 4624 or EventID == 4625\n | where IpAddress != \"-\" and isnotempty(Account)\n | extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n // bin outcomes into 5 minute windows to reduce the volume of data\n | summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n | project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n // sort ready for sessionizing - by account and time of the authentication outcome\n | sort by Account asc, TimeGenerated asc\n | serialize \n // sessionize into failure groupings until either the account changes or there is a success\n | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n // count the failures in each session\n | summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\n // the session must not start with a success, and must end with one\n | where array_index_of(list_Outcome, \"Success\") != 0\n | where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n | project-away SessionStartedUtc, list_Outcome \n // where the number of failures before the success is above the threshold \n | where FailureCountBeforeSuccess >= authenticationThreshold\n // expand out ip and computer for customer entity assignment\n | mvexpand set_IpAddress, set_Computer\n | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n | extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress"
# Scheduling/triggering for "Multiple Failed Followed By Success" (sessionised 4625 -> 4624).
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
# NOTE(review): the query declares timeRange = 6h and sessionises failures over an
# authenticationWindow of 1h, but a 5-minute QueryPeriod only exposes the last 5 minutes
# of SecurityEvent, so a failure run followed by a success more than 5 minutes apart
# presumably cannot be seen in one run — confirm and align QueryPeriod with timeRange.
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - CredentialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
# NOTE(review): empty — the query emits AccountCustomEntity, HostCustomEntity and
# IPCustomEntity but none is mapped here; presumably relies on the legacy column
# convention. Map them explicitly as CreationofexpensivecomputesinAzure.analytics.rule.yaml does — confirm.
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/MultipleFailedFollowedBySuccess.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/NetworkServiceScanning.analytics.rule.yaml:
--------------------------------------------------------------------------------
# "Network Service Scanning": re-raises a Defender for Cloud (ProductName "Azure Security
# Center") port-scanning alert from the SecurityAlert table as a Sentinel incident.
1 | AlertRuleTemplateName:
2 | Id: 4ff141aa-ffae-4d58-a554-539b1ac386a7
3 | Enabled: true
4 | DisplayName: Network Service Scanning
5 | Description: Possible outgoing port scanning activity detected
# The block scalar below is the whole query; keep no comment lines inside it.
6 | Query: |-
7 | SecurityAlert
8 | | where ProductName == "Azure Security Center"
9 | | where AlertName == "Possible outgoing port scanning activity detected"
10 | SeveritiesFilter:
11 | Severity: Medium
12 | QueryFrequency: PT5M
# NOTE(review): the 6-minute period overlaps the 5-minute frequency by one minute, so the
# same SecurityAlert row can be returned by two consecutive runs; with SuppressionEnabled
# false and incident grouping disabled below, that presumably yields duplicate incidents — confirm.
# NOTE(review): if a Microsoft Security incident-creation rule already covers Defender for
# Cloud alerts in this workspace, this rule duplicates it — confirm.
13 | QueryPeriod: PT6M
14 | TriggerOperator: GreaterThan
15 | TriggerThreshold: 0
16 | Tactics:
17 | - Discovery
18 | EventGroupSettings:
19 | SuppressionDuration: PT5H
20 | SuppressionEnabled: false
21 | IncidentConfiguration:
22 | createIncident: true
23 | groupingConfiguration:
24 | enabled: false
25 | reopenClosedIncident: false
26 | lookbackDuration: PT5H
27 | entitiesMatchingMethod: All
28 | groupByEntities: []
# Maps the SecurityAlert ResourceId column to an AzureResource entity.
29 | EntityMappings:
30 | - entityType: AzureResource
31 | fieldMappings:
32 | - identifier: ResourceId
33 | columnName: ResourceId
34 | Kind: Scheduled
35 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/NetworkServiceScanning.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Discovery",
4 | "Techniques": [
5 | "T1049"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/RDPMultipleConnectionsFromSingleSystem.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: efa5ab1a-26ce-463b-ae5d-f62d9ab63341
3 | Enabled: true
4 | DisplayName: RDP Multiple Connections From Single System
5 | Description: RDP Multiple Connections From Single System
6 | Query: "let endtime = 1d;\n let starttime = 8d;\n let threshold = 2.0;\n SecurityEvent\n | where TimeGenerated >= ago(endtime) \n | where EventID == 4624 and LogonType == 10\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \n by Account, IpAddress, AccountType, Activity, LogonTypeName\n | join kind=inner (\n SecurityEvent\n | where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n | where EventID == 4624 and LogonType == 10\n | summarize ComputerCountPrev7Days = dcount(Computer) by Account, IpAddress\n ) on Account, IpAddress\n | extend Ratio = ComputerCountToday/(ComputerCountPrev7Days*1.0)\n // Where the ratio of today to previous 7 days is more than double.\n | where Ratio > threshold\n | project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress"
# Scheduling/triggering for "RDP Multiple Connections From Single System" (4624, LogonType 10).
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
# NOTE(review): the query compares the last day against ago(8d)..ago(1d) with an inner
# join, but a 5-minute QueryPeriod only exposes the last 5 minutes of SecurityEvent, so
# the 7-day side is presumably always empty, the inner join never matches and the rule
# never fires — confirm and align QueryPeriod with starttime (8d).
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - InitialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
# NOTE(review): empty — the query emits AccountCustomEntity and IPCustomEntity but nothing
# maps them; presumably relies on the legacy column convention. Map them explicitly as
# CreationofexpensivecomputesinAzure.analytics.rule.yaml does — confirm.
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/RDPMultipleConnectionsFromSingleSystem.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.003",
6 | "T1078.002"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/RDPNesting.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.003",
6 | "T1078.002"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/RDPRareConnection.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 0e047e8c-0ae3-4687-982a-bb8cedc0f589
3 | Enabled: true
4 | DisplayName: RDP Rare Connection
5 | Description: RDP Rare Connection
6 | Query: "let starttime = 14d;\n let endtime = 1d;\n SecurityEvent\n | where TimeGenerated >= ago(endtime) \n | where EventID == 4624 and LogonType == 10\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \n by Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n // use left anti to exclude anything from the previous 14 days that is not rare\n | join kind=leftanti (\n SecurityEvent\n | where TimeGenerated between (ago(starttime) .. ago(endtime))\n | where EventID == 4624\n | summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\n ) on Account, Computer\n | summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \n by Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress"
# Scheduling/triggering for "RDP Rare Connection" (4624, LogonType 10, leftanti against 14d).
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
# NOTE(review): the query excludes Account/Computer pairs seen in ago(14d)..ago(1d) with
# a leftanti join, but a 5-minute QueryPeriod only exposes the last 5 minutes of
# SecurityEvent, so the 14-day side is presumably always empty and every RDP logon in the
# window is reported as rare — confirm and align QueryPeriod with starttime (14d).
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - InitialAccess
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
# NOTE(review): empty — the query emits AccountCustomEntity, HostCustomEntity and
# IPCustomEntity but none is mapped; presumably relies on the legacy column convention.
# Map them explicitly as CreationofexpensivecomputesinAzure.analytics.rule.yaml does — confirm.
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/RDPRareConnection.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Initial Access",
4 | "Techniques": [
5 | "T1078.003",
6 | "T1078.002"
7 | ]
8 | }
9 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/SuspiciousResourcedeployment.analytics.rule.yaml:
--------------------------------------------------------------------------------
1 | AlertRuleTemplateName:
2 | Id: 363ae7ee-27ef-4861-be00-0deacce439f6
3 | Enabled: true
4 | DisplayName: Suspicious Resource deployment
5 | Description: Suspicious Resource deployment
6 | Query: "let szOperationNames = dynamic([\"Create or Update Virtual Machine\", \"Create Deployment\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = AzureActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName in~ (szOperationNames)\n| project ResourceGroup, Caller, OperationName, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| where TimeGenerated > ago(endtime)\n| where OperationName in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatus = makeset(ActivityStatus), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationName, Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller desc nulls last"
# Scheduling/triggering for "Suspicious Resource deployment" (AzureActivity, rare callers).
7 | SeveritiesFilter:
8 | Severity: Medium
9 | QueryFrequency: PT5M
# NOTE(review): the query treats a caller as rare when it is absent from
# ago(14d)..ago(1d) (rightantisemi join), but a 5-minute QueryPeriod only exposes the
# last 5 minutes of AzureActivity, so the 14-day side is presumably always empty and every
# deploying caller is reported — confirm and align QueryPeriod with starttime (14d).
10 | QueryPeriod: PT5M
11 | TriggerOperator: GreaterThan
12 | TriggerThreshold: 0
13 | Tactics:
14 | - Impact
15 | EventGroupSettings:
16 | SuppressionDuration: PT1H
17 | SuppressionEnabled: false
18 | IncidentConfiguration:
19 | createIncident: true
20 | groupingConfiguration:
21 | enabled: false
22 | reopenClosedIncident: false
23 | lookbackDuration: PT5M
24 | entitiesMatchingMethod: All
25 | groupByEntities: []
# NOTE(review): empty — the query emits AccountCustomEntity and IPCustomEntity but nothing
# maps them; presumably relies on the legacy column convention. Map them explicitly as
# CreationofexpensivecomputesinAzure.analytics.rule.yaml does — confirm.
26 | EntityMappings:
27 | Kind: Scheduled
28 |
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/SuspiciousResourcedeployment.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Impact",
4 | "Techniques": [
5 | "T1499"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/SuspiciousWindowsLoginoutsidenormalhours.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Credential Access",
4 | "Techniques": [
5 | "T1110.003"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/AnalyticsRules/Suspiciousnumberofresourcecreationordeploymentactivities.mitre.manifest.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "Tactic" : "Impact",
4 | "Techniques": [
5 | "T1499"
6 | ]
7 | }
8 | ]
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/Playbooks/Chain_of_Custody.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-[settings('location').Id]chainofcustody-playbook"
7 | },
8 | "AutomationAccount" : {
9 | "value": "[settings('azureautomation').Name]"
10 | },
11 | "sentinelConnectionId": {
12 | "value": "[settings('azuresentinel').Id]"
13 | },
14 | "sentinelManagedIdentity": {
15 | "value": "[settings('managedidentity').Name]"
16 | },
17 | "office365ConnectionId": {
18 | "value": "[settings('office365').Id]"
19 | },
20 | "location": {
21 | "value": "[settings('location').Name]"
22 | },
23 | "keyVaultConnectionId": {
24 | "value": "[settings('keyvault').Id]"
25 | }
26 | }
27 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/Playbooks/Sentinel_Mail_Notification.parameters.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "value": "socdap-[settings('location').Id]sentinelmailnotification-playbook"
7 | },
8 | "SentinelConnectionId": {
9 | "value": "[settings('azuresentinel').Id]"
10 | },
11 | "SentinelManagedIdentity": {
12 | "value": "[settings('managedidentity').Name]"
13 | },
14 | "AzureADConnectionId": {
15 | "value": "[settings('azuread').Id]"
16 | },
17 | "Microsoft365ConnectionId": {
18 | "value": "[settings('office365').Id]"
19 | },
20 | "EmailNotification": {
21 | "value": "contoso@Contoso.com"
22 | },
23 | "Location": {
24 | "value": "[settings('location').Name]"
25 | }
26 | }
27 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/Runbooks/Copy-DigitalEvidenceVmLinux.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = 'Copy-DigitalEvidenceVmLinux'
3 | Type = 'PowerShell'
4 | Description = 'Copy Digital Evidence Linux'
5 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/Runbooks/Copy-DigitalEvidenceVmWindows.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = 'Copy-DigitalEvidenceVmWindows'
3 | Type = 'PowerShell'
4 | Description = 'Copy Digital Evidence Windows'
5 | }
--------------------------------------------------------------------------------
/Sentinel/mitre-use-cases/Virtual Machines/Runbooks/VMBlock_IP.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = 'Block VM IP'
3 | Type = 'PowerShell'
4 | Description = 'Block VM IP'
5 | }
--------------------------------------------------------------------------------
/src/Build/Artifacts/Scripts/Azure.Mitre.Manifest.Generation.ps1:
--------------------------------------------------------------------------------
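<#
.SYNOPSIS
    Flattens every *.mitre.manifest.json under a path into one CSV row per technique.
.DESCRIPTION
    Each manifest is a JSON array of { Tactic, Techniques[] } objects. For every
    technique one row is emitted: Scenario (grand-parent directory name), Kind
    (parent directory name), Artifact (file name), Name (file name without the
    ".mitre.manifest.json" suffix), Tactic and Technique.
    Only names ending exactly in ".mitre.manifest.json" are picked up; a stray
    "... .mitre.manifest copy.json" (one exists under Virtual Machines/AnalyticsRules)
    is silently skipped.
.PARAMETER Path
    Root directory searched recursively for manifests.
.PARAMETER OutputPath
    Destination CSV file (Out-File default encoding; overwritten if present).
.PARAMETER ShowReport
    Also print Scenario/Name/Tactic/Technique as a table.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [string]
    $OutputPath,
    [Parameter(Mandatory = $false)]
    [switch]
    $ShowReport
)

$ManifestItems = Get-ChildItem -Path $Path -Include @("*.mitre.manifest.json") -Recurse

# Collect rows from the loop output instead of "$array += $row", which re-allocates
# the array on every append (quadratic for large manifest sets).
$ManifestArray = @(foreach ($File in $ManifestItems) {
    $ManifestItem = Get-Content -Path $File.FullName -Raw | ConvertFrom-Json
    foreach ($Manifest in $ManifestItem) {
        foreach ($Technique in $Manifest.Techniques) {
            [PSCustomObject]@{
                Scenario  = $File.Directory.Parent.Name
                Kind      = (Split-Path $File.Directory -Leaf)
                Artifact  = $File.Name
                Name      = $File.Name.Replace(".mitre.manifest.json", [string]::Empty)
                Tactic    = $Manifest.Tactic
                Technique = $Technique
            }
        }
    }
})

if ($ShowReport) {
    $ManifestArray | Format-Table Scenario, Name, Tactic, Technique
}

$ManifestArray | ConvertTo-Csv -Delimiter "," -NoTypeInformation | Out-File -FilePath $OutputPath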
--------------------------------------------------------------------------------
/src/Build/Framework/Powershell.Modules.Build.ps1:
--------------------------------------------------------------------------------
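<#
.SYNOPSIS
    Stages a PowerShell module tree into an output folder and stamps its version.
.DESCRIPTION
    Computes "<Major>.<Minor>.<Build>" (with "-<PreReleasePrefix>" appended for
    pre-releases), deletes OutputPath if it already exists, copies the tree at Path
    underneath OutputPath, renames the first directory called "Version" to the
    computed version and rewrites every *.psd1 below the destination, replacing the
    "[Version]" and "0.0.0" placeholders (and, for pre-releases, removing the
    "# [PRE-RELEASE] " prefix so those manifest lines become active).
.PARAMETER Path
    Module source directory to stage.
.PARAMETER OutputPath
    Staging root. Removed recursively before staging — never point it at a shared
    or source directory.
.PARAMETER MajorVersion
    Major version number.
.PARAMETER MinorVersion
    Minor version number (default 0).
.PARAMETER Build
    Build number (default 0).
.PARAMETER PreRelease
    Produce a pre-release version string and activate "# [PRE-RELEASE] " manifest lines.
.PARAMETER PreReleasePrefix
    Pre-release label appended after "-" (default "pre").
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [string]
    $OutputPath,
    [Parameter(Mandatory = $true)]
    [int]
    $MajorVersion,
    [Parameter(Mandatory = $false)]
    [int]
    $MinorVersion = 0,
    [Parameter(Mandatory = $false)]
    [string]
    $Build = 0,
    [Parameter(Mandatory = $false)]
    [switch]
    $PreRelease,
    [Parameter(Mandatory = $false)]
    [string]
    $PreReleasePrefix = "pre"
)

if ($PreRelease) {
    $Version = "$($MajorVersion).$($MinorVersion).$($Build)-$($PreReleasePrefix)"
}
else {
    $Version = "$($MajorVersion).$($MinorVersion).$($Build)"
}

# Destructive: the whole OutputPath tree is removed before staging.
if (Test-Path -LiteralPath $OutputPath) {
    Remove-Item -LiteralPath $OutputPath -Recurse -Force
}

$SourcePathItem = Get-Item -LiteralPath $Path
$Destination = Join-Path $OutputPath $SourcePathItem.Name
Copy-Item -Path $Path -Filter *.* -Destination $Destination -Recurse -Force

# Fail with a clear message instead of letting Rename-Item choke on a $null path when
# the staged tree has no "Version" directory.
$Directory = Get-ChildItem -Path $Destination -Filter "Version" -Recurse | Select-Object -First 1
if ($null -eq $Directory) {
    throw "No 'Version' directory found under '$Destination'; cannot stamp version '$Version'."
}
Rename-Item -LiteralPath $Directory.FullName -NewName $Version -Force

$Items = Get-ChildItem -LiteralPath $Destination -Filter "*.psd1" -Recurse
foreach ($Item in $Items) {
    # Get-Content yields one string per line; .Replace runs on each line via member enumeration.
    $ManifestLines = Get-Content $Item.FullName
    $ManifestLines = $ManifestLines.Replace("[Version]", $Version)
    $ManifestLines = $ManifestLines.Replace("0.0.0", $Version)
    if ($PreRelease) {
        $ManifestLines = $ManifestLines.Replace("# [PRE-RELEASE] ", [string]::Empty)
    }
    $ManifestLines | Set-Content $Item.FullName
}
Get-ChildItem -LiteralPath $OutputPath -Recurse | ForEach-Object { Write-Host $_.FullName }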
--------------------------------------------------------------------------------
/src/Build/Framework/Powershell.Modules.Release.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Publishes the first module manifest found under Path to the named repository.
.DESCRIPTION
    Picks the first *.psd1 below Path and calls Publish-Module for its directory.
    Pre-releases are published by module name after the directory is appended to
    PSModulePath; stable builds are published by path. Throws if no manifest exists.
.NOTES
    NOTE(review): $Credentials is never assigned in this script. It is presumably left
    in the caller's scope by Powershell.Nuget.Connect.ps1 when that script is
    dot-sourced; in a fresh scope -Credential binds $null — confirm how this is invoked.
    NOTE(review): NuGetApiKey arrives as a plain [string] parameter, so the secret is
    visible in command lines and transcripts of the build host.
#>
1 | [CmdletBinding()]
2 | param (
3 | [Parameter(Mandatory = $true)]
4 | [string]
5 | $Name,
6 | [Parameter(Mandatory = $true)]
7 | [string]
8 | $Path,
9 | [Parameter(Mandatory = $true)]
10 | [string]
11 | $NuGetApiKey,
12 | [Parameter(Mandatory = $false)]
13 | [switch]
14 | $PreRelease
15 | )
16 |
# First manifest wins: a tree containing several modules only publishes one of them.
17 | $Item = Get-ChildItem -Path $Path -Filter "*.psd1" -Recurse | Select-Object -First 1
18 | if($null -ne $Item) {
19 | $Directory = $Item.Directory
20 | if($PreRelease){
# Publish-Module -Name resolves the module through PSModulePath, hence the append.
21 | $env:PSModulePath = $env:PSModulePath + "$([System.IO.Path]::PathSeparator)$($Directory.FullName)"
# -AllowPrerelease:$PreRelease is always $true on this branch.
22 | Publish-Module -Name $Directory.Name -Exclude @("README.md") -Repository $Name -NuGetApiKey $NuGetApiKey -Credential $Credentials -Force -AllowPrerelease:$PreRelease
23 | }
24 | else {
25 | Publish-Module -Path $Directory.FullName -Repository $Name -NuGetApiKey $NuGetApiKey -Credential $Credentials -Force
26 | }
27 | }
28 | else {
29 | throw "Module PSD Manifest not found"
30 | }
--------------------------------------------------------------------------------
/src/Build/Framework/Powershell.Nuget.Connect.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Registers a trusted PSRepository for a NuGet feed if it is not registered yet.
.DESCRIPTION
    Wraps the API key in a PSCredential (user name "[NO INFORMED]") and, when no
    repository called Name exists, registers Location as both source and publish
    location with InstallationPolicy Trusted.
.NOTES
    $Credentials is deliberately left as a script-scope variable; sibling scripts
    (e.g. Powershell.Modules.Release.ps1) reference a variable of that name and
    presumably expect this script to be dot-sourced — confirm.
    NOTE(review): NuGetApiKey is a plain [string] parameter, so the secret is visible
    in command lines and transcripts before it is converted to a SecureString.
.PARAMETER Name
    Repository name.
.PARAMETER NuGetApiKey
    Feed API key / PAT used as the credential password.
.PARAMETER Location
    Feed URL used for both SourceLocation and PublishLocation.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Name,
    [Parameter(Mandatory = $true)]
    [string]
    $NuGetApiKey,
    [Parameter(Mandatory = $true)]
    [string]
    $Location
)

$Credentials = New-Object System.Management.Automation.PSCredential(
    "[NO INFORMED]",
    (ConvertTo-SecureString -String $NuGetApiKey -AsPlainText -Force))

$Existing = Get-PSRepository -Name $Name -ErrorAction SilentlyContinue
if (($null -eq $Existing) -or ([string]::Empty -eq $Existing)) {
    $RegisterArgs = @{
        Name               = $Name
        SourceLocation     = $Location
        PublishLocation    = $Location
        InstallationPolicy = 'Trusted'
        Credential         = $Credentials
    }
    Register-PSRepository @RegisterArgs
}
--------------------------------------------------------------------------------
/src/Build/Framework/Powershell.Nuget.Credentials.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Returns a PSCredential whose password is the given NuGet API key.
.DESCRIPTION
    The user name is the placeholder "[NO INFORMED]"; only the password carries the key.
    NOTE(review): NuGetApiKey is not mandatory and ConvertTo-SecureString rejects an
    empty -String, so calling this without a key fails inside the conversion — presumably
    better surfaced by making the parameter mandatory; confirm callers.
.PARAMETER NuGetApiKey
    Feed API key / PAT to wrap.
#>
[CmdletBinding()]
param (
    [Parameter()]
    [string]
    $NuGetApiKey
)

return New-Object System.Management.Automation.PSCredential(
    "[NO INFORMED]",
    (ConvertTo-SecureString -String $NuGetApiKey -AsPlainText -Force))
10 |
--------------------------------------------------------------------------------
/src/Build/Framework/Powershell.Nuget.Disconnect.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Removes the PSRepository registered by Powershell.Nuget.Connect.ps1.
.PARAMETER Name
    Repository name to unregister.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Name
)

$UnregisterArgs = @{ Name = $Name }
Unregister-PSRepository @UnregisterArgs
--------------------------------------------------------------------------------
/src/Dev/Framework/Automation.DataExportRules/Automation.DataExportRules.psd1:
--------------------------------------------------------------------------------
1 | @{
2 | Name = "Azure Sentinel Data Export Rules"
3 | Type = "PowerShell"
4 | Description = "Manage the Data Export Rules based on the Definition by Environment"
5 | Modules = @{
6 | "Az.Accounts" = "2.2.8"
7 | "Az.EventHub" = "1.7.2"
8 | "Az.Resources" = "3.5.0"
9 | "Az.Storage" = "3.6.0"
10 | }
11 | }
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell.Tests/Azure.Kql.Powershell.Tests.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | net5.0
5 |
6 | false
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell.Tests/KqlPowershellTests.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.VisualStudio.TestTools.UnitTesting;
2 | using System.Diagnostics;
3 | using System.Linq;
4 | using System.Management.Automation;
5 |
6 | namespace Azure.Kql.Powershell.Tests
7 | {
8 | [TestClass]
// MSTest cases for KqlValidatorCommand.Invoke() on well-formed, malformed, null and empty KQL.
// NOTE(review): the generic type arguments on OfType() and Assert.ThrowsException() are
// missing in this listing (presumably stripped by the rendering); as printed the file
// would not compile — confirm against the checked-in source.
9 | public class KqlPowershellTests
10 | {
// Well-formed query: there is no Assert, so the test only proves that Invoke() completes
// without throwing for a query the Kusto parser accepts.
11 | [TestMethod]
12 | public void TestCaseWellExpression()
13 | {
14 | KqlValidatorCommand command = new KqlValidatorCommand()
15 | {
16 | KQLExpression = "T | project a = a + b | where a > 10.0"
17 | };
18 |
19 | command.Invoke().OfType().ToList();
20 | }
21 |
// Misspelled operators ("proyect", "whee"): Invoke() is expected to throw; the exception
// type is the stripped generic argument.
22 | [TestMethod]
23 | public void TestCaseBadExpression()
24 | {
25 | KqlValidatorCommand command = new KqlValidatorCommand()
26 | {
27 | KQLExpression = "T | proyect a = a + b | whee a > 10.0"
28 | };
29 |
30 | Assert.ThrowsException(() => command.Invoke().OfType().ToList());
31 | }
32 |
// Null expression: the property is set directly, so this presumably exercises
// ProcessRecord's own IsNullOrEmpty/IsNullOrWhiteSpace check rather than the
// [ValidateNotNullOrEmpty] attribute (which the parameter binder applies) — confirm;
// the branch ProcessRecord takes for null is outside this listing.
33 | [TestMethod]
34 | public void TestCaseNullExpression()
35 | {
36 | KqlValidatorCommand command = new KqlValidatorCommand()
37 | {
38 | KQLExpression = null
39 | };
40 |
41 | Assert.ThrowsException(() => command.Invoke().OfType().ToList());
42 | }
43 |
// Empty expression: same path as the null case, via the IsNullOrEmpty check.
44 | [TestMethod]
45 | public void TestCaseEmptyExpression()
46 | {
47 | KqlValidatorCommand command = new KqlValidatorCommand()
48 | {
49 | KQLExpression = ""
50 | };
51 |
52 | Assert.ThrowsException(() => command.Invoke().OfType().ToList());
53 | }
54 | }
55 | }
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31205.134
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Azure.Kql.Powershell", "Azure.Kql.Powershell\Azure.Kql.Powershell.csproj", "{8850EA06-BD1D-4513-BF80-7FC3E9E1C345}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Azure.Kql.Powershell.Tests", "Azure.Kql.Powershell.Tests\Azure.Kql.Powershell.Tests.csproj", "{EF0C74A6-80AC-4EDC-BF60-7A88ECC8DB65}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {8850EA06-BD1D-4513-BF80-7FC3E9E1C345}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {8850EA06-BD1D-4513-BF80-7FC3E9E1C345}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {8850EA06-BD1D-4513-BF80-7FC3E9E1C345}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {8850EA06-BD1D-4513-BF80-7FC3E9E1C345}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {EF0C74A6-80AC-4EDC-BF60-7A88ECC8DB65}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {EF0C74A6-80AC-4EDC-BF60-7A88ECC8DB65}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {EF0C74A6-80AC-4EDC-BF60-7A88ECC8DB65}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {EF0C74A6-80AC-4EDC-BF60-7A88ECC8DB65}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {DB75AD4B-CA1B-4BB9-AFB3-E6F70F7865F0}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell/Azure.Kql.Powershell.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | net5.0
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell/KqlValidationException.cs:
--------------------------------------------------------------------------------
1 | using Kusto.Language;
2 | using System;
3 | using System.Collections.Generic;
4 | using System.Linq;
5 | using System.Text;
6 | using System.Threading.Tasks;
7 |
8 | namespace Azure.Kql.Powershell
9 | {
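public class KqlValidationException : Exception
{
    #region · Public ·
    /// <summary>
    /// Raised by <c>Invoke-KqlValidator</c> for every error-severity diagnostic the Kusto parser reports.
    /// </summary>
    /// <param name="diagnostic">The parser diagnostic to wrap; must not be null.</param>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="diagnostic"/> is null
    /// (the original dereferenced it and surfaced a NullReferenceException instead).</exception>
    public KqlValidationException(Diagnostic diagnostic) : base(FormatMessage(diagnostic))
    {
        Diagnostic = diagnostic;
    }

    /// <summary>
    /// The original parser diagnostic, kept so callers can inspect the code and positions
    /// programmatically instead of parsing <see cref="Exception.Message"/>.
    /// </summary>
    public Diagnostic Diagnostic { get; }

    /// <summary>
    /// Builds the message text "CODE: message {newline} description in position start - end".
    /// Static so it can be evaluated inside the base-constructor call, where no instance state exists yet.
    /// </summary>
    /// <param name="diagnostic">Diagnostic to format; must not be null.</param>
    /// <returns>The formatted message.</returns>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="diagnostic"/> is null.</exception>
    public static string FormatMessage(Diagnostic diagnostic)
    {
        if (diagnostic is null)
        {
            throw new ArgumentNullException(nameof(diagnostic));
        }

        return $"{diagnostic.Code}: {diagnostic.Message} {Environment.NewLine} {diagnostic.Description} in position {diagnostic.Start} - {diagnostic.End}";
    }
    #endregion
}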
19 | }
20 |
--------------------------------------------------------------------------------
/src/Dev/Framework/Kql/Azure.Kql.Powershell/Azure.Kql.Powershell/KqlValidatorCommand.cs:
--------------------------------------------------------------------------------
1 | using Kusto.Language;
2 | using System;
3 | using System.Linq;
4 | using System.Collections.Generic;
5 | using System.Management.Automation;
6 |
7 | namespace Azure.Kql.Powershell
8 | {
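[Cmdlet("Invoke", "KqlValidator")]
public class KqlValidatorCommand : Cmdlet
{
    #region · Public ·
    public KqlValidatorCommand()
    {

    }

    /// <summary>
    /// The KQL text to validate. Mandatory; null and empty values are rejected by the parameter binder,
    /// whitespace-only values are rejected in <see cref="ProcessRecord"/>.
    /// </summary>
    [Parameter(Mandatory = true)]
    [ValidateNotNullOrEmpty]
    public string KQLExpression
    {
        get;
        set;
    }

    #endregion
    #region · Protected ·

    /// <summary>
    /// Parses <see cref="KQLExpression"/> with the Kusto language service and forwards every diagnostic to
    /// the matching PowerShell stream: errors become non-terminating <see cref="ErrorRecord"/>s (so the
    /// caller's ErrorActionPreference decides whether a CI run fails), warnings go to the warning stream
    /// and anything else to the information stream.
    /// </summary>
    /// <remarks>
    /// NOTE(review): <c>KustoCode.Parse</c> is the syntax-only entry point (no schema binding), so a query
    /// that references a table or column that does not exist in the target workspace is expected to pass
    /// here. Treat a clean run as "parses", not as "the detection rule will execute" — confirm against the
    /// Kusto.Language version in use.
    /// </remarks>
    /// <exception cref="CmdletInvocationException">Thrown when the expression is null, empty or whitespace only.</exception>
    protected override void ProcessRecord()
    {
        base.ProcessRecord();

        // [ValidateNotNullOrEmpty] lets whitespace-only input through, so it still has to be rejected here.
        if (string.IsNullOrWhiteSpace(KQLExpression))
        {
            throw new CmdletInvocationException("Kql Expression is null or empty");
        }

        KustoCode kustoCode = KustoCode.Parse(KQLExpression);
        foreach (Diagnostic diagnostic in kustoCode.GetDiagnostics())
        {
            ReportDiagnostic(diagnostic);
        }
    }

    #endregion
    #region · Private ·

    /// <summary>Routes a single diagnostic to the PowerShell stream that matches its severity string.</summary>
    /// <param name="diagnostic">The diagnostic to report.</param>
    private void ReportDiagnostic(Diagnostic diagnostic)
    {
        string severity = diagnostic.Severity;
        switch (severity)
        {
            case "Error":
            {
                // The diagnostic code doubles as ErrorId so callers can filter specific parser errors.
                var errorRecord = new ErrorRecord(new KqlValidationException(diagnostic), diagnostic.Code, ErrorCategory.ParserError, severity);
                this.WriteError(errorRecord);
                break;
            }
            case "Warning":
                this.WriteWarning(FormatDiagnostic(diagnostic));
                break;
            default:
                // Any other severity (suggestions etc.) is informational only.
                this.WriteInformation(FormatDiagnostic(diagnostic), null);
                break;
        }
    }

    /// <summary>Formats a diagnostic as "CODE: message {newline} description in position start - end".</summary>
    /// <param name="diagnostic">The diagnostic to format.</param>
    /// <returns>The formatted text used for warning and information output.</returns>
    private static string FormatDiagnostic(Diagnostic diagnostic)
    {
        return $"{diagnostic.Code}: {diagnostic.Message} {Environment.NewLine} {diagnostic.Description} in position {diagnostic.Start} - {diagnostic.End}";
    }

    #endregion
}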
61 | }
62 |
--------------------------------------------------------------------------------
/src/Dev/Framework/Microsoft.Sentinel.Connectors/Version/Microsoft.Sentinel.Connectors/Connectors/Microsoft.Sentinel.ThreatIntelligence.Connector.psm1:
--------------------------------------------------------------------------------
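# Bootstrap the Az.SecurityInsights dependency when the module is imported.
# NOTE(review): this Install-Module is unpinned (no -RequiredVersion, no -Repository) and runs with -Force,
# so whichever repository is registered on the agent decides what gets installed — pin version and
# repository once the team has settled on one. -ErrorAction Stop makes a failed install abort the import
# here instead of deferring the failure to the first New-/Update-AzSentinelDataConnector call.
$Module = Get-Module -Name Az.SecurityInsights -ListAvailable
if ($null -eq $Module) {
    Install-Module -Name Az.SecurityInsights -Force -ErrorAction Stop
}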
5 |
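# Enables, updates, disables or inspects the "ThreatIntelligence" data connector of a Sentinel workspace
# through Az.SecurityInsights. $Parameters.Indicators is forwarded unchanged to -Indicators.
class ThreatIntelligenceDataConnector : DataConnector {

    ThreatIntelligenceDataConnector () {

    }

    # Returns the workspace's "ThreatIntelligence" connector, or $null when none exists.
    # Select-Object -First 1 protects the callers below, which pass .Name as a single -DataConnectorId;
    # the original Where-Object result could be an array if more than one connector of that kind existed.
    hidden [object] GetConnector ([string]$ResourceGroup, [string]$Workspace) {
        return Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace |
            Where-Object { $_.Kind -eq "ThreatIntelligence" } |
            Select-Object -First 1
    }

    [void] Invoke ([string]$ResourceGroup, [string]$Workspace, [ConnectorAction] $Action, [Hashtable] $Parameters) {
        switch ($Action) {
            "Enable" {
                New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -ThreatIntelligence -Indicators $Parameters.Indicators | Out-Null
            }
            "Update" {
                $Connector = $this.GetConnector($ResourceGroup, $Workspace)
                if ($null -ne $Connector) {
                    Update-AzSentinelDataConnector -DataConnectorId $Connector.Name -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -ThreatIntelligence -Indicators $Parameters.Indicators | Out-Null
                }
                else {
                    Write-Error "Connector cannot be found"
                }
            }
            "Disable" {
                # Destructive: deletes the connector resource (ingestion stops) rather than pausing it.
                $Connector = $this.GetConnector($ResourceGroup, $Workspace)
                if ($null -ne $Connector) {
                    Remove-AzSentinelDataConnector -DataConnectorId $Connector.Name -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace
                }
                else {
                    Write-Error "Connector cannot be found"
                }
            }
            "Check" {
                # NOTE(review): PowerShell class methods only emit through `return`, and Invoke is [void], so
                # the original Write-Output here produced nothing. Write-Host reaches the caller's console/log.
                $Connector = $this.GetConnector($ResourceGroup, $Workspace)
                Write-Host ($Connector | Out-String)
            }
            Default {
                throw "Unexepected Action Requested"
            }
        }
    }
}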
--------------------------------------------------------------------------------
/src/Dev/Framework/Microsoft.Sentinel.Connectors/Version/Microsoft.Sentinel.Connectors/Microsoft.Sentinel.Connectors.psm1:
--------------------------------------------------------------------------------
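<#
.SYNOPSIS
    Returns the absolute path of the "Connectors" folder shipped next to this module file.
.DESCRIPTION
    $PSScriptRoot is the directory of the running .psm1, so it is exact even when several versions of
    Microsoft.Sentinel.Connectors are installed side by side. The original Get-Module -ListAvailable lookup
    returns one entry per installed version, which turned the result into an array of paths. That lookup is
    kept only as a fallback for hosts that do not populate $PSScriptRoot, and then picks the highest version.
#>
function Get-AzSentinelConnectorsLocation {
    $ModuleBasePath = $PSScriptRoot
    if ([string]::IsNullOrEmpty($ModuleBasePath)) {
        $Installed = Get-Module -Name Microsoft.Sentinel.Connectors -ListAvailable |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1
        if ($null -eq $Installed) {
            throw "Module Microsoft.Sentinel.Connectors cannot be located"
        }
        $ModuleBasePath = Split-Path -Path $Installed.Path -Parent
    }
    return Join-Path -Path $ModuleBasePath -ChildPath "Connectors"
}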
--------------------------------------------------------------------------------
/src/Dev/Framework/Microsoft.Sentinel.Workbooks/Version/Microsoft.Sentinel.Workbooks/Microsoft.Sentinel.Workbooks.template.json:
--------------------------------------------------------------------------------
1 | {
2 | "contentVersion": "1.0.0.0",
3 | "parameters": {
4 | "workbookDisplayName": {
5 | "type": "string",
6 | "metadata": {
7 | "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group."
8 | }
9 | },
10 | "workbookType": {
11 | "type": "string",
12 | "defaultValue": "sentinel",
13 | "metadata": {
14 | "description": "The gallery that the workbook will be shown under. Supported values include workbook, tsg, sentinel, etc. This template defaults to 'sentinel'."
15 | }
16 | },
17 | "workbookSourceId": {
18 | "type": "string",
19 | "metadata": {
20 | "description": "The id of resource instance to which the workbook will be associated"
21 | }
22 | },
23 | "workbookId": {
24 | "type": "string",
25 | "metadata": {
26 | "description": "The unique guid for this workbook instance"
27 | }
28 | },
29 | "workbookData": {
30 | "type": "string",
31 | "metadata": {
32 | "description": "The serialized workbook content (JSON string) written to the resource's serializedData property"
33 | }
34 | }
35 | },
36 | "resources": [
37 | {
38 | "name": "[parameters('workbookId')]",
39 | "type": "microsoft.insights/workbooks",
40 | "location": "[resourceGroup().location]",
41 | "apiVersion": "2021-03-08",
42 | "dependsOn": [],
43 | "kind": "shared",
44 | "properties": {
45 | "displayName": "[parameters('workbookDisplayName')]",
46 | "description": "Sample Description",
47 | "serializedData": "[parameters('workbookData')]",
48 | "version": "1.0",
49 | "sourceId": "[parameters('workbookSourceId')]",
50 | "category": "[parameters('workbookType')]"
51 | }
52 | }
53 | ],
54 | "outputs": {
55 | "workbookId": {
56 | "type": "string",
57 | "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]"
58 | }
59 | },
60 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
61 | }
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Azure.Automation.Runbooks.Deployment.ps1:
--------------------------------------------------------------------------------
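<#
.SYNOPSIS
    Pipeline entry point: deploys the Automation runbooks found under -Path using the settings in -SettingsFile.
.DESCRIPTION
    Thin wrapper over Deploy-AzAutomationRunbook (provided by the framework module the pipeline imports
    beforehand). Both paths are validated up front so a wrong artifact path fails with a clear binder error
    instead of an error from inside the deployment cmdlet.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]
    $SettingsFile
)

Deploy-AzAutomationRunbook -Path $Path -SettingsFile $SettingsFile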
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Alerts.Rules.Deployment.ps1:
--------------------------------------------------------------------------------
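<#
.SYNOPSIS
    Pipeline entry point: imports Sentinel analytics rules from -Path into the target workspace.
.NOTES
    NOTE(review): every failure is downgraded to an Azure Pipelines warning so the release continues. For
    detection content that means a broken rule file silently leaves a coverage gap in the workspace —
    consider failing the stage (task.complete result=Failed) once rule files are linted upstream,
    e.g. with Invoke-KqlValidator.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $ResourceGroup,
    [Parameter(Mandatory)]
    [string]
    $Workspace,
    [Parameter(Mandatory)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Json", "Yaml", "All")]
    [string]
    $Format
)

try {
    Import-AzSentinelAnalyticRules -ResourceGroup $ResourceGroup -Workspace $Workspace -Path $Path -Format $Format
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}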
24 |
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Alerts.RulesPlaybookConnection.Deployment.ps1:
--------------------------------------------------------------------------------
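<#
.SYNOPSIS
    Pipeline entry point: links analytics rules to their playbooks from the definitions under -Path.
.NOTES
    NOTE(review): failures are downgraded to a pipeline warning, so a rule may end up deployed without its
    response playbook while the release shows green. Consider failing the stage once the inputs are linted.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $ResourceGroup,
    [Parameter(Mandatory)]
    [string]
    $Workspace,
    [Parameter(Mandatory)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Json", "Yaml", "All")]
    [string]
    $Format,
    [Parameter(Mandatory = $true)]
    [string]
    $SettingsFile

)

try {
    Import-AzPlaybookAndRuleConnections -ResourceGroup $ResourceGroup -Workspace $Workspace -Path $Path -Format $Format -SettingsFile $SettingsFile
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}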
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Automation.Rules.Deployment.ps1:
--------------------------------------------------------------------------------
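<#
.SYNOPSIS
    Pipeline entry point: imports Sentinel automation rules from -Path into the target workspace.
.NOTES
    NOTE(review): failures are downgraded to a pipeline warning; a missing automation rule means incidents
    are not triaged/assigned as designed while the release still succeeds. Consider failing the stage once
    the inputs are linted.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $ResourceGroup,
    [Parameter(Mandatory)]
    [string]
    $Workspace,
    [Parameter(Mandatory)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Json", "Yaml", "All")]
    [string]
    $Format,
    [Parameter(Mandatory = $true)]
    [string]
    $SettingsFile
)

try {
    Import-AzSentinelAutomationRules -ResourceGroup $ResourceGroup -Workspace $Workspace -Path $Path -Format $Format -SettingsFile $SettingsFile
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}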
27 |
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Export.ps1:
--------------------------------------------------------------------------------
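<#
.SYNOPSIS
    Exports the automation and detection content of a Sentinel workspace (runbooks, API connections,
    playbooks, hunting rules, analytics rules, rule/playbook links and automation rules) into sub-folders of -Path.
.DESCRIPTION
    Each Export-* cmdlet comes from the framework module imported by the pipeline. Steps run in the original
    order without error handling, so a failing step is governed by the caller's ErrorActionPreference.
    NOTE(review): with the default 'Continue' a single failed export leaves a partial artifact that still
    looks complete — consider $ErrorActionPreference = 'Stop' in the calling task.
.PARAMETER ClearBeforeIfExists
    Deletes -Path recursively before exporting. Guarded so an empty or mis-resolved variable cannot turn
    this into a wipe of a drive root or of an arbitrary file.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $WorkspaceName,
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $AutomationAccountName,
    [Parameter(Mandatory = $true)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Json", "Yaml")]
    [string]
    $Format,
    [Parameter(Mandatory = $false)]
    [switch]
    $ClearBeforeIfExists
)

if ($ClearBeforeIfExists -and (Test-Path -Path $Path)) {
    # Remove-Item -Recurse -Force on an operator-supplied path is the most destructive line in this script:
    # only clear a real directory that has a parent (a DirectoryInfo whose Parent is $null is a filesystem root).
    $Target = Get-Item -Path $Path
    if (-not $Target.PSIsContainer -or $null -eq $Target.Parent) {
        throw "Refusing to clear '$($Path)': it must be a directory below a filesystem root"
    }
    Remove-Item -Path $Path -Recurse -Force
}

# Announces a step and returns the sub-folder it writes into (messages and folder names unchanged).
function Get-ExportFolder([string]$Label, [string]$ChildPath) {
    Write-Host "Exporting $Label"
    return Join-Path -Path $Path -ChildPath $ChildPath
}

$RunbooksPath = Get-ExportFolder -Label "Runbooks" -ChildPath "Runbooks"
Export-AzureAutomationRunbook -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName -Path $RunbooksPath
$PlaybookConnectionsPath = Get-ExportFolder -Label "Connections" -ChildPath "Connections"
Export-AzSentinelPlaybookConnections -ResourceGroupName $ResourceGroupName -Path $PlaybookConnectionsPath
$PlaybooksPath = Get-ExportFolder -Label "Playbooks" -ChildPath "Playbooks"
Export-AzSentinelPlaybook -ResourceGroupName $ResourceGroupName -Path $PlaybooksPath
$HuntingRulesPath = Get-ExportFolder -Label "Hunting Rules" -ChildPath "HuntingRules"
Export-AzSentinelHuntingRules -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Path $HuntingRulesPath -Format $Format
$AnalyticsRulesPath = Get-ExportFolder -Label "Analytics Rules" -ChildPath "AnalyticsRules"
Export-AzSentinelAnalyticsRules -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Path $AnalyticsRulesPath -Format $Format
$AlertAndPlaybooksConnectionsPath = Get-ExportFolder -Label "Alert & Playbooks Connections" -ChildPath "AlertAndPlaybooksConnections"
Export-AzPlaybookAndRuleConnections -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Path $AlertAndPlaybooksConnectionsPath -Format $Format
$AutomationRulesPath = Get-ExportFolder -Label "Automation Rules" -ChildPath "AutomationRules"
Export-AzSentinelAutomationRules -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Path $AutomationRulesPath -Format $Format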
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Hunting.Rules.Deployment.ps1:
--------------------------------------------------------------------------------
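<#
.SYNOPSIS
    Pipeline entry point: imports Sentinel hunting rules from -Path into the target workspace.
.NOTES
    NOTE(review): the original hard-coded "-Format Yaml" and ignored the validated -Format parameter; it is
    forwarded now. If the hunting-rule importer truly supports YAML only, drop the parameter instead of
    silently ignoring it.
    NOTE(review): failures are downgraded to a pipeline warning, so missing hunting content does not fail
    the release.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $WorkspaceName,
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroup,
    [Parameter(Mandatory = $true)]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Json", "Yaml", "All")]
    [string]
    $Format
)

try {
    Import-AzSentinelHuntingRules -WorkspaceName $WorkspaceName -ResourceGroup $ResourceGroup -Path $Path -Format $Format
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}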
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Playbooks.Deployment.ps1:
--------------------------------------------------------------------------------
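<#
.SYNOPSIS
    Pipeline entry point: deploys the Sentinel playbooks (Logic Apps) under -Path using -SettingsFile.
.NOTES
    NOTE(review): failures are downgraded to a pipeline warning; a playbook that did not deploy leaves the
    rules that reference it without their automated response while the release still succeeds.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]
    $SettingsFile
)

try {
    Import-AzSentinelPlaybooks -SettingsFile $SettingsFile -Path $Path
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}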
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Watchlist.Deployment.ps1:
--------------------------------------------------------------------------------
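<#
.SYNOPSIS
    Pipeline entry point: imports Sentinel watchlists from -Path into the target workspace.
.NOTES
    NOTE(review): failures are downgraded to a pipeline warning; analytics rules that join on a missing
    watchlist will simply match nothing while the release still succeeds.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $WorkspaceName
)


try {
    Import-AzSentinelWatchlists -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -Path $Path
}
catch {
    # Logging commands are single-line: flatten the message so a multi-line error cannot split the ##vso command.
    $Message = "$_" -replace '\r?\n', ' '
    # 'result' is not a task.logissue property; the task outcome is set explicitly with task.complete.
    Write-Host "##vso[task.logissue type=warning]$Message"
    Write-Host "##vso[task.complete result=SucceededWithIssues;]"
}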
--------------------------------------------------------------------------------
/src/Release/Artifacts Deployment/Scripts/Microsoft.Sentinel.Workbooks.Deployment.ps1:
--------------------------------------------------------------------------------
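<#
.SYNOPSIS
    Pipeline entry point: imports Sentinel workbooks from -Path into the target workspace.
.DESCRIPTION
    Unlike the sibling deployment scripts this one has no try/catch, so a failed import fails the task —
    intentional or not, it is the safer default and is kept. -Path is validated up front so a wrong artifact
    path fails with a clear binder error.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $WorkspaceName
)

Import-AzSentinelWorkbook -ResourceGroup $ResourceGroupName -Workspace $WorkspaceName -Path $Path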
--------------------------------------------------------------------------------
/src/Release/Common/Azure.Deployment.Environment.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Pipeline entry point: exports the deployment context settings of -ResourceGroupName into -Path.
.DESCRIPTION
    Delegates to Export-ContextSettings from the framework module imported by the pipeline; both
    parameters are forwarded unchanged.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $Path
)

$ExportArguments = @{
    ResourceGroupName = $ResourceGroupName
    Path              = $Path
}
Export-ContextSettings @ExportArguments
--------------------------------------------------------------------------------
/src/Release/Common/Azure.Deployment.Location.ps1:
--------------------------------------------------------------------------------
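<#
.SYNOPSIS
    Resolves the short suffix of an Azure location and publishes it as an Azure Pipelines variable.
.DESCRIPTION
    Get-AzLocationSuffix comes from the framework module imported by the pipeline. The original tested
    $Location for $null, which a mandatory [string] parameter can never be, so an unknown location produced
    an empty pipeline variable instead of the intended failure; the check now applies to the resolved suffix.
.PARAMETER VariableName
    Name of the pipeline variable to set. Azure Pipelines variable names consist of letters, digits, '.' and
    '_' (per the Azure Pipelines docs); restricting the value also keeps a stray ';' or ']' from altering the
    ##vso logging command built below.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]
    $Location,
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9_.]+$')]
    [string]
    $VariableName
)

Write-Debug "Resolving the Location requested: $($Location) over destination variable: $($VariableName)"
Write-Debug "Location resolution complete. Checking the Location"
$LocationSuffix = Get-AzLocationSuffix -Location $Location
if ([string]::IsNullOrWhiteSpace($LocationSuffix)) {
    Write-Debug "Location not found or is Unknown"
    throw "Unknown Location $($Location)"
}

Write-Debug "Location resolution complete. Location validated"
Write-Debug "Location Suffix: $($LocationSuffix)"
Write-Host "##vso[task.setvariable variable=$($VariableName);issecret=false]$($LocationSuffix)"
Write-Host "Setting $($VariableName) with the value: $($LocationSuffix)"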
24 |
--------------------------------------------------------------------------------
/src/Release/Common/Azure.Deployment.Resource.Check.ps1:
--------------------------------------------------------------------------------
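<#
.SYNOPSIS
    Checks whether an Azure resource exists and publishes two Azure Pipelines variables: one telling whether
    the resource was found and one telling whether a complete (name, resource group, type) triple was supplied.
.NOTES
    NOTE(review): -VariableNameNotDefined receives $true when the triple IS defined — the variable name and
    the value it carries read as opposites. Left as-is because pipeline conditions depend on it; confirm the
    intended polarity before renaming either side.
    NOTE(review): Get-AzResource runs with -ErrorAction SilentlyContinue, so an expired login or a missing
    read permission is reported exactly like "resource does not exist". A pipeline that creates resources on
    "$false" may therefore attempt a duplicate deployment; surfacing the error is preferable once callers are
    audited.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $false)]
    [string]
    $ResourceName,
    [Parameter(Mandatory = $false)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $false)]
    [string]
    $ResourceType,
    [Parameter(Mandatory = $false)]
    [string]
    $VariableNameExists,
    [Parameter(Mandatory = $false)]
    [string]
    $VariableNameNotDefined
)

$IsDefined = -not ([string]::IsNullOrEmpty($ResourceName) -or [string]::IsNullOrEmpty($ResourceGroupName) -or [string]::IsNullOrEmpty($ResourceType))
$ResourceExists = $false
if ($IsDefined) {
    $Resource = Get-AzResource -Name $ResourceName -ResourceGroupName $ResourceGroupName -ResourceType $ResourceType -ErrorAction SilentlyContinue
    $ResourceExists = $null -ne $Resource
}

# Both variables are always published so downstream conditions never see an undefined variable.
Write-Host "##vso[task.setvariable variable=$($VariableNameExists);issecret=false]$($ResourceExists)"
Write-Host "##vso[task.setvariable variable=$($VariableNameNotDefined);issecret=false]$($IsDefined)"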
--------------------------------------------------------------------------------
/src/Release/Common/Azure.DevOps.Extensions.psm1:
--------------------------------------------------------------------------------
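<#
.SYNOPSIS
    Publishes a value as an Azure Pipelines variable via the ##vso[task.setvariable] logging command.
.DESCRIPTION
    Shaped so the 'dynamic' alias reads like an assignment: dynamic MyVar = "value".
.PARAMETER Name
    Variable name. Azure Pipelines allows letters, digits, '.' and '_'; the pattern also keeps ';' and ']'
    out of the logging command.
.PARAMETER Link
    Always '='; exists only for the assignment-like syntax.
.PARAMETER Value
    Value to publish. It is printed to the build log in clear unless -IsSecret is given.
.PARAMETER IsSecret
    Marks the variable as secret (issecret=true) so the agent masks it in logs and does not expose it as an
    environment variable. The original always emitted issecret=false, which would print e.g. a connection
    string straight into the pipeline log. Default stays $false for backward compatibility.
#>
function Set-AzureDevOpsVariable {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [string]
        [ValidateNotNullOrEmpty()]
        [ValidatePattern('^[A-Za-z0-9_.]+$')]
        $Name,
        [Parameter(Mandatory=$true, Position = 1)]
        [ValidateSet("=")]
        [char]
        $Link,
        [Parameter(Mandatory = $true, Position = 2)]
        [object]
        [ValidateNotNullOrEmpty()]
        $Value,
        [Parameter(Mandatory = $false)]
        [switch]
        $IsSecret
    )

    $SecretFlag = if ($IsSecret) { "true" } else { "false" }
    Write-Host "##vso[task.setvariable variable=$($Name);issecret=$($SecretFlag)]$($Value)"
}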
20 |
# 'dynamic Name = Value' reads like an assignment but publishes an Azure Pipelines variable; ReadOnly keeps
# other scripts in the session from silently repointing the alias.
Set-Alias dynamic Set-AzureDevOpsVariable -Option ReadOnly
--------------------------------------------------------------------------------
/src/Release/Common/Azure.Environments.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Pipeline entry point: resolves the environment definition stored under -Path.
.DESCRIPTION
    Delegates to Resolve-EnvironmentDefinition from the framework module imported by the pipeline.
    -EnvironmentName is optional and forwarded as given (an empty string when omitted).
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Path,
    [Parameter(Mandatory = $false)]
    [string]
    $EnvironmentName
)

$ResolveArguments = @{
    Path            = $Path
    EnvironmentName = $EnvironmentName
}
return Resolve-EnvironmentDefinition @ResolveArguments
--------------------------------------------------------------------------------
/src/Release/Common/Azure.Subscription.ps1:
--------------------------------------------------------------------------------
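<#
.SYNOPSIS
    Resolves an environment definition from -Path and returns its Connection entry for the release to use.
.NOTES
    NOTE(review): the original wrote the whole environment definition to the verbose stream. Its Connection
    member is what this script hands to the release, and verbose output ends up in the pipeline log, where any
    connection details it carries are readable by everyone with log access. Only the resolved name and path
    are logged now.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $EnvironmentName,
    [Parameter(Mandatory = $true)]
    [string]
    $Path
)

$EnvironmentDefinition = Get-EnvironmentDefinition -Path $Path -EnvironmentName $EnvironmentName
if ($null -eq $EnvironmentDefinition) {
    throw "Environment $($EnvironmentName) in Path $($Path) cannot be resolved"
}

Write-Verbose "Resolved environment '$($EnvironmentName)' from '$($Path)'"
return $EnvironmentDefinition.Connection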
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Automation/Azure.Automation.LogicApp.Connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "location": {
9 | "type": "string",
10 | "defaultValue": "[resourceGroup().location]",
11 | "metadata": {
12 | "description": "Specifies the location in which to create the API connection; it also selects the regional azureautomation managed API the connection binds to."
13 | }
14 | }
15 | },
16 | "variables": {},
17 | "resources": [
18 | {
19 | "type": "Microsoft.Web/connections",
20 | "apiVersion": "2016-06-01",
21 | "name": "[parameters('name')]",
22 | "location": "[parameters('location')]",
23 | "kind": "V1",
24 | "properties": {
25 | "displayName": "Azure Automation (Sentinel)",
26 | "customParameterValues": {},
27 | "parameterValueType": "Alternative",
28 | "api": {
29 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azureautomation')]"
30 | }
31 | }
32 | }
33 | ]
34 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Automation/Azure.Automation.Roles.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "location": {
6 | "type": "string",
7 | "defaultValue": "[resourceGroup().location]"
8 | },
9 | "Name": {
10 | "type": "string"
11 | },
12 | "sentinelUserIdentity": {
13 | "type": "string"
14 | },
15 | "automationUserRoleAssignmentId": {
16 | "type": "string",
17 | "defaultValue": "[newGuid()]"
18 | }
19 | },
20 | "variables": {
21 | "operatorRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]"
22 | },
23 | "resources": [
24 | {
25 | "type": "Microsoft.Authorization/roleAssignments",
26 | "apiVersion": "2018-09-01-preview",
27 | "name": "[parameters('automationUserRoleAssignmentId')]",
28 | "scope": "[concat('microsoft.automation/automationaccounts/', parameters('Name'))]",
29 | "properties": {
30 | "roleDefinitionId": "[variables('operatorRoleDefinitionId')]",
31 | "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('sentinelUserIdentity')), '2018-11-30').principalId]",
32 | "principalType": "ServicePrincipal"
33 | }
34 | }
35 | ],
36 | "outputs": {}
37 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Automation/Azure.Automation.Runbooks.Deployment.ps1:
--------------------------------------------------------------------------------
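<#
.SYNOPSIS
    Deploys the Automation runbooks found under -Path using the settings in -SettingsFile.
.DESCRIPTION
    Thin wrapper over Deploy-AzAutomationRunbook (provided by the framework module the pipeline imports
    beforehand). Both paths are validated up front so a wrong artifact path fails with a clear binder error
    instead of an error from inside the deployment cmdlet.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ })]
    [string]
    $Path,
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
    [string]
    $SettingsFile
)

Deploy-AzAutomationRunbook -Path $Path -SettingsFile $SettingsFile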
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Databricks/Azure.Databricks.Cluster.Deployment.ps1:
--------------------------------------------------------------------------------
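<#
.SYNOPSIS
    Creates the cluster of an Azure Databricks workspace, authenticating with the service principal of the
    current Az context.
.DESCRIPTION
    Fixes two silent failure modes of the original: -ClusterName was accepted (mandatory) but never used —
    the literal "Default" was passed instead, assumed here to be a leftover — and a missing Az context or
    account made the script exit successfully without creating anything. Both now raise.
.NOTES
    NOTE(review): the client secret is read from Get-AzContext's ExtendedProperties and handed to
    New-AzureDatabricksCluster as a plain [string]. It is only populated for a service-principal + secret
    login (certificate or managed-identity contexts leave it empty, which is now rejected with a clear
    message instead of failing inside the cmdlet). Keep this script out of verbose/debug tracing so the value
    never reaches the pipeline log.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Name,
    [Parameter(Mandatory = $true)]
    [string]
    $ClusterName,
    [Parameter(Mandatory = $true)]
    [string]
    $Location,
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [int]
    $MinNodes,
    [Parameter(Mandatory = $true)]
    [int]
    $MaxNodes
)

Import-Module -Name (Join-Path -Path $PSScriptRoot -ChildPath "Azure.Databricks.Cluster.Deployment.psm1") -Force

$AzContext = Get-AzContext
if ($null -eq $AzContext) {
    throw "No Azure context available; sign in with a service principal before deploying the cluster"
}
$Account = $AzContext.Account
if ($null -eq $Account) {
    throw "The current Azure context carries no account information"
}

$ClientId = $Account.Id
$Secret = $Account.ExtendedProperties.ServicePrincipalSecret
if ([string]::IsNullOrEmpty($Secret)) {
    throw "The current Azure context carries no service principal secret; sign in with a service principal and client secret"
}

New-AzureDatabricksCluster -ApplicationId $ClientId -Secret $Secret -TenantId $AzContext.Tenant.Id -SubscriptionId $AzContext.Subscription.Id `
    -ResourceGroupName $ResourceGroupName -DatabricksName $Name -DatabricksClusterName $ClusterName `
    -DatabrickscontosoVersion "8.1.x-scala2.12" -DatabricksPythonVersion 3 `
    -DatabricksNodeType "Standard_D3_v2" -DatabricksMasterNodeType "Standard_D3_v2" `
    -MinNodes $MinNodes -MaxNodes $MaxNodes -Location $Location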
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Databricks/Azure.Databricks.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "disablePublicIp": {
6 | "type": "bool",
7 | "defaultValue": false,
8 | "metadata": {
9 | "description": "Specifies whether to deploy Azure Databricks workspace with Secure Cluster Connectivity (No Public IP) enabled or not"
10 | }
11 | },
12 | "Name": {
13 | "type": "string",
14 | "metadata": {
15 | "description": "The name of the Azure Databricks workspace to create."
16 | }
17 | },
18 | "pricingTier": {
19 | "type": "string",
20 | "defaultValue": "premium",
21 | "allowedValues": [
22 | "standard",
23 | "premium"
24 | ],
25 | "metadata": {
26 | "description": "The pricing tier of workspace."
27 | }
28 | },
29 | "location": {
30 | "type": "string",
31 | "defaultValue": "[resourceGroup().location]",
32 | "metadata": {
33 | "description": "Location for all resources."
34 | }
35 | }
36 | },
37 | "variables": {
38 | "managedResourceGroupName": "[concat('databricks-rg-', parameters('Name'), '-', uniqueString(parameters('Name'), resourceGroup().id))]"
39 | },
40 | "resources": [
41 | {
42 | "type": "Microsoft.Databricks/workspaces",
43 | "apiVersion": "2018-04-01",
44 | "name": "[parameters('Name')]",
45 | "location": "[parameters('location')]",
46 | "sku": {
47 | "name": "[parameters('pricingTier')]"
48 | },
49 | "properties": {
50 | "managedResourceGroupId": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('managedResourceGroupName'))]",
51 | "parameters": {
52 | "enableNoPublicIp": {
53 | "value": "[parameters('disablePublicIp')]"
54 | }
55 | }
56 | }
57 | }
58 | ],
59 | "outputs": {
60 | "workspace": {
61 | "type": "object",
62 | "value": "[reference(resourceId('Microsoft.Databricks/workspaces', parameters('Name')))]"
63 | }
64 | }
65 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Defender/Azure.Defender.Configuration.Contacts.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Creates or updates a Defender for Cloud (Azure Security Center) security contact.
.PARAMETER AlertAdmin
    Also notify subscription admins; forwarded as a switch value.
.PARAMETER NotifyOnAlert
    Send notifications on alerts; forwarded as a switch value.
.PARAMETER Phone
    Optional phone number; defaults to an empty string, which is forwarded unchanged.
.PARAMETER Email
    Optional e-mail address; defaults to an empty string, which is forwarded unchanged.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $Name,
    [Parameter(Mandatory = $false)]
    [switch]
    $AlertAdmin,
    [Parameter(Mandatory = $false)]
    [switch]
    $NotifyOnAlert,
    [Parameter(Mandatory = $false)]
    [string]
    $Phone = "",
    [Parameter(Mandatory = $false)]
    [string]
    $Email = ""
)

$ContactArguments = @{
    Name          = $Name
    Email         = $Email
    Phone         = $Phone
    AlertAdmin    = $AlertAdmin
    NotifyOnAlert = $NotifyOnAlert
}
Set-AzSecurityContact @ContactArguments
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Defender/Azure.Defender.Provisioning.ps1:
--------------------------------------------------------------------------------
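<#
.SYNOPSIS
    Sets the Defender for Cloud (Azure Security Center) pricing tier per plan from a hashtable of
    PlanName => $true|$false: $true selects "Standard" (Defender on), anything else selects "Free" (off).
.NOTES
    NOTE(review): a $false value turns Defender OFF for that plan; the Write-Warning below makes downgrades
    visible in the release log. Values are evaluated for truthiness, so a string "false" coming from a
    loosely typed settings file would enable rather than disable — confirm how the hashtable is produced.
    NOTE(review): Install-Module is unpinned (no -RequiredVersion/-Repository) and runs with -Force; pin it
    once a version is agreed.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [hashtable]
    [ValidateNotNull()]
    $SecurityTierConfiguration
)

# -ListAvailable: the original inspected only modules already loaded in the session, so an installed but
# not-yet-imported Az.Security triggered a needless Install-Module on every run.
$Module = Get-Module -Name Az.Security -ListAvailable -ErrorAction SilentlyContinue
if ($null -eq $Module) {
    Install-Module -Name Az.Security -Force -ErrorAction Stop
}

$PricingInformationBlock = Get-AzSecurityPricing
if ($null -eq $PricingInformationBlock) {
    throw "Unexpected error resolving Azure Security Center Pricings"
}

$PricingTiersNames = @($PricingInformationBlock | ForEach-Object { $_.Name })
foreach ($Item in $SecurityTierConfiguration.GetEnumerator()) {
    try {
        if ($PricingTiersNames -notcontains $Item.Key) {
            throw "Invalid Azure Service Name"
        }

        if ($Item.Value) {
            Set-AzSecurityPricing -Name $Item.Key -PricingTier "Standard"
        }
        else {
            Write-Warning "Disabling Defender (Free tier) for $($Item.Key)"
            Set-AzSecurityPricing -Name $Item.Key -PricingTier "Free"
        }
    }
    catch {
        # Best-effort: one bad entry must not prevent the remaining plans from being applied.
        if ($Item.Value -eq $true) {
            Write-Error "Error while enabling Defender for $($Item.Key)"
        }
        else {
            Write-Error "Error while disabling Defender for $($Item.Key)"
        }

        Write-Error $_
    }
}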
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/EventHub/Azure.EventHubNamespace.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "Name": {
6 | "type": "string"
7 | }
8 | },
9 | "variables": {},
10 | "resources": [
11 | {
12 | "type": "Microsoft.EventHub/namespaces",
13 | "apiVersion": "2018-01-01-preview",
14 | "name": "[parameters('Name')]",
15 | "location": "West Europe",
16 | "sku": {
17 | "name": "Standard",
18 | "tier": "Standard",
19 | "capacity": 1
20 | },
21 | "properties": {
22 | "zoneRedundant": false,
23 | "isAutoInflateEnabled": true,
24 | "maximumThroughputUnits": 20,
25 | "kafkaEnabled": true
26 | }
27 | },
28 | {
29 | "type": "Microsoft.EventHub/namespaces/AuthorizationRules",
30 | "apiVersion": "2017-04-01",
31 | "name": "[concat(parameters('Name'), '/RootManageSharedAccessKey')]",
32 | "location": "West Europe",
33 | "dependsOn": [
34 | "[resourceId('Microsoft.EventHub/namespaces', parameters('Name'))]"
35 | ],
36 | "properties": {
37 | "rights": [
38 | "Listen",
39 | "Manage",
40 | "Send"
41 | ]
42 | }
43 | },
44 | {
45 | "type": "Microsoft.EventHub/namespaces/networkRuleSets",
46 | "apiVersion": "2018-01-01-preview",
47 | "name": "[concat(parameters('Name'), '/default')]",
48 | "location": "West Europe",
49 | "dependsOn": [
50 | "[resourceId('Microsoft.EventHub/namespaces', parameters('Name'))]"
51 | ],
52 | "properties": {
53 | "defaultAction": "Allow",
54 | "virtualNetworkRules": [],
55 | "ipRules": []
56 | }
57 | }
58 | ]
59 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/EventHub/Azure.EventHubNamespace.Roles.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "Name": {
6 | "type": "string"
7 | },
8 | "automationAccount": {
9 | "type": "string"
10 | },
11 | "eventHubtRoleAssignmentId": {
12 | "type": "string",
13 | "defaultValue": "[newGuid()]"
14 | }
15 | },
16 | "variables": {
17 | "eventHubDataOwnerDefinitionId" : "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]"
18 | },
19 | "resources": [
20 | {
21 | "type": "Microsoft.Authorization/roleAssignments",
22 | "apiVersion": "2018-09-01-preview",
23 | "name": "[parameters('eventHubtRoleAssignmentId')]",
24 | "scope": "[concat('Microsoft.EventHub/namespaces/', parameters('Name'))]",
25 | "properties": {
26 | "roleDefinitionId": "[variables('eventHubDataOwnerDefinitionId')]",
27 | "principalId": "[reference(resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccount')), '2020-01-13-preview', 'Full').identity.principalId]",
28 | "principalType": "ServicePrincipal"
29 | }
30 | }
31 | ]
32 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/KeyVault/Azure.KeyVault.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string",
7 | "minLength": 3,
8 | "maxLength": 24
9 | },
10 | "location": {
11 | "type": "string",
12 | "defaultValue": "[resourceGroup().location]"
13 | }
14 | },
15 | "variables": {},
16 | "resources": [
17 | {
18 | "type": "Microsoft.KeyVault/vaults",
19 | "apiVersion": "2016-10-01",
20 | "name": "[parameters('name')]",
21 | "location": "westeurope",
22 | "properties": {
23 | "sku": {
24 | "family": "A",
25 | "name": "standard"
26 | },
27 | "tenantId": "[subscription().tenantId]",
28 | "accessPolicies": [],
29 | "enabledForDeployment": false,
30 | "enabledForDiskEncryption": false,
31 | "enabledForTemplateDeployment": false,
32 | "enableRbacAuthorization": true,
33 | "enableSoftDelete": true
34 | }
35 | }
36 | ]
37 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/KeyVault/Azure.KeyVault.LogicApp.Connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "keyvault": {
9 | "type": "string"
10 | },
11 | "location": {
12 | "type": "string",
13 | "defaultValue": "[resourceGroup().location]",
14 | "metadata": {
15 | "description": "Specifies the location in which to create the Connection."
16 | }
17 | }
18 | },
19 | "variables": {},
20 | "resources": [
21 | {
22 | "type": "Microsoft.Web/connections",
23 | "apiVersion": "2016-06-01",
24 | "name": "[parameters('name')]",
25 | "location": "[parameters('location')]",
26 | "kind": "V1",
27 | "properties": {
28 | "displayName": "Azure Key Vault Connection",
29 | "customParameterValues": {},
30 | "parameterValueType": "Alternative",
31 | "alternativeParameterValues": {
32 | "vaultName": "[parameters('keyvault')]"
33 | },
34 | "api": {
35 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/keyvault')]"
36 | }
37 | }
38 | }
39 | ]
40 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/LAW/Azure.LogAnalytics.Workspace.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string",
7 | "metadata": {
8 | "description": "Specifies the name of the workspace."
9 | }
10 | },
11 | "sku": {
12 | "type": "string",
13 | "allowedValues": [
14 | "pergb2018",
15 | "Free",
16 | "Standalone",
17 | "PerNode",
18 | "Standard",
19 | "Premium"
20 | ],
21 | "defaultValue": "pergb2018",
22 | "metadata": {
23 | "description": "Pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
24 | }
25 | },
26 | "location": {
27 | "type": "string",
28 | "allowedValues": [
29 | "australiacentral",
30 | "australiaeast",
31 | "australiasoutheast",
32 | "brazilsouth",
33 | "canadacentral",
34 | "centralindia",
35 | "centralus",
36 | "eastasia",
37 | "eastus",
38 | "eastus2",
39 | "francecentral",
40 | "japaneast",
41 | "koreacentral",
42 | "northcentralus",
43 | "northeurope",
44 | "southafricanorth",
45 | "southcentralus",
46 | "southeastasia",
47 | "uksouth",
48 | "ukwest",
49 | "westcentralus",
50 | "westeurope",
51 | "westus",
52 | "westus2"
53 | ],
54 | "metadata": {
55 | "description": "Specifies the location in which to create the workspace."
56 | }
57 | }
58 | },
59 | "resources": [
60 | {
61 | "type": "Microsoft.OperationalInsights/workspaces",
62 | "name": "[parameters('name')]",
63 | "apiVersion": "2017-03-15-preview",
64 | "location": "[parameters('location')]",
65 | "properties": {
66 | "sku": {
67 | "name": "[parameters('sku')]"
68 | },
69 | "retentionInDays": 120,
70 | "features": {
71 | "searchVersion": 1,
72 | "legacy": 0,
73 | "enableLogAccessUsingOnlyResourcePermissions": true
74 | }
75 | }
76 | }
77 | ]
78 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Sentinel/Azure.Sentinel.LogicApp.Connection.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "name": {
6 | "type": "string"
7 | },
8 | "location": {
9 | "type": "string",
10 | "defaultValue": "[resourceGroup().location]",
11 | "metadata": {
12 | "description": "Specifies the location in which to create the Connection."
13 | }
14 | }
15 | },
16 | "variables": {},
17 | "resources": [
18 | {
19 | "type": "Microsoft.Web/connections",
20 | "apiVersion": "2016-06-01",
21 | "name": "[parameters('name')]",
22 | "location": "[parameters('location')]",
23 | "kind": "V1",
24 | "properties": {
25 | "displayName": "Sentinel",
26 | "customParameterValues": {},
27 | "parameterValueType": "Alternative",
28 | "api": {
29 | "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', parameters('location'), '/managedApis/azuresentinel')]"
30 | }
31 | }
32 | }
33 | ]
34 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Sentinel/LogAnalyticsAndSentinel.template.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "workspaceName": {
6 | "type": "string"
7 | },
8 | "location": {
9 | "type": "string",
10 | "defaultValue": "[resourceGroup().location]"
11 | }
12 | },
13 | "resources": [
14 | {
15 | "apiVersion": "2020-08-01",
16 | "type": "Microsoft.OperationalInsights/workspaces",
17 | "name": "[parameters('workspaceName')]",
18 | "location": "[parameters('location')]",
19 | "properties": {
20 | "features": {
21 | "immediatePurgeDataOn30Days": true
22 | },
23 | "sku": {
24 | "name": "pergb2018"
25 | }
26 | }
27 | },
28 | {
29 | "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
30 | "type": "Microsoft.OperationsManagement/solutions",
31 | "apiVersion": "2015-11-01-preview",
32 | "location": "[parameters('location')]",
33 | "dependsOn": [
34 | "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
35 | ],
36 | "properties": {
37 | "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
38 | },
39 | "plan": {
40 | "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
41 | "product": "OMSGallery/SecurityInsights",
42 | "publisher": "Microsoft",
43 | "promotionCode": ""
44 | }
45 | }
46 | ]
47 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/Sentinel/Sentinel.template.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "workspaceName": {
6 | "type": "string"
7 | },
8 | "location": {
9 | "type": "string",
10 | "defaultValue": "[resourceGroup().location]"
11 | }
12 | },
13 | "resources": [
14 | {
15 | "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
16 | "type": "Microsoft.OperationsManagement/solutions",
17 | "apiVersion": "2015-11-01-preview",
18 | "location": "[parameters('location')]",
19 | "properties": {
20 | "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
21 | },
22 | "plan": {
23 | "name": "[concat('SecurityInsights','(', parameters('workspaceName'),')')]",
24 | "product": "OMSGallery/SecurityInsights",
25 | "publisher": "Microsoft",
26 | "promotionCode": ""
27 | }
28 | }
29 | ]
30 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Resources/StorageAccount/Azure.StorageAccount.Roles.Deployment.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
3 | "contentVersion": "1.0.0.0",
4 | "parameters": {
5 | "location": {
6 | "type": "string",
7 | "defaultValue": "[resourceGroup().location]"
8 | },
9 | "Name": {
10 | "type": "string"
11 | },
12 | "automationAccountSystemIdentity": {
13 | "type": "string"
14 | },
15 | "sentinelUserIdentity": {
16 | "type": "string"
17 | },
18 | "storageaccountSystemRoleAssignmentId": {
19 | "type": "string",
20 | "defaultValue": "[newGuid()]"
21 | },
22 | "storageaccountUserRoleAssignmentId": {
23 | "type": "string",
24 | "defaultValue": "[newGuid()]"
25 | }
26 | },
27 | "variables": {
28 | "storageBlobDataOwnerDefinitionId" : "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]"
29 | },
30 | "resources": [
31 | {
32 | "type": "Microsoft.Authorization/roleAssignments",
33 | "apiVersion": "2018-09-01-preview",
34 | "name": "[parameters('storageaccountSystemRoleAssignmentId')]",
35 | "scope": "[concat('microsoft.storage/storageaccounts/', parameters('Name'))]",
36 | "properties": {
37 | "roleDefinitionId": "[variables('storageBlobDataOwnerDefinitionId')]",
38 | "principalId": "[reference(resourceId('Microsoft.Automation/automationAccounts', parameters('automationAccountSystemIdentity')), '2020-01-13-preview', 'Full').identity.principalId]",
39 | "principalType": "ServicePrincipal"
40 | }
41 | },
42 | {
43 | "type": "Microsoft.Authorization/roleAssignments",
44 | "apiVersion": "2018-09-01-preview",
45 | "name": "[parameters('storageaccountUserRoleAssignmentId')]",
46 | "scope": "[concat('microsoft.storage/storageaccounts/', parameters('Name'))]",
47 | "properties": {
48 | "roleDefinitionId": "[variables('storageBlobDataOwnerDefinitionId')]",
49 | "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('sentinelUserIdentity')), '2018-11-30').principalId]",
50 | "principalType": "ServicePrincipal"
51 | }
52 | }
53 | ],
54 | "outputs": {}
55 | }
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Scripts/Microsoft.Sentinel.DataConnectors.Runtime.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Pipeline entry point that forwards a data-connector action to Invoke-DataConnector.

.DESCRIPTION
    Thin wrapper: every parameter is handed through to Invoke-DataConnector
    unchanged. The action "None" is a deliberate no-op so the pipeline step can
    always run and simply skip the call. Invoke-DataConnector itself is defined
    outside this script.

.PARAMETER ResourceGroupName
    Resource group that contains the workspace.

.PARAMETER Workspace
    Name of the Log Analytics / Sentinel workspace.

.PARAMETER Action
    One of Enable, Disable, Update, Check or None.

.PARAMETER ConnectorsPath
    Path passed to Invoke-DataConnector as the connector definitions location.

.PARAMETER ConnectorSettingsPath
    Path passed to Invoke-DataConnector as the connector settings location.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $Workspace,
    [Parameter(Mandatory = $true)]
    [ValidateSet("Enable", "Disable", "Update", "Check", "None")]
    $Action,
    [Parameter(Mandatory = $true)]
    [string]
    $ConnectorsPath,
    [Parameter(Mandatory = $true)]
    [string]
    $ConnectorSettingsPath
)

if ($Action -ne "None") {
    # Splat the pass-through arguments so the call site mirrors the param block.
    $connectorArguments = @{
        ResourceGroupName     = $ResourceGroupName
        Workspace             = $Workspace
        Action                = $Action
        ConnectorsPath        = $ConnectorsPath
        ConnectorSettingsPath = $ConnectorSettingsPath
    }

    Invoke-DataConnector @connectorArguments
}
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Scripts/Microsoft.Sentinel.Playbooks.Connections.Deployment.ps1:
--------------------------------------------------------------------------------
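<#
.SYNOPSIS
    Deploys every Logic App API connection template found under "<Path>\Connections".

.DESCRIPTION
    Enumerates *.json files below the Connections folder (recursively), skipping
    *.parameters.json files, and runs one incremental resource group deployment
    per template. When a sibling "<name>.parameters.json" exists it is passed as
    the parameter file and the deployment is named after the lower-cased template
    file name without its extension; otherwise the template is deployed on its
    own under its plain file name.

.PARAMETER ResourceGroupName
    Target resource group for the connection deployments.

.PARAMETER Path
    Environment folder that is expected to contain a "Connections" sub-folder.

.NOTES
    Throws when Path or Path\Connections cannot be resolved; only warns when the
    Connections folder holds no templates.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $Path
)

if (-not (Test-Path -Path $Path)) {
    throw "Path $($Path) cannot be resolved"
}

$ConnectionsPath = Join-Path -Path $Path -ChildPath "Connections"
if (-not (Test-Path -Path $ConnectionsPath)) {
    throw "Connection Path $($ConnectionsPath) cannot be resolved"
}

# Wrap in @() so that a single match is still an array. On a lone FileInfo
# ".Length" is the file size in bytes, not the item count, so the previous
# "$ConnectionItems.Length -gt 0" check silently depended on file contents.
$ConnectionItems = @(Get-ChildItem -Path $ConnectionsPath -Include "*.json" -Exclude "*.parameters.json" -File -Recurse)

if ($ConnectionItems.Count -eq 0) {
    Write-Warning "Connections not available on the specified Path"
    return
}

foreach ($Template in $ConnectionItems) {
    # The parameter file is looked up next to the template as "<name>.parameters.json".
    # BaseName strips only the final ".json", which is more predictable than a
    # string Replace when the name contains ".json" more than once.
    $ParametersFileItemPath = Join-Path -Path $Template.Directory.FullName -ChildPath "$($Template.BaseName).parameters.json"

    $deployment = @{
        ResourceGroupName = $ResourceGroupName
        Mode              = "Incremental"
        TemplateFile      = $Template.FullName
    }

    if (Test-Path -Path $ParametersFileItemPath) {
        $deployment.Name                  = $Template.Name.ToLowerInvariant().Replace(".json", [string]::Empty)
        $deployment.TemplateParameterFile = $ParametersFileItemPath
    }
    else {
        # Deployment name kept as the raw file name so existing deployment
        # history entries keep matching.
        $deployment.Name = $Template.Name
    }

    New-AzResourceGroupDeployment @deployment
}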
--------------------------------------------------------------------------------
/src/Release/Sentinel Deployment/Scripts/Microsoft.Sentinel.Remove.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Deletes a Log Analytics workspace.

.DESCRIPTION
    Calls Remove-AzOperationalInsightsWorkspace with -Force (no confirmation
    prompt) and -ForceDelete, which bypasses the soft-delete retention so the
    workspace and its data are removed permanently and cannot be recovered.

.PARAMETER ResourceGroupName
    Resource group that contains the workspace.

.PARAMETER WorkspaceName
    Name of the workspace to delete.
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string]
    $ResourceGroupName,
    [Parameter(Mandatory = $true)]
    [string]
    $WorkspaceName
)

$removal = @{
    ResourceGroupName = $ResourceGroupName
    Name              = $WorkspaceName
    # Permanent (non-recoverable) delete, without an interactive prompt.
    ForceDelete       = $true
    Force             = $true
}

Remove-AzOperationalInsightsWorkspace @removal
--------------------------------------------------------------------------------