diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json index 771a3fbf583..ba3754f15d1 100644 --- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json +++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json @@ -239,5 +239,6 @@ "InfobloxSOCInsightsDataConnector_Legacy", "InfobloxSOCInsightsDataConnector_AMA", "NetskopeDataConnector", - "NetskopeWebTransactionsDataConnector" + "NetskopeWebTransactionsDataConnector", + "CiscoAsaAma" ] \ No newline at end of file diff --git a/Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml b/Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml index 52e1d6a1655..00157bb97a5 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/AnomalyFoundInNetworkSessionTraffic.yaml @@ -17,6 +17,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -41,6 +44,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -184,5 +190,5 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: Anomaly was observed with {{anomalyFieldValue}} Traffic alertDescriptionFormat: 'Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}.' -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file 
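Review bot: Adding `CiscoAsaAma` to ValidConnectorIds.json widens the schema validator's allow-list, but nothing in this change adds a data connector definition with that id, so the test now accepts a connectorId whose definition lives elsewhere. Confirm the connector JSON that defines it (presumably in the Cisco ASA solution) uses exactly `CiscoAsaAma`, since this list is matched as a literal string and a casing mismatch would only surface at deployment time. The file still ends without a trailing newline on both sides of the hunk; adding one avoids the last element being rewritten again the next time an id is appended.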
diff --git a/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml b/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml index cf658b11d02..a7f417f8dfe 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByAnomalyBasedDetection.yaml @@ -17,6 +17,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -41,6 +44,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -183,5 +189,5 @@ alertDetailsOverride: alertDescriptionFormat: '{{Description}}' alertTacticsColumnName: Tactic alertSeverityColumnName: Severity -version: 1.0.1 +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByStaticThreshold.yaml b/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByStaticThreshold.yaml index f9268c9cbdf..2cb5da4bea3 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByStaticThreshold.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/DetectPortMisuseByStaticThreshold.yaml @@ -17,6 +17,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -41,6 +44,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL 
@@ -143,5 +149,5 @@ alertDetailsOverride: alertDescriptionFormat: '{{Description}}' alertTacticsColumnName: Tactic alertSeverityColumnName: Severity -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml b/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml index 21f1f4898bd..c6f2d6342b4 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/ExcessiveHTTPFailuresFromSource.yaml @@ -20,6 +20,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -44,6 +47,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -86,5 +92,5 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: Excessive number of failed connections from {{SrcIpAddr}} alertDescriptionFormat: 'The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.' -version: 1.2.6 +version: 1.2.7 kind: Scheduled diff --git a/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml b/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml index 48d19e45758..1d1efa68ad0 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/NetworkPortSweepFromExternalNetwork.yaml 
@@ -17,6 +17,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -41,6 +44,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -80,5 +86,5 @@ customDetails: alertDetailsOverride: alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}} alertDescriptionFormat: 'Network Port Sweep was detection by multiple IPs' -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Network Session Essentials/Analytic Rules/PortScan.yaml b/Solutions/Network Session Essentials/Analytic Rules/PortScan.yaml index ab55c49b26f..2208a39dc4f 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/PortScan.yaml +++ b/Solutions/Network Session Essentials/Analytic Rules/PortScan.yaml @@ -19,6 +19,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -43,6 +46,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -90,5 +96,5 @@ entityMappings: customDetails: AttemptedPortsCount: AttemptedPortsCount -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml b/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml index e73539a73fa..b723485281c 100644 --- a/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml 
+++ b/Solutions/Network Session Essentials/Analytic Rules/PossibleBeaconingActivity.yaml @@ -16,6 +16,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -40,6 +43,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL @@ -155,5 +161,5 @@ customDetails: FrequencyTime: MostFrequentTimeDeltaCount TotalDstBytes: TotalDstBytes -version: 1.1.5 +version: 1.1.6 kind: Scheduled diff --git a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json index a278a22c3d3..9bb15de18a5 100644 --- a/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json +++ b/Solutions/Network Session Essentials/Data/Solution_NetworkSessionEssentials.json @@ -35,7 +35,7 @@ ], "WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed", "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Network Session Essentials", - "Version": "3.0.3", + "Version": "3.0.4", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml b/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml index 9f709531834..b04401d841d 100644 --- a/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml +++ b/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByAnomalyHunting.yaml 
@@ -7,7 +7,7 @@ description-detailed: | tags: - Schema: ASimNetworkSessions - SchemaVersion: 0.2.4 + SchemaVersion: 0.2.5 requiredDataConnectors: - connectorId: AWSS3 dataTypes: @@ -18,6 +18,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -42,6 +45,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL diff --git a/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml b/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml index 93e35863cd9..8fab4fc7e7f 100644 --- a/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml +++ b/Solutions/Network Session Essentials/Hunting Queries/DetectPortMisuseByStaticThresholdHunting.yaml @@ -5,7 +5,7 @@ description: | tags: - Schema: ASimNetworkSessions - SchemaVersion: 0.2.4 + SchemaVersion: 0.2.5 requiredDataConnectors: - connectorId: AWSS3 dataTypes: @@ -16,6 +16,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -40,6 +43,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL diff --git a/Solutions/Network Session Essentials/Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml b/Solutions/Network Session Essentials/Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml index 0e092be2dcd..61976506b05 100644 
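Review bot: The `SchemaVersion` tag moves from 0.2.4 to 0.2.5 while the only other change in this file is the connector list, so the tag now asserts validation against a parser schema revision that the query body (outside this hunk) was not revisited for. Either confirm that the ASimNetworkSession fields this query reads are unchanged between 0.2.4 and 0.2.5, or keep the tag at 0.2.4 until the query is re-tested; the same applies to the other three hunting queries in this change. The hunting queries also change content without a `version` bump, unlike every analytic rule here — if the hunting-query `version` field (not shown) drives update detection in the package, bump it as well.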
--- a/Solutions/Network Session Essentials/Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml +++ b/Solutions/Network Session Essentials/Hunting Queries/DetectsSeveralUsersWithTheSameMACAddress.yaml @@ -5,7 +5,7 @@ description: | tags: - Schema: ASimNetworkSessions - SchemaVersion: 0.2.4 + SchemaVersion: 0.2.5 requiredDataConnectors: - connectorId: AWSS3 dataTypes: @@ -16,6 +16,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -40,6 +43,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL diff --git a/Solutions/Network Session Essentials/Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml b/Solutions/Network Session Essentials/Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml index 6d037d6c523..91f0fce3b8a 100644 --- a/Solutions/Network Session Essentials/Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml +++ b/Solutions/Network Session Essentials/Hunting Queries/MismatchBetweenDestinationAppNameAndDestinationPort.yaml @@ -5,7 +5,7 @@ description: | tags: - Schema: ASimNetworkSessions - SchemaVersion: 0.2.4 + SchemaVersion: 0.2.5 requiredDataConnectors: - connectorId: AWSS3 dataTypes: @@ -16,6 +16,9 @@ requiredDataConnectors: - connectorId: SecurityEvents dataTypes: - SecurityEvent + - connectorId: WindowsSecurityEvents + dataTypes: + - SecurityEvent - connectorId: WindowsForwardedEvents dataTypes: - WindowsEvent @@ -40,6 +43,9 @@ requiredDataConnectors: - connectorId: CiscoASA dataTypes: - CommonSecurityLog + - connectorId: CiscoAsaAma + dataTypes: + - CommonSecurityLog - connectorId: Corelight dataTypes: - Corelight_CL 
diff --git a/Solutions/Network Session Essentials/Package/3.0.4.zip b/Solutions/Network Session Essentials/Package/3.0.4.zip new file mode 100644 index 00000000000..eda2d46c728 Binary files /dev/null and b/Solutions/Network Session Essentials/Package/3.0.4.zip differ diff --git a/Solutions/Network Session Essentials/Package/createUiDefinition.json b/Solutions/Network Session Essentials/Package/createUiDefinition.json index 745faca26f9..2acf669d0ad 100644 --- a/Solutions/Network Session Essentials/Package/createUiDefinition.json +++ b/Solutions/Network Session Essentials/Package/createUiDefinition.json @@ -212,7 +212,7 @@ "name": "analytic7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema" + "text": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema" } } ] @@ -226,7 +226,7 @@ "name": "analytic8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema" + "text": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema" } } ] @@ -240,7 +240,7 @@ "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'" + "text": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'" } } ] 
@@ -292,7 +292,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query detect anomalous pattern in port usage with ASIM normalization. To tune the query to your environment configure it using the 'NetworkSession_Monitor_Configuration' watchlist. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" + "text": "This hunting query detect anomalous pattern in port usage with ASIM normalization. To tune the query to your environment configure it using the 'NetworkSession_Monitor_Configuration' watchlist. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" } } ] 
@@ -306,7 +306,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "There is an normal amount of traffic that goes on a particular port in any organization. This hunting query identifies port usage higher than threshold defined in 'NetworkSession_Monitor_Configuration' watchlist to determine high port usage. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" + "text": "There is an normal amount of traffic that goes on a particular port in any organization. This hunting query identifies port usage higher than threshold defined in 'NetworkSession_Monitor_Configuration' watchlist to determine high port usage. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" } } ] 
@@ -320,7 +320,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Ideally one user should be associated with one MAC ID, this hunting query will identify if same MAC ID is associated with more than one user which can be a case of MAC spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" + "text": "Ideally one user should be associated with one MAC ID, this hunting query will identify if same MAC ID is associated with more than one user which can be a case of MAC spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" } } ] 
@@ -334,7 +334,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Every standard app has a port associated with it. This query will identify if destination port associated with destination app is not standard which can be a case of network spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" + "text": "Every standard app has a port associated with it. This query will identify if destination port associated with destination app is not standard which can be a case of network spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)" } } ] diff --git a/Solutions/Network Session Essentials/Package/mainTemplate.json b/Solutions/Network Session Essentials/Package/mainTemplate.json index 7908f79b6de..df9133f422e 100644 --- a/Solutions/Network Session Essentials/Package/mainTemplate.json 
+++ b/Solutions/Network Session Essentials/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Network Session Essentials", - "_solutionVersion": "3.0.3", + "_solutionVersion": "3.0.4", "solutionId": "azuresentinel.azure-sentinel-solution-networksession", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", @@ -60,11 +60,11 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "cd6def0d-3ef0-4d55-a7e3-faa96c46ba12", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd6def0d-3ef0-4d55-a7e3-faa96c46ba12')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd6def0d-3ef0-4d55-a7e3-faa96c46ba12')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd6def0d-3ef0-4d55-a7e3-faa96c46ba12','-', '1.0.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd6def0d-3ef0-4d55-a7e3-faa96c46ba12','-', '1.0.1')))]" }, "analyticRuleObject2": { "analyticRuleVersion2": "1.0.0", 
@@ -81,46 +81,46 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b7dc801e-1e79-48bb-91e8-2229a8e6d40b','-', '1.0.0')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.1", + "analyticRuleVersion4": "1.0.2", "_analyticRulecontentId4": "cbf07406-fa2a-48b0-82b8-efad58db14ec", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cbf07406-fa2a-48b0-82b8-efad58db14ec')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cbf07406-fa2a-48b0-82b8-efad58db14ec')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cbf07406-fa2a-48b0-82b8-efad58db14ec','-', '1.0.1')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cbf07406-fa2a-48b0-82b8-efad58db14ec','-', '1.0.2')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.0", + "analyticRuleVersion5": "1.0.1", "_analyticRulecontentId5": "156997bd-da0f-4729-b47a-0a3e02dd50c8", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '156997bd-da0f-4729-b47a-0a3e02dd50c8')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('156997bd-da0f-4729-b47a-0a3e02dd50c8')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','156997bd-da0f-4729-b47a-0a3e02dd50c8','-', '1.0.0')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','156997bd-da0f-4729-b47a-0a3e02dd50c8','-', '1.0.1')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", + "analyticRuleVersion6": "1.0.3", "_analyticRulecontentId6": "cd8faa84-4464-4b4e-96dc-b22f50c27541", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd8faa84-4464-4b4e-96dc-b22f50c27541')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd8faa84-4464-4b4e-96dc-b22f50c27541')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8faa84-4464-4b4e-96dc-b22f50c27541','-', '1.0.2')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd8faa84-4464-4b4e-96dc-b22f50c27541','-', '1.0.3')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.2.5", + "analyticRuleVersion7": "1.2.7", "_analyticRulecontentId7": "4902eddb-34f7-44a8-ac94-8486366e9494", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4902eddb-34f7-44a8-ac94-8486366e9494')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4902eddb-34f7-44a8-ac94-8486366e9494')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4902eddb-34f7-44a8-ac94-8486366e9494','-', '1.2.5')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4902eddb-34f7-44a8-ac94-8486366e9494','-', '1.2.7')))]" }, "analyticRuleObject8": { - 
"analyticRuleVersion8": "1.0.4", + "analyticRuleVersion8": "1.0.6", "_analyticRulecontentId8": "1da9853f-3dea-4ea9-b7e5-26730da3d537", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1da9853f-3dea-4ea9-b7e5-26730da3d537')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1da9853f-3dea-4ea9-b7e5-26730da3d537')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1da9853f-3dea-4ea9-b7e5-26730da3d537','-', '1.0.4')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1da9853f-3dea-4ea9-b7e5-26730da3d537','-', '1.0.6')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.1.4", + "analyticRuleVersion9": "1.1.6", "_analyticRulecontentId9": "fcb9d75c-c3c1-4910-8697-f136bfef2363", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fcb9d75c-c3c1-4910-8697-f136bfef2363')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fcb9d75c-c3c1-4910-8697-f136bfef2363')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fcb9d75c-c3c1-4910-8697-f136bfef2363','-', '1.1.4')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fcb9d75c-c3c1-4910-8697-f136bfef2363','-', '1.1.6')))]" }, "SummarizeData_NSE": "SummarizeData_NSE", "_SummarizeData_NSE": "[variables('SummarizeData_NSE')]", 
@@ -180,7 +180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkSessionEssentials Workbook with template version 3.0.3", + "description": "NetworkSessionEssentials Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -392,7 +392,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalyFoundInNetworkSessionTraffic_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "AnomalyFoundInNetworkSessionTraffic_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -420,101 +420,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -534,13 +546,13 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "AnomalyFieldValue": "anomalyFieldValue", "Score": "score", - "AnomalyFieldType": "anomalyFieldType" + "AnomalyFieldType": "anomalyFieldType", + "AnomalyFieldValue": "anomalyFieldValue" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}.", - "alertDisplayNameFormat": "Anomaly was observed with {{anomalyFieldValue}} Traffic" + "alertDisplayNameFormat": "Anomaly was observed with {{anomalyFieldValue}} Traffic", + "alertDescriptionFormat": "Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}." } } }, @@ -595,7 +607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Anomaly in SMB Traffic(ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "Anomaly in SMB Traffic(ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -621,6 +633,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "LateralMovement" ], @@ -635,8 +648,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" 
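Review bot: Swapping the order of `dataTypes` and `connectorId` in every object of `requiredDataConnectors` turns a two-connector addition into a hundred-line rewrite, and because the removed `connectorId` of one object is paired with the added `connectorId` of the next, the diff shows `- "connectorId": "CiscoASA"` followed by `+ "connectorId": "CiscoAsaAma"` inside what looks like one object, which reads as a replacement rather than an insertion. Reading the new side as a whole, the list does contain both CiscoASA and CiscoAsaAma and both SecurityEvents and WindowsSecurityEvents, so the content matches the YAML changes. The same pattern repeats in the hunks starting at @@ -825, @@ -1030, @@ -1234, @@ -1425, @@ -1627 and @@ -1829. This file appears to be generated by the solution packaging tooling, so if that tool allows it, keeping key order stable would make the semantic change reviewable at a glance.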
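Review bot: `"requiredDataConnectors": [],` added in the @@ -621,6 +633,7 @@ hunk leaves the SMB-traffic anomaly rule with no declared data-source prerequisite, while every other rule in this template lists the full connector set from AWSS3 through CiscoMeraki, including the newly added WindowsSecurityEvents and CiscoAsaAma. The same empty list is added for the Remote Desktop brute-force rule in the @@ -724,6 +737,7 @@ hunk. If these two rules also read `_Im_NetworkSession` like their siblings, the portal will not surface any connector requirement for them, and an analyst enabling the rule cannot tell which sources need to be connected; if the empty list is intentional, a short comment in the source YAML saying so would help. Since this file looks generated, the correction belongs in the rule YAML rather than here.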
@@ -698,7 +711,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Remote Desktop Network Brute force (ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "Remote Desktop Network Brute force (ASIM Network Session schema)_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -724,6 +737,7 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
+ "requiredDataConnectors": [],
 "tactics": [
 "CredentialAccess"
 ],
@@ -734,8 +748,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
 }
 ],
 "entityType": "IP"
@@ -797,7 +811,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DetectPortMisuseByAnomalyBasedDetection_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "DetectPortMisuseByAnomalyBasedDetection_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -825,101 +839,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoASA" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -938,16 +964,16 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "AllNetworkProtocols": "NetworkProtocols", - "AllDvcAction": "DvcActions", "DstPortNumber": "DstPortNumber", - "AllNetworkDirections": "NetworkDirections" + "AllNetworkDirections": "NetworkDirections", + "AllNetworkProtocols": "NetworkProtocols", + "AllDvcAction": "DvcActions" }, "alertDetailsOverride": { - "alertTacticsColumnName": "Tactic", + "alertSeverityColumnName": "Severity", "alertDisplayNameFormat": "Detected {{Name}}", - "alertDescriptionFormat": "{{Description}}", - "alertSeverityColumnName": "Severity" + "alertTacticsColumnName": "Tactic", + "alertDescriptionFormat": "{{Description}}" } } }, @@ -1002,7 +1028,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectPortMisuseByStaticThreshold_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "DetectPortMisuseByStaticThreshold_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -1030,101 +1056,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -1142,16 +1180,16 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { - "AllNetworkProtocols": "NetworkProtocols", - "AllDvcAction": "DvcActions", "DstPortNumber": "DstPortNumber", - "AllNetworkDirections": "NetworkDirections" + "AllNetworkDirections": "NetworkDirections", + "AllNetworkProtocols": "NetworkProtocols", + "AllDvcAction": "DvcActions" }, "alertDetailsOverride": { - "alertTacticsColumnName": "Tactic", + "alertSeverityColumnName": "Severity", "alertDisplayNameFormat": "Detected {{Name}}", - "alertDescriptionFormat": "{{Description}}", - "alertSeverityColumnName": "Severity" + "alertTacticsColumnName": "Tactic", + "alertDescriptionFormat": "{{Description}}" } } }, @@ -1206,7 +1244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NetworkPortSweepFromExternalNetwork_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "NetworkPortSweepFromExternalNetwork_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -1234,101 +1272,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoASA" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -1341,8 +1391,8 @@ "AllDstIpAddr": "set_DstIpAddr" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Network Port Sweep was detection by multiple IPs", - "alertDisplayNameFormat": "Network Port Sweep detected on {{DstPortNumber}}" + "alertDisplayNameFormat": "Network Port Sweep detected on {{DstPortNumber}}", + "alertDescriptionFormat": "Network Port Sweep was detection by multiple IPs" } } }, @@ -1397,7 +1447,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveHTTPFailuresFromSource_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "ExcessiveHTTPFailuresFromSource_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1411,7 +1461,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.
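Review bot: The alert description kept on the new side of the @@ -1341,8 +1391,8 @@ hunk still reads "Network Port Sweep was detection by multiple IPs", which is the text an analyst sees on every incident this rule raises. The line should become `"alertDescriptionFormat": "Network Port Sweep was detected by multiple IPs"`; since this file appears to be generated from the rule YAML, the wording fix belongs in the NetworkPortSweepFromExternalNetwork rule source so that the next packaging run does not reintroduce it.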

\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", + "description": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)", "enabled": false, "query": "let threshold = 5000;\n_Im_NetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, threshold\n", 
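Review bot: The rewritten description in the @@ -1411,7 +1461,7 @@ hunk fixes the embedded line break but keeps two wording slips in a user-facing string: "the less sensitive is the rule and less incidents will be generated" should read "the less sensitive the rule is and the fewer incidents will be generated". The rest of the sentence is fine, and the change is only to the string value, so it can be made in the ExcessiveHTTPFailuresFromSource rule YAML and regenerated here.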
@@ -1425,101 +1475,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoASA" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -1532,8 +1594,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -1543,8 +1605,8 @@ "NumberOfDenies": "Count" }, "alertDetailsOverride": { - "alertDescriptionFormat": "The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.", - "alertDisplayNameFormat": "Excessive number of failed connections from {{SrcIpAddr}}" + "alertDisplayNameFormat": "Excessive number of failed connections from {{SrcIpAddr}}", + "alertDescriptionFormat": "The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity." } } }, @@ -1599,7 +1661,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PortScan_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "PortScan_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1613,7 +1675,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", + "description": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", "displayName": "Port scan detected (ASIM Network Session schema)", "enabled": false, "query": "let PortScanThreshold = 50;\n_Im_NetworkSession\n| where ipv4_is_private(SrcIpAddr) == False\n| where SrcIpAddr !in (\"127.0.0.1\", \"::1\")\n| summarize AttemptedPortsCount=dcount(DstPortNumber), AttemptedPorts=make_set(DstPortNumber, 100), ReportedBy=make_set(strcat(EventVendor, \"/\", EventProduct), 20) by SrcIpAddr, bin(TimeGenerated, 5m)\n| where AttemptedPortsCount > PortScanThreshold\n", 
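Review bot: The new-side description in the @@ -1613,7 +1675,7 @@ hunk still says "tries to access a large number of different ports is a short time frame"; "is" should be "in". Because this string is what the portal shows for the Port scan rule template, it is worth correcting in the PortScan rule YAML so the generated `"description"` here reads "... a large number of different ports in a short time frame ...".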
@@ -1627,101 +1689,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoASA" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -1734,8 +1808,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -1745,8 +1819,8 @@ "AttemptedPortsCount": "AttemptedPortsCount" }, "alertDetailsOverride": { - "alertDescriptionFormat": "A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.", - "alertDisplayNameFormat": "Potential port scan from {{SrcIpAddr}}" + "alertDisplayNameFormat": "Potential port scan from {{SrcIpAddr}}", + "alertDescriptionFormat": "A port scan has been performed from address {{SrcIpAddr}} over {{AttemptedPortsCount}} ports within 5 minutes. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system." } } }, @@ -1801,7 +1875,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleBeaconingActivity_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "PossibleBeaconingActivity_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -1815,7 +1889,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'", + "description": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'", "displayName": "Potential beaconing activity (ASIM Network Session schema)", "enabled": false, "query": "let querystarttime = 2d;\nlet queryendtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet LocalNetworks=dynamic([\"169.254.0.0/16\",\"127.0.0.0/8\"]);\n_Im_NetworkSession(starttime=ago(querystarttime), endtime=ago(queryendtime))\n| where not(ipv4_is_private(DstIpAddr))\n| where not (ipv4_is_in_any_range(DstIpAddr, LocalNetworks))\n| project \n TimeGenerated\n , SrcIpAddr\n , SrcPortNumber\n , DstIpAddr\n , DstPortNumber\n , DstBytes\n , SrcBytes\n| sort by \n SrcIpAddr asc\n , TimeGenerated asc\n , DstIpAddr asc\n , DstPortNumber asc\n| serialize\n| extend \n nextTimeGenerated = next(TimeGenerated, 1)\n , nextSrcIpAddr = next(SrcIpAddr, 1)\n| extend \n TimeDeltainSeconds = datetime_diff('second', nextTimeGenerated, TimeGenerated)\n| where SrcIpAddr == nextSrcIpAddr\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project\n TimeGenerated\n , TimeDeltainSeconds\n , SrcIpAddr\n , SrcPortNumber\n , DstIpAddr\n , DstPortNumber\n , DstBytes\n , SrcBytes\n| summarize\n count()\n , sum(DstBytes)\n , sum(SrcBytes)\n , make_list(TimeDeltainSeconds) \n by 
TimeDeltainSeconds\n , bin(TimeGenerated, 1h)\n , SrcIpAddr\n , DstIpAddr\n , DstPortNumber\n| summarize\n (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds)\n , TotalEvents=sum(count_)\n , TotalSrcBytes = sum(sum_SrcBytes)\n , TotalDstBytes = sum(sum_DstBytes)\n by bin(TimeGenerated, 1h)\n , SrcIpAddr\n , DstIpAddr\n , DstPortNumber\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n", 
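Review bot: The rewritten `"description"` in the @@ -1815,7 +1889,7 @@ hunk ends with a stray apostrophe, `... supports the ASIM NetworkSession schema'"`, which is present on the removed side too and so is carried into the new text unchanged. It is most likely a leftover from single-quoting in the PossibleBeaconingActivity rule YAML and will show up verbatim in the rule template's description. Dropping that trailing `'` in the YAML source and regenerating is the fix; the rest of the new description (the `\n` separators replacing the literal line break and backslash) looks correct.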
@@ -1829,101 +1903,113 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AWSS3", "dataTypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AzureFirewall", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureFirewall" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoASA" }, { - "connectorId": "CiscoASA", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CiscoAsaAma" }, { - "connectorId": "Corelight", "dataTypes": [ "Corelight_CL" - ] + ], + "connectorId": "Corelight" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream" - ] + ], + "connectorId": "AIVectraStream" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": 
"CiscoMeraki", "dataTypes": [ "Syslog", "CiscoMerakiNativePoller" - ] + ], + "connectorId": "CiscoMeraki" } ], "tactics": [ @@ -1937,8 +2023,8 @@ { "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } ], "entityType": "IP" @@ -1946,8 +2032,8 @@ { "fieldMappings": [ { - "columnName": "DstIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "DstIpAddr" } ], "entityType": "IP" 
@@ -1955,13 +2041,13 @@
 ],
 "customDetails": {
 "TotalDstBytes": "TotalDstBytes",
- "DstPortNumber": "DstPortNumber",
 "FrequencyTime": "MostFrequentTimeDeltaCount",
+ "DstPortNumber": "DstPortNumber",
 "FrequencyCount": "TotalSrcBytes"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident.",
- "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}"
+ "alertDisplayNameFormat": "Potential beaconing from {{SrcIpAddr}} to {{DstIpAddr}}",
+ "alertDescriptionFormat": "Potential beaconing pattern from a client at address {{SrcIpAddr}} to a server at address {{DstIpAddr}} over port {{DstPortNumber}} identified. Such potential outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/). The recurring frequency, reported as FrequencyTime in the custom details, and the total transferred volume reported as TotalDstBytes in the custom details, can help to determine the significance of this incident."
 }
 }
 },
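Review bot: The `customDetails` mapping kept as context in this hunk looks mislabeled: `"FrequencyTime": "MostFrequentTimeDeltaCount"` exposes a count under a name that suggests a time interval, and `"FrequencyCount": "TotalSrcBytes"` exposes a byte total under a name that suggests a count, while the alert description on the new side tells the analyst that "the recurring frequency" is "reported as FrequencyTime in the custom details". The query shown in the @@ -1815 hunk computes both `MostFrequentTimeDeltainSeconds` and `MostFrequentTimeDeltaCount`, so the intended mapping is presumably `"FrequencyTime": "MostFrequentTimeDeltainSeconds",` and `"FrequencyCount": "MostFrequentTimeDeltaCount"`, with `TotalSrcBytes` given its own key if it is still wanted. An analyst triaging a beaconing incident would otherwise read a hit count as the beacon interval, so this is worth confirming against the PossibleBeaconingActivity rule YAML, where the fix would need to be made for this generated file.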
@@ -2016,7 +2102,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SummarizeData_NSE Playbook with template version 3.0.3", + "description": "SummarizeData_NSE Playbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3473,7 +3559,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detect Outbound LDAP Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.3", + "description": "Detect Outbound LDAP Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -3558,7 +3644,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectPortMisuseByAnomalyHunting_HuntingQueries Hunting Query with template version 3.0.3", + "description": "DetectPortMisuseByAnomalyHunting_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -3643,7 +3729,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectPortMisuseByStaticThresholdHunting_HuntingQueries Hunting Query with template version 3.0.3", + "description": "DetectPortMisuseByStaticThresholdHunting_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -3728,7 +3814,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectsSeveralUsersWithTheSameMACAddress_HuntingQueries Hunting Query with template version 3.0.3", + "description": "DetectsSeveralUsersWithTheSameMACAddress_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -3809,7 +3895,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MismatchBetweenDestinationAppNameAndDestinationPort_HuntingQueries Hunting Query with template version 3.0.3", + "description": "MismatchBetweenDestinationAppNameAndDestinationPort_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -3890,7 +3976,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Protocols passing authentication in cleartext (ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.3", + "description": "Protocols passing authentication in cleartext (ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -3975,7 +4061,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Remote Desktop Network Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.3", + "description": "Remote Desktop Network Traffic(ASIM Network Session schema)_HuntingQueries Hunting Query with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -4073,7 +4159,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Network Session Essentials", @@ -4101,7 +4187,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "Workbook", 
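Review bot: The `"operator": "AND"` key is removed from `dependencies` in the last hunk on this line (ending at `"kind": "Workbook",`), while the hunk at `@@ -4196,7 +4281,71 @@` adds sixteen `"kind": "Solution"` criteria to the same `criteria` array; the operator that applies once the key is absent is not visible in the diff, and if the consumer defaults to AND, installing Network Session Essentials would require every listed source solution rather than any one of them. Please confirm the intended semantics against the schema the packaging tool targets and, if the goal is "any of these sources", state it explicitly, e.g. `"operator": "OR"`, instead of relying on a default. This looks like the generated package template, so the same change presumably also has to be made in the solution's packaging input or it will be lost on the next regeneration. The `dependencies` object continues outside both hunks, so the Workbook/Watchlist entries that now share one operator with the Solution entries are only partly visible here.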
@@ -4196,7 +4281,71 @@ { "kind": "Watchlist", "contentId": "[variables('_NetworkSession Monitor Configuration')]", - "version": "3.0.3" + "version": "3.0.4" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices" + }, + { + "kind": "Solution", + "contentId": "sentinel4azurefirewall.sentinel4azurefirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-networksecuritygroup" + }, + { + "kind": "Solution", + "contentId": "checkpoint.checkpoint-sentinel-solutions" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscoasa" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscomeraki" + }, + { + "kind": "Solution", + "contentId": "corelightinc1584998267292.corelight-for-azure-sentinel" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-fortinetfortigate" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-sysmonforlinux" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-windowsfirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos" + }, + { + "kind": "Solution", + "contentId": "vectraaiinc.vectra_sentinel_solution" + }, + { + "kind": "Solution", + "contentId": "watchguard-technologies.watchguard_firebox_mss" + }, + { + "kind": "Solution", + "contentId": "zscaler1579058425289.zscaler_internet_access_mss" } ] }, diff --git a/Solutions/Network Session Essentials/Playbooks/SummarizeData_NSE/readme.md b/Solutions/Network Session Essentials/Playbooks/SummarizeData_NSE/readme.md index 0dc2bac1e63..97307303f2d 100644 
--- a/Solutions/Network Session Essentials/Playbooks/SummarizeData_NSE/readme.md +++ b/Solutions/Network Session Essentials/Playbooks/SummarizeData_NSE/readme.md @@ -7,8 +7,8 @@ This logic app helps to summarize Network session data into custom tables. This ### Deployment instructions 1. Deploy the playbook by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard. -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/deploySummarizationPublic) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/deploySummarizationGov) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-NetworkSessionEssentials-SummarizeData) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-NetworkSessionEssentials-SummarizeData-gov) 2. Fill in the required parameter: * Playbook Name: Enter the playbook name here (Ex: SummarizeData) diff --git a/Solutions/Network Session Essentials/ReleaseNotes.md b/Solutions/Network Session Essentials/ReleaseNotes.md index 8c20d2b95f3..64f1424dc36 100644 --- a/Solutions/Network Session Essentials/ReleaseNotes.md +++ b/Solutions/Network Session Essentials/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------------------| -| 3.0.3 | 12-03-2024 |Added 3 new **Hunting Queries** and 2 new **Analytic Rules** | -| 3.0.2 | 07-02-2024 |Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection)
Updated solution description | -| 3.0.1 | 02-01-2024 |Tagged for dependent solutions for deployment | -| 3.0.0 | 24-07-2023 |Updated ApiVersion for **Watchlist** | +| 3.0.4 | 03-06-2024 | Added missing AMA **Data Connector** reference in **Analytical rule** and **Hunting Query** | +| 3.0.3 | 12-03-2024 | Added 3 new **Hunting Queries** and 2 new **Analytic Rules** | +| 3.0.2 | 07-02-2024 | Updated **Analytic Rule** (DetectPortMisuseByAnomalyBasedDetection)
Updated solution description | +| 3.0.1 | 02-01-2024 | Tagged for dependent solutions for deployment | +| 3.0.0 | 24-07-2023 | Updated ApiVersion for **Watchlist** |