Sentinel Repositories Content Export Pull Request

SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json

@@ -0,0 +1,30 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "ThreatIntelligence",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "alertRuleTemplateName": "0dd422ee-e6af-4204-b219-f59ac172e4c6",
+        "severity": "Medium",
+        "tactics": [
+          "Persistence",
+          "LateralMovement"
+        ],
+        "techniques": [],
+        "displayName": "(Preview) Microsoft Threat Intelligence Analytics",
+        "enabled": true,
+        "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts."
+      }
+    }
+  ]
+}

SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json

@@ -0,0 +1,77 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/516cc0be-cc97-486b-928e-0e222352ba46')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/516cc0be-cc97-486b-928e-0e222352ba46')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "Scheduled",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "queryFrequency": "PT1H",
+        "queryPeriod": "P14D",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "severity": "Medium",
+        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n  // Picking up only IOC's that contain the entities we want\n  | where isnotempty(DomainName)\n  | where Active == true\n  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\nDomainTIs\n  | join (\n      imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\n      | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "incidentConfiguration": {
+          "createIncident": true,
+          "groupingConfiguration": {
+            "enabled": false,
+            "reopenClosedIncident": false,
+            "lookbackDuration": "PT5M",
+            "matchingMethod": "AllEntities",
+            "groupByEntities": [],
+            "groupByAlertDetails": null,
+            "groupByCustomDetails": null
+          }
+        },
+        "entityMappings": [
+          {
+            "entityType": "Host",
+            "fieldMappings": [
+              {
+                "identifier": "FullName",
+                "columnName": "HostCustomEntity"
+              }
+            ]
+          },
+          {
+            "entityType": "IP",
+            "fieldMappings": [
+              {
+                "identifier": "Address",
+                "columnName": "IPCustomEntity"
+              }
+            ]
+          },
+          {
+            "entityType": "URL",
+            "fieldMappings": [
+              {
+                "identifier": "Url",
+                "columnName": "URLCustomEntity"
+              }
+            ]
+          }
+        ],
+        "tactics": [
+          "Impact"
+        ],
+        "techniques": null,
+        "displayName": "(Preview) TI map Domain entity to Dns Events (Normalized DNS)",
+        "enabled": false,
+        "description": "Identifies a match in DNS events from any Domain IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+        "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8"
+      }
+    }
+  ]
+}

SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json

@@ -0,0 +1,77 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "Scheduled",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "queryFrequency": "PT1H",
+        "queryPeriod": "P14D",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "severity": "Medium",
+        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = (ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"\")\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\nimDns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\n    | extend tilist = toscalar(TI_IP_List)\n    | mv-expand tilist\n    | extend SingleIP=tostring(tilist)\n    | project-away tilist\n    | where has_ipv4(DnsResponseName, SingleIP)\n    | extend DNS_TimeGenerated = TimeGenerated\n| join IP_TI\n      on $left.SingleIP == $right.TI_ipEntity\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\n",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "incidentConfiguration": {
+          "createIncident": true,
+          "groupingConfiguration": {
+            "enabled": false,
+            "reopenClosedIncident": false,
+            "lookbackDuration": "PT5M",
+            "matchingMethod": "AllEntities",
+            "groupByEntities": [],
+            "groupByAlertDetails": null,
+            "groupByCustomDetails": null
+          }
+        },
+        "entityMappings": [
+          {
+            "entityType": "Host",
+            "fieldMappings": [
+              {
+                "identifier": "FullName",
+                "columnName": "HostCustomEntity"
+              }
+            ]
+          },
+          {
+            "entityType": "IP",
+            "fieldMappings": [
+              {
+                "identifier": "Address",
+                "columnName": "IPCustomEntity"
+              }
+            ]
+          },
+          {
+            "entityType": "URL",
+            "fieldMappings": [
+              {
+                "identifier": "Url",
+                "columnName": "URLCustomEntity"
+              }
+            ]
+          }
+        ],
+        "tactics": [
+          "Impact"
+        ],
+        "techniques": null,
+        "displayName": "(Preview) TI map IP entity to Dns Events (Normalized DNS)",
+        "enabled": false,
+        "description": "Identifies a match in DNS events from any IP IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+        "alertRuleTemplateName": "67775878-7f8b-4380-ac54-115e1e828901"
+      }
+    }
+  ]
+}

SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "Scheduled",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "queryFrequency": "PT6H",
+        "queryPeriod": "PT7H",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "eventGroupingSettings": {
+          "aggregationKind": "SingleAlert"
+        },
+        "severity": "High",
+        "query": "// Rule Name - (Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations\r\n// Rule Description - Sensitive Data Access Outside Organziational Geolocations\r\n// Prerequisite 1: Onboard Azure Infomation Protection (https://docs.microsoft.com/en-us/azure/information-protection/requirements)\r\n// Prerequisite 2: Install AIP Unified Labeling Scanner (https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner)\r\n// Prerequisite 3: Enable Azure Information Protection Connector (https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-information-protection)\r\n// Prerequisite 4: Enable Azure Active Directory Connector (hhttps://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)\r\nInformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n// | where City <> \"New York\" // Configure Location Details within Organizational Requirements\r\n| extend State = tostring(LocationDetails.state)\r\n// | where State <> \"Texas\" // Configure Location Details within Organizational Requirements\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n// | where Country_Region <> \"US\" // Configure Location Details within Organizational Requirements\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250",
+        "suppressionDuration": "PT5H",
+        "suppressionEnabled": false,
+        "incidentConfiguration": {
+          "createIncident": true,
+          "groupingConfiguration": {
+            "enabled": false,
+            "reopenClosedIncident": false,
+            "lookbackDuration": "PT5H",
+            "matchingMethod": "AllEntities",
+            "groupByEntities": [],
+            "groupByAlertDetails": [],
+            "groupByCustomDetails": []
+          }
+        },
+        "customDetails": {
+          "Activity": "Activity_s",
+          "Where": "City"
+        },
+        "entityMappings": [
+          {
+            "entityType": "Account",
+            "fieldMappings": [
+              {
+                "identifier": "AadUserId",
+                "columnName": "UserPrincipalName"
+              }
+            ]
+          }
+        ],
+        "tactics": [],
+        "techniques": null,
+        "displayName": "(Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations",
+        "enabled": false,
+        "description": "Sensitive Data Access Outside Organziational Geolocations",
+        "alertRuleTemplateName": null
+      }
+    }
+  ]
+}

SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json

@@ -0,0 +1,51 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "Scheduled",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "queryFrequency": "PT10M",
+        "queryPeriod": "PT10M",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "eventGroupingSettings": {
+          "aggregationKind": "AlertPerResult"
+        },
+        "severity": "Medium",
+        "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\nimWebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "incidentConfiguration": {
+          "createIncident": true,
+          "groupingConfiguration": {
+            "enabled": false,
+            "reopenClosedIncident": false,
+            "lookbackDuration": "PT5M",
+            "matchingMethod": "AllEntities",
+            "groupByEntities": [],
+            "groupByAlertDetails": null,
+            "groupByCustomDetails": null
+          }
+        },
+        "tactics": [
+          "InitialAccess"
+        ],
+        "techniques": null,
+        "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
+        "enabled": false,
+        "description": "This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced SIEM information Model (ASIM).\nTo use this analytics rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM)",
+        "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e"
+      }
+    }
+  ]
+}

SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json

@@ -0,0 +1,52 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspace": {
+      "type": "String"
+    }
+  },
+  "resources": [
+    {
+      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+      "kind": "Scheduled",
+      "apiVersion": "2022-09-01-preview",
+      "properties": {
+        "queryFrequency": "PT15M",
+        "queryPeriod": "PT15M",
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "eventGroupingSettings": {
+          "aggregationKind": "AlertPerResult"
+        },
+        "severity": "Medium",
+        "query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n    [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n        with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "incidentConfiguration": {
+          "createIncident": true,
+          "groupingConfiguration": {
+            "enabled": false,
+            "reopenClosedIncident": false,
+            "lookbackDuration": "PT5M",
+            "matchingMethod": "AllEntities",
+            "groupByEntities": [],
+            "groupByAlertDetails": null,
+            "groupByCustomDetails": null
+          }
+        },
+        "tactics": [
+          "CommandAndControl",
+          "DefenseEvasion"
+        ],
+        "techniques": null,
+        "displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)",
+        "enabled": false,
+        "description": "This rule identifies a web request with a user agent header known to belong PowerShell. <br>You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).<br><br>This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+        "alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2"
+      }
+    }
+  ]
+}