diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml index a2a12dcf4ff..624970622b8 100644 --- a/.github/workflows/runAsimSchemaAndDataTesters.yaml +++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml @@ -78,11 +78,27 @@ jobs: name: Run ASim Sample Data Ingestion runs-on: ubuntu-latest steps: - - name: Checkout code + - name: Checkout pull request branch uses: actions/checkout@v4 with: - fetch-depth: 0 - - name: Setup Python + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + persist-credentials: false # otherwise, the token used is the GITHUB_TOKEN, instead of your personal access token. + fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository. + - name: Setup git config + run: | + git config --local user.name "github-actions[bot]" + git config --local user.email "<>" + - name: Merge master into pull request branch + run: | + git merge origin/master + Conflicts=$(git ls-files -u | wc -l) + if [ "$Conflicts" -gt 0 ] ; then + echo "There is a merge conflict. Aborting" + git merge --abort + exit 1 + fi + - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.x' diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Failed_Range_To_Ingest_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Failed_Range_To_Ingest_CL.json new file mode 100644 index 00000000000..ec2438e12aa --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Failed_Range_To_Ingest_CL.json 
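Review bot: `git merge origin/master` in the new "Merge master into pull request branch" step merges the wrong branch for fork PRs: the checkout above sets `repository:` to `head.repo.full_name`, so `origin` is the contributor's fork and `origin/master` is the fork's (possibly stale or missing) master, not this repository's; fetch upstream explicitly and merge that instead. The conflict handling is also unreachable as written, because the default `bash -e` step shell aborts as soon as `git merge` exits non-zero on a conflict, so `git merge --abort` never runs; wrapping the merge in `if ! git merge …; then` fixes both. The workflow trigger is outside the hunk: under `pull_request` checking out and executing the fork's code is acceptable since the token is read-only for forks, but under `pull_request_target` this step sequence would run untrusted code with a write-scoped token and secrets, so please confirm which one applies. The `persist-credentials`/`fetch-depth` comments talk about a personal access token and pushing refs, which this job never does; a truthful comment is `fetch-depth: 0 # full history is needed so the merge below has a common ancestor`.
```yaml
      - name: Merge upstream master into pull request branch
        run: |
          git remote add upstream "https://github.com/$GITHUB_REPOSITORY.git"
          git fetch --no-tags upstream master
          if ! git merge upstream/master; then
            echo "There is a merge conflict. Aborting"
            git merge --abort
            exit 1
          fi
```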
@@ -0,0 +1,53 @@
+{
+ "Name": "Failed_Range_To_Ingest_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "From_Date_s",
+ "Type": "string"
+ },
+ {
+ "Name": "To_Date_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Threat_Type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Host_Name_Info_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Host_Name_Info_CL.json
new file mode 100644
index 00000000000..c9c911f2836
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Host_Name_Info_CL.json
@@ -0,0 +1,253 @@ +{ + "Name": "Host_Name_Info_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "configs_s", + "Type": "string" + }, + { + "Name": "created_at_t", + "Type": "datetime" + }, + { + "Name": "display_name_s", + "Type": "string" + }, + { + "Name": "host_type_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "legacy_id_s", + "Type": "string" + }, + { + "Name": "maintenance_mode_s", + "Type": "string" + }, + { + "Name": "pool_id_s", + "Type": "string" + }, + { + "Name": "timezone_s", + "Type": "string" + }, + { + "Name": "updated_at_t", + "Type": "datetime" + }, + { + "Name": "ip_address_s", + "Type": "string" + }, + { + "Name": "mac_address_s", + "Type": "string" + }, + { + "Name": "ophid_g", + "Type": "string" + }, + { + "Name": "tags_host_bundled_k3s_s", + "Type": "string" + }, + { + "Name": "tags_host_deployment_type_s", + "Type": "string" + }, + { + "Name": "tags_host_geoip2_latitude_s", + "Type": "string" + }, + { + "Name": "tags_host_geoip2_longitude_s", + "Type": "string" + }, + { + "Name": "tags_host_host_ip_s", + "Type": "string" + }, + { + "Name": "tags_host_ipv6_enabled_s", + "Type": "string" + }, + { + "Name": "tags_host_k8s_s", + "Type": "string" + }, + { + "Name": "tags_host_k8s_installed_s", + "Type": "string" + }, + { + "Name": "tags_host_nat_ip_s", + "Type": "string" + }, + { + "Name": "tags_host_ophid_g", + "Type": "string" + }, + { + "Name": "tags_host_os_version_s", + "Type": "string" + }, + { + "Name": "host_subtype_s", + "Type": "string" + }, + { + "Name": "host_version_s", + "Type": "string" + }, + { + "Name": "tags_host_boot_mode_s", + "Type": 
"string" + }, + { + "Name": "tags_host_build_version_s", + "Type": "string" + }, + { + "Name": "tags_host_container_runtime_version_s", + "Type": "string" + }, + { + "Name": "tags_host_host_subtype_s", + "Type": "string" + }, + { + "Name": "tags_host_kernel_version_s", + "Type": "string" + }, + { + "Name": "tags_host_ovs_s", + "Type": "string" + }, + { + "Name": "tags_host_serial_number_s", + "Type": "string" + }, + { + "Name": "tags_host_virtualization_s", + "Type": "string" + }, + { + "Name": "serial_number_g", + "Type": "string" + }, + { + "Name": "tags_host_cpu_s", + "Type": "string" + }, + { + "Name": "tags_host_federation_s", + "Type": "string" + }, + { + "Name": "tags_host_grid_name_s", + "Type": "string" + }, + { + "Name": "tags_host_gridmaster_ip_s", + "Type": "string" + }, + { + "Name": "tags_host_ha_pair_s", + "Type": "string" + }, + { + "Name": "tags_host_ha_status_s", + "Type": "string" + }, + { + "Name": "tags_host_hardware_id_g", + "Type": "string" + }, + { + "Name": "tags_host_heka_optin_s", + "Type": "string" + }, + { + "Name": "tags_host_host_name_s", + "Type": "string" + }, + { + "Name": "tags_host_hw_s", + "Type": "string" + }, + { + "Name": "tags_host_license_uid_g", + "Type": "string" + }, + { + "Name": "tags_host_model_no_s", + "Type": "string" + }, + { + "Name": "tags_host_nios_role_s", + "Type": "string" + }, + { + "Name": "tags_host_nios_version_s", + "Type": "string" + }, + { + "Name": "tags_host_physical_oid_s", + "Type": "string" + }, + { + "Name": "tags_host_serial_number_g", + "Type": "string" + }, + { + "Name": "tags_host_virtual_oid_s", + "Type": "string" + }, + { + "Name": "tags_host_virtualnode_ip_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/IP_Space_Info_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/IP_Space_Info_CL.json new file mode 100644 index 00000000000..736aa7ce99d --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/IP_Space_Info_CL.json 
@@ -0,0 +1,309 @@ +{ + "Name": "IP_Space_Info_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "asm_config_asm_threshold_d", + "Type": "real" + }, + { + "Name": "asm_config_enable_b", + "Type": "bool" + }, + { + "Name": "asm_config_enable_notification_b", + "Type": "bool" + }, + { + "Name": "asm_config_forecast_period_d", + "Type": "real" + }, + { + "Name": "asm_config_growth_factor_d", + "Type": "real" + }, + { + "Name": "asm_config_growth_type_s", + "Type": "string" + }, + { + "Name": "asm_config_history_d", + "Type": "real" + }, + { + "Name": "asm_config_min_total_d", + "Type": "real" + }, + { + "Name": "asm_config_min_unused_d", + "Type": "real" + }, + { + "Name": "asm_config_reenable_date_t", + "Type": "datetime" + }, + { + "Name": "asm_scope_flag_d", + "Type": "real" + }, + { + "Name": "comment_s", + "Type": "string" + }, + { + "Name": "compartment_id_s", + "Type": "string" + }, + { + "Name": "created_at_t", + "Type": "datetime" + }, + { + "Name": "ddns_client_update_s", + "Type": "string" + }, + { + "Name": "ddns_conflict_resolution_mode_s", + "Type": "string" + }, + { + "Name": "ddns_domain_s", + "Type": "string" + }, + { + "Name": "ddns_generate_name_b", + "Type": "bool" + }, + { + "Name": "ddns_generated_prefix_s", + "Type": "string" + }, + { + "Name": "ddns_send_updates_b", + "Type": "bool" + }, + { + "Name": "ddns_ttl_percent_d", + "Type": "real" + }, + { + "Name": "ddns_update_on_renew_b", + "Type": "bool" + }, + { + "Name": "ddns_use_conflict_resolution_b", + "Type": "bool" + }, + { + "Name": "default_realms_s", + "Type": "string" + }, + { + "Name": "dhcp_config_abandoned_reclaim_time_d", + "Type": "real" 
+ }, + { + "Name": "dhcp_config_abandoned_reclaim_time_v6_d", + "Type": "real" + }, + { + "Name": "dhcp_config_allow_unknown_b", + "Type": "bool" + }, + { + "Name": "dhcp_config_allow_unknown_v6_b", + "Type": "bool" + }, + { + "Name": "dhcp_config_echo_client_id_b", + "Type": "bool" + }, + { + "Name": "dhcp_config_filters_s", + "Type": "string" + }, + { + "Name": "dhcp_config_filters_large_selection_s", + "Type": "string" + }, + { + "Name": "dhcp_config_filters_v6_s", + "Type": "string" + }, + { + "Name": "dhcp_config_ignore_client_uid_b", + "Type": "bool" + }, + { + "Name": "dhcp_config_ignore_list_s", + "Type": "string" + }, + { + "Name": "dhcp_config_lease_time_d", + "Type": "real" + }, + { + "Name": "dhcp_config_lease_time_v6_d", + "Type": "real" + }, + { + "Name": "dhcp_options_s", + "Type": "string" + }, + { + "Name": "dhcp_options_v6_s", + "Type": "string" + }, + { + "Name": "header_option_filename_s", + "Type": "string" + }, + { + "Name": "header_option_server_address_s", + "Type": "string" + }, + { + "Name": "header_option_server_name_s", + "Type": "string" + }, + { + "Name": "hostname_rewrite_char_s", + "Type": "string" + }, + { + "Name": "hostname_rewrite_enabled_b", + "Type": "bool" + }, + { + "Name": "hostname_rewrite_regex_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "threshold_enabled_b", + "Type": "bool" + }, + { + "Name": "threshold_high_d", + "Type": "real" + }, + { + "Name": "threshold_low_d", + "Type": "real" + }, + { + "Name": "updated_at_t", + "Type": "datetime" + }, + { + "Name": "utilization_abandon_utilization_d", + "Type": "real" + }, + { + "Name": "utilization_abandoned_s", + "Type": "string" + }, + { + "Name": "utilization_dynamic_s", + "Type": "string" + }, + { + "Name": "utilization_free_s", + "Type": "string" + }, + { + "Name": "utilization_static_s", + "Type": "string" + }, + { + "Name": "utilization_total_s", + "Type": "string" + }, + { + 
"Name": "utilization_used_s", + "Type": "string" + }, + { + "Name": "utilization_utilization_d", + "Type": "real" + }, + { + "Name": "utilization_v6_abandoned_s", + "Type": "string" + }, + { + "Name": "utilization_v6_dynamic_s", + "Type": "string" + }, + { + "Name": "utilization_v6_static_s", + "Type": "string" + }, + { + "Name": "utilization_v6_total_s", + "Type": "string" + }, + { + "Name": "utilization_v6_used_s", + "Type": "string" + }, + { + "Name": "tags_nios_federation_enabled_s", + "Type": "string" + }, + { + "Name": "tags_nios_grid_name_s", + "Type": "string" + }, + { + "Name": "tags_nios_import_timestamp_t", + "Type": "datetime" + }, + { + "Name": "tags_nios_imported_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insight_Details_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insight_Details_CL.json new file mode 100644 index 00000000000..f0792a5b4fd --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insight_Details_CL.json @@ -0,0 +1,53 @@ +{ + "Name": "Infoblox_Config_Insight_Details_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "analyticInsightId_g", + "Type": "string" + }, + { + "Name": "insightType_s", + "Type": "string" + }, + { + "Name": "feeds_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file 
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insights_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insights_CL.json new file mode 100644 index 00000000000..029d60fa93d --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Config_Insights_CL.json @@ -0,0 +1,49 @@ +{ + "Name": "Infoblox_Config_Insights_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "policyAnalyticsId_g", + "Type": "string" + }, + { + "Name": "insightType_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Failed_Indicators_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Failed_Indicators_CL.json new file mode 100644 index 00000000000..1122db66120 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Infoblox_Failed_Indicators_CL.json 
@@ -0,0 +1,97 @@ +{ + "Name": "Infoblox_Failed_Indicators_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "spec_version_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "created_t", + "Type": "datetime" + }, + { + "Name": "modified_t", + "Type": "datetime" + }, + { + "Name": "revoked_b", + "Type": "bool" + }, + { + "Name": "labels_s", + "Type": "string" + }, + { + "Name": "description_s", + "Type": "string" + }, + { + "Name": "indicator_types_s", + "Type": "string" + }, + { + "Name": "pattern_s", + "Type": "string" + }, + { + "Name": "pattern_version_s", + "Type": "string" + }, + { + "Name": "valid_from_t", + "Type": "datetime" + }, + { + "Name": "valid_until_t", + "Type": "datetime" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Service_Name_Info_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Service_Name_Info_CL.json new file mode 100644 index 00000000000..3881d9428f2 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/Service_Name_Info_CL.json 
@@ -0,0 +1,81 @@ +{ + "Name": "Service_Name_Info_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "configs_s", + "Type": "string" + }, + { + "Name": "created_at_t", + "Type": "datetime" + }, + { + "Name": "desired_state_s", + "Type": "string" + }, + { + "Name": "destinations_s", + "Type": "string" + }, + { + "Name": "id_s", + "Type": "string" + }, + { + "Name": "name_s", + "Type": "string" + }, + { + "Name": "pool_id_s", + "Type": "string" + }, + { + "Name": "service_type_s", + "Type": "string" + }, + { + "Name": "source_interfaces_s", + "Type": "string" + }, + { + "Name": "updated_at_t", + "Type": "datetime" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_CL.json new file mode 100644 index 00000000000..c61ae4dd5ae --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_CL.json 
@@ -0,0 +1,97 @@ +{ + "Name": "dossier_atp_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "data_attack_chain_collection_s", + "Type": "string" + }, + { + "Name": "data_attack_chain_credential_access_s", + "Type": "string" + }, + { + "Name": "data_attack_chain_defense_evasion_s", + "Type": "string" + }, + { + "Name": "data_attack_chain_execution_s", + "Type": "string" + }, + { + "Name": "data_attack_chain_initial_access_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_record_count_d", + "Type": "real" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_threat_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_threat_CL.json new file mode 100644 index 00000000000..e0b99ac8cfc --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_atp_threat_CL.json 
@@ -0,0 +1,237 @@ +{ + "Name": "dossier_atp_threat_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "extended_registration_date_s", + "Type": "string" + }, + { + "Name": "ip_s", + "Type": "string" + }, + { + "Name": "target_s", + "Type": "string" + }, + { + "Name": "email_s", + "Type": "string" + }, + { + "Name": "extended_extended_s", + "Type": "string" + }, + { + "Name": "extended_url_hash_g", + "Type": "string" + }, + { + "Name": "url_s", + "Type": "string" + }, + { + "Name": "extended_no_whitelist_s", + "Type": "string" + }, + { + "Name": "extended_protocol_s", + "Type": "string" + }, + { + "Name": "extended_email_id_s", + "Type": "string" + }, + { + "Name": "extended_processor_s", + "Type": "string" + }, + { + "Name": "extended_provider_s", + "Type": "string" + }, + { + "Name": "extended_submitter_s", + "Type": "string" + }, + { + "Name": "full_origin_s", + "Type": "string" + }, + { + "Name": "extended_from_email_s", + "Type": "string" + }, + { + "Name": "extended_subject_line_s", + "Type": "string" + }, + { + "Name": "extended_references_s", + "Type": "string" + }, + { + "Name": "up_s", + "Type": "string" + }, + { + "Name": "extended_attack_chain_s", + "Type": "string" + }, + { + "Name": "extended_reason_s", + "Type": "string" + }, + { + "Name": "batch_id_g", + "Type": "string" + }, + { + "Name": "class_s", + "Type": "string" + }, + { + "Name": "confidence_d", + "Type": "real" + }, + { + "Name": "confidence_score_d", + "Type": "real" + }, + { + "Name": "confidence_score_rating_s", + "Type": "string" + }, + { + "Name": "confidence_score_vector_s", + "Type": "string" + }, + { + "Name": "detected_t", + "Type": 
"datetime" + }, + { + "Name": "dga_s", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "expiration_t", + "Type": "datetime" + }, + { + "Name": "extended_cyberint_guid_g", + "Type": "string" + }, + { + "Name": "extended_notes_s", + "Type": "string" + }, + { + "Name": "full_profile_s", + "Type": "string" + }, + { + "Name": "host_s", + "Type": "string" + }, + { + "Name": "id_g", + "Type": "string" + }, + { + "Name": "imported_t", + "Type": "datetime" + }, + { + "Name": "profile_s", + "Type": "string" + }, + { + "Name": "property_s", + "Type": "string" + }, + { + "Name": "received_t", + "Type": "datetime" + }, + { + "Name": "risk_score_d", + "Type": "real" + }, + { + "Name": "risk_score_rating_s", + "Type": "string" + }, + { + "Name": "risk_score_vector_s", + "Type": "string" + }, + { + "Name": "threat_level_d", + "Type": "real" + }, + { + "Name": "threat_score_d", + "Type": "real" + }, + { + "Name": "threat_score_rating_s", + "Type": "string" + }, + { + "Name": "threat_score_vector_s", + "Type": "string" + }, + { + "Name": "tld_s", + "Type": "string" + }, + { + "Name": "type_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_dns_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_dns_CL.json new file mode 100644 index 00000000000..b0e25f1b6ef --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_dns_CL.json 
@@ -0,0 +1,121 @@ +{ + "Name": "dossier_dns_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_A_s", + "Type": "string" + }, + { + "Name": "data_AAAA_s", + "Type": "string" + }, + { + "Name": "data_CERT_s", + "Type": "string" + }, + { + "Name": "data_CNAME_s", + "Type": "string" + }, + { + "Name": "data_HTTPS_s", + "Type": "string" + }, + { + "Name": "data_MX_s", + "Type": "string" + }, + { + "Name": "data_NS_s", + "Type": "string" + }, + { + "Name": "data_SOA_s", + "Type": "string" + }, + { + "Name": "data_SVCB_s", + "Type": "string" + }, + { + "Name": "data_TSIG_s", + "Type": "string" + }, + { + "Name": "data_TXT_s", + "Type": "string" + }, + { + "Name": "data_rcode_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_geo_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_geo_CL.json new file mode 100644 index 00000000000..f98505dc9f6 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_geo_CL.json 
@@ -0,0 +1,121 @@ +{ + "Name": "dossier_geo_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "data_info_s", + "Type": "string" + }, + { + "Name": "data_reason_s", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_asn_num_s", + "Type": "string" + }, + { + "Name": "data_city_s", + "Type": "string" + }, + { + "Name": "data_country_code_s", + "Type": "string" + }, + { + "Name": "data_country_name_s", + "Type": "string" + }, + { + "Name": "data_isp_s", + "Type": "string" + }, + { + "Name": "data_latitude_d", + "Type": "real" + }, + { + "Name": "data_longitude_d", + "Type": "real" + }, + { + "Name": "data_org_s", + "Type": "string" + }, + { + "Name": "data_postal_code_s", + "Type": "string" + }, + { + "Name": "data_region_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_infoblox_web_cat_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_infoblox_web_cat_CL.json new file mode 100644 index 00000000000..7d5ea2d17c3 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_infoblox_web_cat_CL.json 
@@ -0,0 +1,77 @@ +{ + "Name": "dossier_infoblox_web_cat_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_results_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_inforank_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_inforank_CL.json new file mode 100644 index 00000000000..2c7179d1846 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_inforank_CL.json 
@@ -0,0 +1,89 @@ +{ + "Name": "dossier_inforank_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "data_domain_s", + "Type": "string" + }, + { + "Name": "data_interval_s", + "Type": "string" + }, + { + "Name": "data_rank_d", + "Type": "real" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_message_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_malware_analysis_v3_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_malware_analysis_v3_CL.json new file mode 100644 index 00000000000..507986af847 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_malware_analysis_v3_CL.json 
@@ -0,0 +1,77 @@ +{ + "Name": "dossier_malware_analysis_v3_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "data_info_s", + "Type": "string" + }, + { + "Name": "data_reason_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_CL.json new file mode 100644 index 00000000000..3f75502d5fc --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_CL.json 
@@ -0,0 +1,73 @@ +{ + "Name": "dossier_nameserver_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "status_message_for_dossier_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "params_type_s", + "Type": "string" + }, + { + "Name": "params_target_s", + "Type": "string" + }, + { + "Name": "params_source_s", + "Type": "string" + }, + { + "Name": "status_s", + "Type": "string" + }, + { + "Name": "time_d", + "Type": "real" + }, + { + "Name": "v_s", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_matches_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_matches_CL.json new file mode 100644 index 00000000000..cd2946c4da0 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_nameserver_matches_CL.json 
@@ -0,0 +1,81 @@ +{ + "Name": "dossier_nameserver_matches_CL", + "Properties": [ + { + "Name": "TenantId", + "Type": "string" + }, + { + "Name": "SourceSystem", + "Type": "string" + }, + { + "Name": "MG", + "Type": "string" + }, + { + "Name": "ManagementGroupName", + "Type": "string" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Computer", + "Type": "string" + }, + { + "Name": "RawData", + "Type": "string" + }, + { + "Name": "domain_s", + "Type": "string" + }, + { + "Name": "ns_reputation_confidence_s", + "Type": "string" + }, + { + "Name": "ns_reputation_label_s", + "Type": "string" + }, + { + "Name": "ns_reputation_malicious_counts_s", + "Type": "string" + }, + { + "Name": "ns_reputation_popular_s", + "Type": "string" + }, + { + "Name": "ns_reputation_rare_s", + "Type": "string" + }, + { + "Name": "ns_reputation_raw_score_s", + "Type": "string" + }, + { + "Name": "ns_reputation_score_s", + "Type": "string" + }, + { + "Name": "ns_reputation_total_counts_s", + "Type": "string" + }, + { + "Name": "task_id_g", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "_ResourceId", + "Type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_ptr_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_ptr_CL.json new file mode 100644 index 00000000000..504d414e3d6 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_ptr_CL.json 
@@ -0,0 +1,85 @@
+{
+ "Name": "dossier_ptr_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "data_reason_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_ptr_record_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_CL.json
new file mode 100644
index 00000000000..db4db37136d
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_CL.json
@@ -0,0 +1,73 @@
+{
+ "Name": "dossier_rpz_feeds_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_records_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_records_CL.json
new file mode 100644
index 00000000000..0518b2398aa
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_rpz_feeds_records_CL.json
@@ -0,0 +1,73 @@
+{
+ "Name": "dossier_rpz_feeds_records_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "class_s",
+ "Type": "string"
+ },
+ {
+ "Name": "detected_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "expiration_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "feed_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "indicator_s",
+ "Type": "string"
+ },
+ {
+ "Name": "property_s",
+ "Type": "string"
+ },
+ {
+ "Name": "threat_level_d",
+ "Type": "real"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_threat_actor_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_threat_actor_CL.json
new file mode 100644
index 00000000000..0e1a7ae16e1
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_threat_actor_CL.json
@@ -0,0 +1,129 @@
+{
+ "Name": "dossier_threat_actor_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_actor_description_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_actor_id_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_actor_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_customer_first_dns_query_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_customer_last_dns_query_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_display_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_external_references_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_ikb_first_classified_malicious_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_ikb_submitted_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_infoblox_references_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_page_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_purpose_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_related_count_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_ttp_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_tld_risk_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_tld_risk_CL.json
new file mode 100644
index 00000000000..40170fccef8
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_tld_risk_CL.json
@@ -0,0 +1,77 @@
+{
+ "Name": "dossier_tld_risk_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_matches_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_whitelist_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_whitelist_CL.json
new file mode 100644
index 00000000000..91545354ae4
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_whitelist_CL.json
@@ -0,0 +1,81 @@
+{
+ "Name": "dossier_whitelist_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_value_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_whitelisted_b",
+ "Type": "bool"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/dossier_whois_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/dossier_whois_CL.json
new file mode 100644
index 00000000000..22f474292f7
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/dossier_whois_CL.json
@@ -0,0 +1,197 @@
+{
+ "Name": "dossier_whois_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "data_info_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_reason_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_country_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_handle_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_last_changed_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_ip_response_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_net_range_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_net_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_parent_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_ip_response_registration_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_ip_response_source_registery_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_message_for_dossier_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_created_date_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_parsed_whois_domain_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_expired_date_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_parsed_whois_name_servers_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_other_properties_registry_domain_id_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_registrar_abuse_contact_email_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_registrar_abuse_contact_phone_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_registrar_iana_id_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_registrar_name_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_statuses_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_parsed_whois_updated_date_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_registration_created_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_registration_expires_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_registration_registrar_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_registration_statuses_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_registration_updated_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "data_response_whois_date_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_whois_record_s",
+ "Type": "string"
+ },
+ {
+ "Name": "task_id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "params_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_target_s",
+ "Type": "string"
+ },
+ {
+ "Name": "params_source_s",
+ "Type": "string"
+ },
+ {
+ "Name": "status_s",
+ "Type": "string"
+ },
+ {
+ "Name": "time_d",
+ "Type": "real"
+ },
+ {
+ "Name": "v_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_nameservers_s",
+ "Type": "string"
+ },
+ {
+ "Name": "data_response_registrant_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/tide_lookup_data_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/tide_lookup_data_CL.json
new file mode 100644
index 00000000000..e7f05722091
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/tide_lookup_data_CL.json
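Review bot: The column `data_response_ip_response_source_registery_s` carries a misspelling ("registery"), and because the KQL validator matches column names literally, the fixture is only correct if the ingested field really is spelled that way; this is worth confirming against the connector's parser or sample data before the name is locked into the test fixture. If the source does emit "registry", the fixture would let a misspelled query pass validation while it fails against the live table. The file otherwise types `_t` columns as `datetime` and `time_d` as `real`, which is consistent with the other dossier fixtures in this commit.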
@@ -0,0 +1,157 @@
+{
+ "Name": "tide_lookup_data_CL",
+ "Properties": [
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "MG",
+ "Type": "string"
+ },
+ {
+ "Name": "ManagementGroupName",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Computer",
+ "Type": "string"
+ },
+ {
+ "Name": "RawData",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_registration_date_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_ais_consent_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_protocol_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_sample_sha256_s",
+ "Type": "string"
+ },
+ {
+ "Name": "hash_s",
+ "Type": "string"
+ },
+ {
+ "Name": "hash_type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "dga_s",
+ "Type": "string"
+ },
+ {
+ "Name": "domain_s",
+ "Type": "string"
+ },
+ {
+ "Name": "host_s",
+ "Type": "string"
+ },
+ {
+ "Name": "tld_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_attack_chain_s",
+ "Type": "string"
+ },
+ {
+ "Name": "class_s",
+ "Type": "string"
+ },
+ {
+ "Name": "detected_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "expiration_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "extended_cyberint_guid_g",
+ "Type": "string"
+ },
+ {
+ "Name": "id_g",
+ "Type": "string"
+ },
+ {
+ "Name": "imported_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "ip_s",
+ "Type": "string"
+ },
+ {
+ "Name": "profile_s",
+ "Type": "string"
+ },
+ {
+ "Name": "property_s",
+ "Type": "string"
+ },
+ {
+ "Name": "received_t",
+ "Type": "datetime"
+ },
+ {
+ "Name": "threat_level_d",
+ "Type": "real"
+ },
+ {
+ "Name": "type_s",
+ "Type": "string"
+ },
+ {
+ "Name": "up_s",
+ "Type": "string"
+ },
+ {
+ "Name": "confidence_d",
+ "Type": "real"
+ },
+ {
+ "Name": "extended_notes_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_references_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_no_whitelist_s",
+ "Type": "string"
+ },
+ {
+ "Name": "extended_reason_s",
+ "Type": "string"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "_ResourceId",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index dc1ff05fee7..9bda2566a31 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -3178,7 +3178,438 @@
 "id": "ed8a116c-07b4-441c-b74b-395937c264a1",
 "templateName": "SymantecVIP.yaml",
 "validationFailReason": "Missing column name from custom table 'CollectorHostName' which is already added to the Custom table "
+ },
+ {
+ "id": "518e6938-10ef-4165-af19-82f1287141bc",
+ "templateName": "ATP policy status check.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "b6392f39-a1f4-4ec8-8689-4cb9d28c295a",
+ "templateName": "JNLP attachment.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "16eda414-1550-4cdc-8512-0769901d3f05",
+ "templateName": "Safe attachment detection.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422",
+ "templateName": "Authentication failures.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "5971f2e7-1bb2-4170-aa7a-577ed8a45c72",
+ "templateName": "Spoof attempts with auth failure.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "ba1a91ad-1f99-4386-b191-06a76ef213f8",
+ "templateName": "Audit Email Preview-Download action.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "bc2d8214-afb6-4876-b210-25b69325b9b2",
+ "templateName": "Hunt for TABL changes.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "712ffdd8-ddce-4372-85dd-063029b418cf",
+ "templateName": "Local time to UTC time conversion.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "deb4b2c6-c10e-4044-8cf4-84243e40db73",
+ "templateName": "MDO daily detection summary report.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "81ede5df-2ec3-40a5-9dff-1fe6a841079d",
+ "templateName": "Mail item accessed.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "63c799bc-7567-4e4d-97be-e143fcfaa333",
+ "templateName": "Malicious email senders.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "92b76a34-502e-4a53-93ec-9fc37c3b358c",
+ "templateName": "New TABL Items.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935",
+ "templateName": "Emails containing links to IP addresses.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "e6259b03-622e-4e11-9c54-94987dad7c14",
+ "templateName": "Good emails from senders with bad patterns.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72",
+ "templateName": "Hunt for email conversation take over attempts.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "57f95ba7-938d-4a76-b411-c01034c0d167",
+ "templateName": "Hunt for malicious URLs using external IOC source.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe",
+ "templateName": "Hunt for malicious attachments using external IOC source.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "54569b06-47fc-41ae-9b00-f7d9b61337b6",
+ "templateName": "Inbox rule change which forward-redirect email.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2",
+ "templateName": "MDO_CountOfRecipientsEmailaddressbySubject.YAML",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "b95994d1-1008-4c42-a74f-9f2967e39ed6",
+ "templateName": "MDO_CountOfSendersEmailaddressbySubject.YAML",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "f840db5b-87c9-43c8-a8c3-5b6b83838cd4",
+ "templateName": "MDO_Countofrecipientsemailaddressesbysubject.YAML",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "a96c1571-1f7d-48dc-8287-7df5a5f0d987",
+ "templateName": "MDO_SummaryOfSenders.YAML",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "2c6e7f75-d83c-4344-afdc-83335fe550e6",
+ "templateName": "MDO_URLClickedinEmail.YAML",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6",
+ "templateName": "Detections by detection methods.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "da7b973a-0045-4fd6-9161-269369336d24",
+ "templateName": "Mail reply to new domain.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "6b478186-da3b-4d71-beaa-aa5b42908499",
+ "templateName": "Mailflow by directionality.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "da932998-81dd-4be4-963c-f4890cb4192e",
+ "templateName": "Malicious emails detected per day.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "b2beec6a-2c1c-4319-a191-e70c2ee42857",
+ "templateName": "Sender recipient contact establishment.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "12225f50-9d41-4b78-8269-cc127d98654c",
+ "templateName": "Top 100 malicious email senders.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "cadf6e78-2a9a-4fb5-b788-30a592d699d3",
+ "templateName": "Top 100 senders.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "95b0c7ed-2853-4343-80a9-ab076cf31e51",
+ "templateName": "Zero day threats.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "439f817c-845c-4dda-a8d9-5c1f6831cee9",
+ "templateName": "Email containing malware accessed on a unmanaged device.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "07c85687-6dee-4266-9345-1e34de85d989",
+ "templateName": "Email containing malware sent by an internal sender.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea",
+ "templateName": "Email malware detection report.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "a3619c75-a927-4dbb-91cc-9adc55e95bda",
+ "templateName": "Malware detections by detection methods.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "fd68706e-8e3e-4ccd-9230-1f267bdad4c8",
+ "templateName": "Admin overrides.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "c73ae295-d120-4f79-aaed-de005f766ad2",
+ "templateName": "Top policies performing admin overrides.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "fe2cb53e-4eb3-4676-87c1-f80d2813f542",
+ "templateName": "Top policies performing user overrides.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9",
+ "templateName": "User overrides.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808",
+ "templateName": "Appspot phishing abuse.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "9d59be10-54d9-478b-b669-fb4eb8517cd0",
+ "templateName": "PhishDetectionByDetectionMethod.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "25150085-015a-4673-9b67-bc6ad9475500",
+ "templateName": "Campaign with randomly named attachments.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "9b086a51-e396-4718-90d7-f7b3646e6581",
+ "templateName": "Campaign with suspicious keywords.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "516046e8-a460-4f7b-86eb-421d3a9cdff1",
+ "templateName": "Custom detection-Emails with QR from non-prevalent senders.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "594fe5a1-53b6-466b-86df-028366c3994e",
+ "templateName": "Emails delivered having URLs from QR codes.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "706b711a-7622-40f1-9ebb-331d1a0ff697",
+ "templateName": "Emails with QR codes and suspicious keywords in subject.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "f708c866-073a-4107-a60b-ba6f86e54caa",
+ "templateName": "Emails with QR codes from non-prevalent sender.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "68aa199c-259b-4bb0-8e7a-8ed6f96c5525",
+ "templateName": "Hunting for sender patterns.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "8c852f12-499f-499b-afc1-25c50aa9b462",
+ "templateName": "Hunting for user signals-clusters.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "f6354c94-3a95-4235-8530-414f016a7bf6",
+ "templateName": "Inbound emails with QR code URLs.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "dc7e1eb5-16f5-4ad5-96a1-794970f4b310",
+ "templateName": "Personalized campaigns based on the first few keywords.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "54d3455d-27e0-4ceb-99f9-375abd620151",
+ "templateName": "Personalized campaigns based on the last few keywords.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "8d298b5c-feca-4add-bd42-e43e0a317a88",
+ "templateName": "Risky sign-in attempt from a non-managed device.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "3131d0ba-32c9-483e-a25c-82e26a07e116",
+ "templateName": "Suspicious sign-in attempts from QR code phishing campaigns.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "a12cac64-ea6d-46d4-91a6-262b165fb9ad",
+ "templateName": "Group quarantine release.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "9e8faa62-7222-48a5-a78f-ef2d22f866dc",
+ "templateName": "High Confidence Phish Released.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "6f96f6d7-d972-421e-a59f-6b9a8de81324",
+ "templateName": "Quarantine Release Email Details.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "9f135aef-ad25-4df2-bdab-8399978a36a2",
+ "templateName": "Quarantine release trend.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "99713387-9d61-49eb-8edc-f51153d8bb01",
+ "templateName": "Email remediation action list.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "6a570927-8638-4a6f-ac09-72a7d51ffa3c",
+ "templateName": "Display Name - Spoof and Impersonation.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "cdc4da1c-64a1-4941-be59-1f5cc85481ab",
+ "templateName": "Referral phish emails.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "b3180ac0-6d94-494a-8b8c-fcc84319ea6e",
+ "templateName": "Spoof and impersonation detections by sender IP.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "011c3d48-f6ca-405f-9763-66c7856ad2ba",
+ "templateName": "Spoof and impersonation phish detections.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "e90345b3-439c-44e1-a85d-8ae84ad9c65b",
+ "templateName": "User not covered under display name impersonation.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "71aeb41d-c85c-4569-bb08-6f1cd38bca49",
+ "templateName": "Admin reported submissions.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "1c390fd7-2668-4445-9b7d-055f3851be5f",
+ "templateName": "Status of submissions.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "2d2351ca-e9a6-4286-b445-a9268189c1dc",
+ "templateName": "Top submitters of admin submissions.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "8c9bc29b-f32a-49fe-8fe8-450479f4130f",
+ "templateName": "Top submitters of user submissions.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "0bd33643-c517-48b1-8211-25a7fbd15a50",
+ "templateName": "User reported submissions.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "de480ca4-4095-4fef-b3e7-2a3f17f24e78",
+ "templateName": "Attacked more than x times average.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27",
+ "templateName": "Malicious mails by sender IPs.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "27ee28e7-423b-48c9-a410-cbc6c8e21d25",
+ "templateName": "Top 10 URL domains attacking organization.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58",
+ "templateName": "Top 10 percent of most attacked users.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2",
+ "templateName": "Top external malicious senders.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "a1664330-810a-473b-b354-acbaa751a294",
+ "templateName": "Top targeted users.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "d24e9c4a-b72a-4a85-89cd-83760ae61155",
+ "templateName": "End user malicious clicks.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "3f007cdc-86bf-4657-9015-05101a3e54f5",
+ "templateName": "URL click count by click action.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "efe27064-6d35-4720-b7f5-e0326695613d",
+ "templateName": "URL click on ZAP Email.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "bc46e331-3cb0-483d-9c90-989d2a59457f",
+ "templateName": "URL clicks actions by URL.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "03e61096-20d0-46eb-b8e0-a507dd00a19f",
+ "templateName": "URLClick details based on malicious URL click alert.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "f075d4c4-cf76-4e5d-9c2d-9ed524286316",
+ "templateName": "User clicked through events.yaml",
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
+ },
+ {
+ "id": "891f4865-75e5-4d40-bc24-ebf97da3ca9a",
+ "templateName": "User clicks on malicious inbound emails.yaml",
+ "validationFailReason": "Since the content moved to new location, 
created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "templateName": "User clicks on phishing URLs in emails.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "templateName": "Phishing Email Url Redirector.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "templateName": "SafeLinks URL detections.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "c10b22a0-6021-46f9-bdaf-05bf2350a554", + "templateName": "Total ZAP count.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" } + // Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End ] \ No newline at end of file diff --git a/.script/tests/asimParsersTest/ingestASimSampleData.py b/.script/tests/asimParsersTest/ingestASimSampleData.py index 735e03b058a..fcc9411118e 100644 --- a/.script/tests/asimParsersTest/ingestASimSampleData.py +++ b/.script/tests/asimParsersTest/ingestASimSampleData.py 
@@ -275,6 +275,15 @@ def extract_event_vendor_product(parser_query,parser_file):
 prnumber = sys.argv[1]
 for file in parser_yaml_files:
+ SchemaNameMatch = re.search(r'ASim(\w+)/', file)
+ if SchemaNameMatch:
+ SchemaName = SchemaNameMatch.group(1)
+ else:
+ SchemaName = None
+ # Check if changed file is a union parser. If Yes, skip the file
+ if file.endswith((f'ASim{SchemaName}.yaml', f'im{SchemaName}.yaml')):
+ print(f"Ignoring this {file} because it is a union parser file")
+ continue
 print(f"Starting ingestion for sample data present in {file}")
 asim_parser_url = f'{SENTINEL_REPO_RAW_URL}/{commit_number}/{file}'
 asim_parser = read_github_yaml(asim_parser_url)
diff --git a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
index 1f8bcf1a916..d10dbf2f0bd 100644
--- a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
+++ b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
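Review bot: The union-parser check still runs when the `ASim(\w+)/` regex does not match, so `SchemaName` is `None` and the suffixes become the literal `ASimNone.yaml`/`imNone.yaml`; that cannot match a real file, but it silently hides the fact that the path was not understood. Guard the check on a match and anchor the suffix to the file name so it cannot fire on a longer name: `if SchemaName and file.endswith((f'/ASim{SchemaName}.yaml', f'/im{SchemaName}.yaml')):` (as written, `ASim{SchemaName}.yaml` already ends with `im{SchemaName}.yaml`, so the first pattern is redundant). If a parser path without an `ASim<Schema>/` segment should be skipped rather than ingested, that presumably wants a `continue` of its own; the loop body continues outside the hunk. The new locals `SchemaNameMatch`/`SchemaName` are PascalCase where the surrounding code uses snake_case (`asim_parser_url`, `prnumber`).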
@@ -530,5 +530,93 @@ "df292d06-f348-41ad-b780-0abb5acfe9ab", "b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8", "13424be6-aed7-448b-afe5-c03d8b29b4fe", - "04384937-e927-4595-8f3c-89ff58ed231f" + "04384937-e927-4595-8f3c-89ff58ed231f", + "518e6938-10ef-4165-af19-82f1287141bc", + "b6392f39-a1f4-4ec8-8689-4cb9d28c295a", + "16eda414-1550-4cdc-8512-0769901d3f05", + "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422", + "5971f2e7-1bb2-4170-aa7a-577ed8a45c72", + "ba1a91ad-1f99-4386-b191-06a76ef213f8", + "bc2d8214-afb6-4876-b210-25b69325b9b2", + "712ffdd8-ddce-4372-85dd-063029b418cf", + "deb4b2c6-c10e-4044-8cf4-84243e40db73", + "81ede5df-2ec3-40a5-9dff-1fe6a841079d", + "63c799bc-7567-4e4d-97be-e143fcfaa333", + "92b76a34-502e-4a53-93ec-9fc37c3b358c", + "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935", + "e6259b03-622e-4e11-9c54-94987dad7c14", + "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72", + "57f95ba7-938d-4a76-b411-c01034c0d167", + "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe", + "54569b06-47fc-41ae-9b00-f7d9b61337b6", + "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2", + "b95994d1-1008-4c42-a74f-9f2967e39ed6", + "f840db5b-87c9-43c8-a8c3-5b6b83838cd4", + "a96c1571-1f7d-48dc-8287-7df5a5f0d987", + "2c6e7f75-d83c-4344-afdc-83335fe550e6", + "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6", + "da7b973a-0045-4fd6-9161-269369336d24", + "6b478186-da3b-4d71-beaa-aa5b42908499", + "da932998-81dd-4be4-963c-f4890cb4192e", + "b2beec6a-2c1c-4319-a191-e70c2ee42857", + "12225f50-9d41-4b78-8269-cc127d98654c", + "cadf6e78-2a9a-4fb5-b788-30a592d699d3", + "95b0c7ed-2853-4343-80a9-ab076cf31e51", + "439f817c-845c-4dda-a8d9-5c1f6831cee9", + "07c85687-6dee-4266-9345-1e34de85d989", + "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea", + "a3619c75-a927-4dbb-91cc-9adc55e95bda", + "fd68706e-8e3e-4ccd-9230-1f267bdad4c8", + "c73ae295-d120-4f79-aaed-de005f766ad2", + "fe2cb53e-4eb3-4676-87c1-f80d2813f542", + "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9", + "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "9d59be10-54d9-478b-b669-fb4eb8517cd0", + "25150085-015a-4673-9b67-bc6ad9475500", + 
"9b086a51-e396-4718-90d7-f7b3646e6581", + "516046e8-a460-4f7b-86eb-421d3a9cdff1", + "594fe5a1-53b6-466b-86df-028366c3994e", + "706b711a-7622-40f1-9ebb-331d1a0ff697", + "f708c866-073a-4107-a60b-ba6f86e54caa", + "68aa199c-259b-4bb0-8e7a-8ed6f96c5525", + "8c852f12-499f-499b-afc1-25c50aa9b462", + "f6354c94-3a95-4235-8530-414f016a7bf6", + "dc7e1eb5-16f5-4ad5-96a1-794970f4b310", + "54d3455d-27e0-4ceb-99f9-375abd620151", + "8d298b5c-feca-4add-bd42-e43e0a317a88", + "3131d0ba-32c9-483e-a25c-82e26a07e116", + "a12cac64-ea6d-46d4-91a6-262b165fb9ad", + "9e8faa62-7222-48a5-a78f-ef2d22f866dc", + "6f96f6d7-d972-421e-a59f-6b9a8de81324", + "9f135aef-ad25-4df2-bdab-8399978a36a2", + "99713387-9d61-49eb-8edc-f51153d8bb01", + "6a570927-8638-4a6f-ac09-72a7d51ffa3c", + "cdc4da1c-64a1-4941-be59-1f5cc85481ab", + "b3180ac0-6d94-494a-8b8c-fcc84319ea6e", + "011c3d48-f6ca-405f-9763-66c7856ad2ba", + "e90345b3-439c-44e1-a85d-8ae84ad9c65b", + "71aeb41d-c85c-4569-bb08-6f1cd38bca49", + "1c390fd7-2668-4445-9b7d-055f3851be5f", + "2d2351ca-e9a6-4286-b445-a9268189c1dc", + "8c9bc29b-f32a-49fe-8fe8-450479f4130f", + "0bd33643-c517-48b1-8211-25a7fbd15a50", + "de480ca4-4095-4fef-b3e7-2a3f17f24e78", + "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27", + "27ee28e7-423b-48c9-a410-cbc6c8e21d25", + "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58", + "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2", + "a1664330-810a-473b-b354-acbaa751a294", + "d24e9c4a-b72a-4a85-89cd-83760ae61155", + "3f007cdc-86bf-4657-9015-05101a3e54f5", + "efe27064-6d35-4720-b7f5-e0326695613d", + "bc46e331-3cb0-483d-9c90-989d2a59457f", + "03e61096-20d0-46eb-b8e0-a507dd00a19f", + "f075d4c4-cf76-4e5d-9c2d-9ed524286316", + "891f4865-75e5-4d40-bc24-ebf97da3ca9a", + "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "c10b22a0-6021-46f9-bdaf-05bf2350a554" + + ] \ No newline at end of file 
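Review bot: The blank `+` line inserted before the closing `]` is stray, and the file still ends without a newline even though the sibling SkipIdValidationsTemplates.json change in this commit adds one; drop the blank line and terminate the file with a newline. Growing the structure-validation skip list by 88 template ids removes that CI check for each of them, and because this file is strict JSON it cannot carry a comment saying why; the rationale (presumably the same "content moved to new location" dummy files listed with reasons in the KQL-validation skip file above) should be recorded in the commit description or a README beside the file. It is also worth confirming that every added id belongs to one of those redirect dummies and that none already appears earlier in the list, since a JSON parser will not flag duplicates here.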
diff --git a/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json b/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json
index 33ebc5285ee..41365fa17bc 100644
--- a/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json
+++ b/.script/tests/idChangeValidatorTest/SkipIdValidationsTemplates.json
@@ -557,4 +557,4 @@
 "d561b1a2-6416-4a2e-93c5-4d157ba9013b",
 "f91808d1-b164-4097-ba5b-44940e5dded3",
 "b04f6270-115a-47f1-8e4f-0817fab31bec"
-]
\ No newline at end of file
+]
diff --git a/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md b/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md
new file mode 100644
index 00000000000..da876729aa5
--- /dev/null
+++ b/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md
@@ -0,0 +1,40 @@ +# Function app manual deployment instructions + +- Start VS Code. Choose File in the main menu and select Open Folder. + +- Select the top level folder from extracted files. + +- Choose the Azure icon in the Activity bar, if you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure + +- If you're already signed in, go to the next step. + +- Provide the following information at the prompts: + + a. **Select folder**: Choose a folder from your workspace or browse to one that contains your function app. + + b. **Select Subscription**: Choose the subscription to use under resources. + + ![Select Subscription](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/subscription.png) + + c. Right click on the functions and select **Create new Function App in Azure** (Don't choose the Advanced option) + + ![Create new Function App in Azure](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/CreatenewFunctionApp.png) + + d. **Enter a globally unique name for the function app**: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. UmbrellaXYZ). + + ![Enter a globally unique name](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/globallyuniquename.png) + + e. **Select a runtime**: Choose Python 3.9. + + ![Select a runtime](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectaruntime.png) + + f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located. + + ![Select a location for new resources](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectalocation.png) + +- Deployment will begin. A notification is displayed after your function app is created. 
+
+- Deploy the function in Function app: Once the function app is created click on deploy button under workspace section. Select the Subcription and the function app in which function needs to be deployed.
+![Deploy the function in Function app](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Deploythefunction.png)
+
+- Go to Azure Portal for the Function App configuration.
\ No newline at end of file
diff --git a/DataConnectors/Syslog/Forwarder_AMA_installer.py b/DataConnectors/Syslog/Forwarder_AMA_installer.py
index 31141fa41a7..b45ff646bd2 100644
--- a/DataConnectors/Syslog/Forwarder_AMA_installer.py
+++ b/DataConnectors/Syslog/Forwarder_AMA_installer.py
@@ -23,6 +23,7 @@
 rsyslog_old_config_tcp_content = "# provides TCP syslog reception\n$ModLoad imtcp\n$InputTCPServerRun " + daemon_default_incoming_port + "\n"
 syslog_ng_documantation_path = "https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.26/administration-guide/34#TOPIC-1431029"
 rsyslog_documantation_path = "https://www.rsyslog.com/doc/master/configuration/actions.html"
+temp_file_path = "/tmp/rsyslog_temp_config.txt"
 def print_error(input_str):
@@ -130,7 +131,7 @@ def set_rsyslog_new_configuration():
 Sets the Rsyslog configuration to listen on port 514 for incoming requests- For new config format
 """
 with open(rsyslog_conf_path, "rt") as fin:
- with open("tmp.txt", "wt") as fout:
+ with open(temp_file_path, "wt") as fout:
 for line in fin:
 if "imudp" in line or "imtcp" in line:
 # Load configuration line requires 1 replacement
@@ -143,7 +144,7 @@ def set_rsyslog_new_configuration():
 fout.write(line)
 else:
 fout.write(line)
- command_tokens = ["sudo", "mv", "tmp.txt", rsyslog_conf_path]
+ command_tokens = ["sudo", "cp", temp_file_path, rsyslog_conf_path]
 write_new_content = subprocess.Popen(command_tokens, stdout=subprocess.PIPE)
 time.sleep(3)
 o, e = write_new_content.communicate()
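Review bot: `temp_file_path` is a fixed, predictable name under the shared `/tmp`, opened for writing as the invoking user and then copied into the daemon's config with `sudo`; a file or symlink already present at that path and owned by another local account would be truncated or written through (subject to the kernel's protected_symlinks/protected_regular settings), and the unprivileged write and the privileged copy are two separate steps on a path anyone can see. Create the scratch file with the stdlib `tempfile` module instead (`tempfile.NamedTemporaryFile(mode="wt", delete=False)` yields a private, unpredictable name created with mode 0600) and pass its `.name` to `cp`; the same applies to the `-250`/`-265` hunks in set_syslog_ng_configuration below. Switching `mv` to `cp` correctly keeps the destination file's owner and mode, but it now leaves the scratch file behind, so remove it once the copy has succeeded. The body of set_rsyslog_new_configuration continues outside the hunk.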
@@ -250,7 +251,7 @@ def set_syslog_ng_configuration():
 comment_line = False
 snet_found = False
 with open(syslog_ng_conf_path, "rt") as fin:
- with open("tmp.txt", "wt") as fout:
+ with open(temp_file_path, "wt") as fout:
 for line in fin:
 # fount snet
 if "s_net" in line and not "#":
@@ -265,7 +266,7 @@ def set_syslog_ng_configuration():
 comment_line = False
 # write line correctly
 fout.write(line if not comment_line else ("#" + line))
- command_tokens = ["sudo", "mv", "tmp.txt", syslog_ng_conf_path]
+ command_tokens = ["sudo", "cp", temp_file_path, rsyslog_conf_path]
 write_new_content = subprocess.Popen(command_tokens, stdout=subprocess.PIPE)
 time.sleep(3)
 o, e = write_new_content.communicate()
@@ -324,4 +325,4 @@ def main():
-main()
+main()
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML b/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML
index 2f06ed3e094..a5d1e516cf7 100644
--- a/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML
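Review bot: The `-265` hunk copies the rewritten syslog-ng configuration to `rsyslog_conf_path` instead of `syslog_ng_conf_path` (the removed line still had the right destination), so set_syslog_ng_configuration now overwrites the rsyslog config with syslog-ng content and never updates the syslog-ng config; the line should read `command_tokens = ["sudo", "cp", temp_file_path, syslog_ng_conf_path]`. Because `temp_file_path` is shared with set_rsyslog_new_configuration, the two functions also overwrite each other's scratch file when both run, which a per-call temporary file would avoid. Unrelated to this change but on the new side of the `-250` hunk, `if "s_net" in line and not "#":` can never be true because `not "#"` is always `False`, so whatever that branch guards cannot run; the body of set_syslog_ng_configuration continues outside the hunk.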
@@ -5,17 +5,17 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceInfo + - DeviceInfo query: | -//Find out of date clients -DeviceInfo -| where OSPlatform contains "Windows" -| summarize arg_max(Timestamp, *) by DeviceId -| extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7)) -| where MajorClientVersion < 10.8500 -| where OnboardingStatus == "Onboarded" -| project-reorder ClientVersion -version: 1.0.0 + //Find out of date clients + DeviceInfo + | where OSPlatform contains "Windows" + | summarize arg_max(Timestamp, *) by DeviceId + | extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7)) + | where MajorClientVersion < 10.8500 + | where OnboardingStatus == "Onboarded" + | project-reorder ClientVersion +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML index 2202a7f0fd2..d721bae755d 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML 
@@ -5,15 +5,15 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceEvents + - DeviceEvents query: | -//List all the scan types and device name of those scans -DeviceEvents -| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled") -| extend A=parse_json(AdditionalFields) -| project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User -| sort by Timestamp desc -version: 1.0.0 + //List all the scan types and device name of those scans + DeviceEvents + | where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled") + | extend A=parse_json(AdditionalFields) + | project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User + | sort by Timestamp desc +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML index 32b53758a72..ed76f4160eb 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML @@ -5,15 +5,15 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceEvents + - DeviceEvents query: | -DeviceEvents -| where ActionType startswith "ASR" -| extend Fields=parse_json(AdditionalFields) -| extend IsAudit = tostring(Fields.IsAudit) -| where IsAudit == "false" -| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId -version: 1.0.0 + DeviceEvents + | where ActionType startswith "ASR" + | extend Fields=parse_json(AdditionalFields) + | extend IsAudit = tostring(Fields.IsAudit) + | where IsAudit == "false" + | project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId +version: 1.0.1 metadata: source: kind: Community 
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML index b84c26a963a..29dca86c154 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML @@ -5,13 +5,13 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceFileEvents + - DeviceFileEvents query: | -DeviceFileEvents -| where FileOriginReferrerUrl <> "" -| where FileName contains ".crx" -| project DeviceName, FileName, FolderPath, FileOriginReferrerUrl -version: 1.0.0 + DeviceFileEvents + | where FileOriginReferrerUrl <> "" + | where FileName contains ".crx" + | project DeviceName, FileName, FolderPath, FileOriginReferrerUrl +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML index 314779c8824..b5c5d4e3fd4 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML 
@@ -5,23 +5,23 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceTvmSecureConfigurationAssessment + - DeviceTvmSecureConfigurationAssessment query: | -let avmodetable = DeviceTvmSecureConfigurationAssessment -| where ConfigurationId == "scid-2010" and isnotnull(Context) -| extend avdata=parsejson(Context) -| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown')))) -| project DeviceId, AVMode; -DeviceTvmSecureConfigurationAssessment -| where ConfigurationId == "scid-2011" and isnotnull(Context) -| extend avdata=parsejson(Context) -| extend AVSigVersion = tostring(avdata[0][0]) -| extend AVEngineVersion = tostring(avdata[0][1]) -| extend AVSigLastUpdateTime = tostring(avdata[0][2]) -| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable -| join avmodetable on DeviceId -| project-away DeviceId1 -version: 1.0.0 + let avmodetable = DeviceTvmSecureConfigurationAssessment + | where ConfigurationId == "scid-2010" and isnotnull(Context) + | extend avdata=parsejson(Context) + | extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown')))) + | project DeviceId, AVMode; + DeviceTvmSecureConfigurationAssessment + | where ConfigurationId == "scid-2011" and isnotnull(Context) + | extend avdata=parsejson(Context) + | extend AVSigVersion = tostring(avdata[0][0]) + | extend AVEngineVersion = tostring(avdata[0][1]) + | extend AVSigLastUpdateTime = tostring(avdata[0][2]) + | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable + | join avmodetable on DeviceId + | project-away 
DeviceId1 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML index a563eb98954..06ef8b39721 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML 
@@ -5,34 +5,34 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceEvents + - DeviceEvents query: | -let LastLogins=DeviceLogonEvents + let LastLogins=DeviceLogonEvents | where LogonType == "Interactive" | where InitiatingProcessParentFileName == "wininit.exe" | summarize LastLogon=arg_max(Timestamp, *) by AccountName, DeviceName | project AccountName, DeviceName, LastLogon; -let Logins=DeviceLogonEvents + let Logins=DeviceLogonEvents | where LogonType == "Interactive" | where InitiatingProcessParentFileName == "wininit.exe" | summarize Logins=count() by AccountName, DeviceName | project AccountName, Logins, DeviceName; -let NetworkInfo=DeviceNetworkInfo + let NetworkInfo=DeviceNetworkInfo | where IPv4Dhcp <> "" | mvexpand parse_json(IPAddresses) | where IPAddresses.IPAddress !contains ":" | summarize arg_max(Timestamp, *) by DeviceName | project DeviceName, IPAddress=IPAddresses.IPAddress, Timestamp; -Logins -| join kind=inner ( LastLogins + Logins + | join kind=inner ( LastLogins | project AccountName, DeviceName, LastLogon -) on DeviceName, AccountName -| join kind=leftouter ( NetworkInfo + ) on DeviceName, AccountName + | join kind=leftouter ( NetworkInfo | project DeviceName, IPAddress, Timestamp -) on DeviceName -| project AccountName, DeviceName, LastLogon, Logins, IPAddress -| sort by DeviceName -version: 1.0.0 + ) on DeviceName + | project AccountName, DeviceName, LastLogon, Logins, IPAddress + | sort by DeviceName +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML index 148a6b96503..3dfbb891f29 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML 
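Review bot: `dataTypes` on the new side still lists only `- DeviceEvents`, yet the query reads `DeviceLogonEvents` and `DeviceNetworkInfo`, so the connector metadata does not name the tables the query actually depends on; if `dataTypes` is meant to enumerate the tables used, as the sibling templates in this commit do, replace it with `- DeviceLogonEvents` and `- DeviceNetworkInfo`. The same mismatch is in MDE_FindMountedISOandDriveLetters.YAML below, whose query joins `DeviceRegistryEvents` while `dataTypes` has only `- DeviceFileEvents`.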
@@ -5,52 +5,52 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - AlertEvidence + - AlertEvidence query: | -//Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM. -let _F = AlertEvidence + //Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM. + let _F = AlertEvidence | where DeviceName == "Yourendpointhere" | distinct AlertId; -let _Process = AlertEvidence + let _Process = AlertEvidence | where EntityType == "Process" | join kind=inner _F on $left.AlertId == $right.AlertId | order by Timestamp, AlertId | project AlertId, FileName, FolderPath, SHA1, SHA256, FileSize, ProcessCommandLine, AdditionalFields; -let _IP = AlertEvidence + let _IP = AlertEvidence | where EntityType == "Ip" | join kind=inner _F on $left.AlertId == $right.AlertId | order by Timestamp, AlertId | project AlertId, RemoteIP, AdditionalFields; -let _URL = AlertEvidence + let _URL = AlertEvidence | where EntityType == "Url" | join kind=inner _F on $left.AlertId == $right.AlertId | order by Timestamp, AlertId | project AlertId, RemoteUrl, AdditionalFields; -let _User = AlertEvidence + let _User = AlertEvidence | where EntityType == "User" | join kind=inner _F on $left.AlertId == $right.AlertId | order by Timestamp, AlertId | project AlertId, AccountName, AccountDomain, AccountSid, AccountUpn, AdditionalFields; -let _Machine = AlertEvidence + let _Machine = AlertEvidence | where EntityType == "Machine" | join kind=inner _F on $left.AlertId == $right.AlertId | order by Timestamp, AlertId | project AlertId, DeviceName, LocalIP, AdditionalFields; -_Machine -| join _F on $left.AlertId == $right.AlertId -| join _IP on $left.AlertId == $right.AlertId -| join _Process on $left.AlertId == $right.AlertId -| join _URL on $left.AlertId == $right.AlertId -| join _User on $left.AlertId == $right.AlertId -| distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, + 
_Machine + | join _F on $left.AlertId == $right.AlertId + | join _IP on $left.AlertId == $right.AlertId + | join _Process on $left.AlertId == $right.AlertId + | join _URL on $left.AlertId == $right.AlertId + | join _User on $left.AlertId == $right.AlertId + | distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, DeviceName, LocalIP, FileSize, FolderPath, SHA1, SHA256, ProcessCommandLine, RemoteIP, RemoteUrl -version: 1.0.0 +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML index 382b64f798f..4f69ef61402 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML 
@@ -5,18 +5,18 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceBaselineComplianceAssessment + - DeviceBaselineComplianceAssessment query: | -//Find Windows Defender Settings -DeviceBaselineComplianceAssessment -| where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\" -| project DeviceName, Source, CurrentValue + //Find Windows Defender Settings + DeviceBaselineComplianceAssessment + | where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\" + | project DeviceName, Source, CurrentValue -//Find Windows Defender Security Center Settings -DeviceBaselineComplianceAssessment -| where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\" -| project DeviceName, Source, CurrentValue -version: 1.0.0 + //Find Windows Defender Security Center Settings + DeviceBaselineComplianceAssessment + | where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\" + | project DeviceName, Source, CurrentValue +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML index 2d4cd060d93..b5c08a42ff5 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML 
@@ -5,14 +5,14 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceFileEvents + - DeviceFileEvents query: | -//Find LNK files on certain devices -DeviceFileEvents -| where DeviceName == "EndpointNameHere" -| where FileName contains ".LNK" -| project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath -version: 1.0.0 + //Find LNK files on certain devices + DeviceFileEvents + | where DeviceName == "EndpointNameHere" + | where FileName contains ".LNK" + | project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML index 10b98bbc323..1fddd44a3fd 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML 
@@ -5,29 +5,29 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceFileEvents + - DeviceFileEvents query: | -//Find Mounted ISO files and drive letters -DeviceFileEvents -| where Timestamp > ago(1d) -| where FileName endswith "iso" -| project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath -| join kind = inner ( + //Find Mounted ISO files and drive letters + DeviceFileEvents + | where Timestamp > ago(1d) + | where FileName endswith "iso" + | project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath + | join kind = inner ( DeviceFileEvents | where Timestamp > ago(1d) | where FileName endswith "lnk" | extend ['LNK FileName'] = FileName | project ['LNK FileName'], DeviceName ) on DeviceName -| join kind = inner ( + | join kind = inner ( DeviceRegistryEvents | where Timestamp > ago(1d) | where RegistryKey contains "MountedDevices" | project ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), DeviceName, RegistryValueName ) on DeviceName -| where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName) -| distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName -version: 1.0.0 + | where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName) + | distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindsPowerShellExecutionEvents.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindsPowerShellExecutionEvents.YAML index f58176d1b54..b94eee8f738 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindsPowerShellExecutionEvents.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindsPowerShellExecutionEvents.YAML 
@@ -5,18 +5,18 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceProcessEvents + - DeviceProcessEvents query: | -// Finds PowerShell execution events that could involve a download. -DeviceProcessEvents -| where Timestamp > ago(7d) -| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") -| where ProcessCommandLine has "Net.WebClient" + // Finds PowerShell execution events that could involve a download. + DeviceProcessEvents + | where Timestamp > ago(7d) + | where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE") + | where ProcessCommandLine has "Net.WebClient" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "Invoke-Shellcode" or ProcessCommandLine has "http:" -| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId + | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,DeviceId, ReportId metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindstatuschangefromExposurelevel.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindstatuschangefromExposurelevel.YAML index c43fcb2c303..c38bbfceb0b 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindstatuschangefromExposurelevel.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindstatuschangefromExposurelevel.YAML 
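Review bot: The reindented `| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")` is case-sensitive, which is why the uppercase duplicates are listed, yet it still misses mixed-case names and PowerShell 7's `pwsh.exe`. `| where FileName in~ ("powershell.exe", "powershell_ise.exe", "pwsh.exe")` covers all of these in one line. The `has "http:"` term on the context lines that follow depends on how the engine tokenises a value containing punctuation; it is worth confirming that it matches command lines containing `http://` as intended.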
@@ -5,19 +5,19 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceInfo + - DeviceInfo query: | -//Find status change from Exposurelevel -DeviceInfo -| serialize -| where ExposureLevel == "High" -| where Timestamp > ago(12h) -| extend Date = format_datetime(Timestamp, "MM/dd/yyyy") -| extend PrevExposureLevel = prev(ExposureLevel) -| where PrevExposureLevel <> ExposureLevel -| where ExposureLevel <> "Medium" or ExposureLevel <> "Low" -| where PrevExposureLevel <> "High" -| distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp + //Find status change from Exposurelevel + DeviceInfo + | serialize + | where ExposureLevel == "High" + | where Timestamp > ago(12h) + | extend Date = format_datetime(Timestamp, "MM/dd/yyyy") + | extend PrevExposureLevel = prev(ExposureLevel) + | where PrevExposureLevel <> ExposureLevel + | where ExposureLevel <> "Medium" or ExposureLevel <> "Low" + | where PrevExposureLevel <> "High" + | distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAlPnPDevicesAllowedorBlocked.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAlPnPDevicesAllowedorBlocked.YAML index a2e9af6f00a..04f70143f43 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAlPnPDevicesAllowedorBlocked.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAlPnPDevicesAllowedorBlocked.YAML 
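Review bot: On the new side `| where ExposureLevel == "High"` runs before `| extend PrevExposureLevel = prev(ExposureLevel)`, so the serialized window only ever contains High rows and `PrevExposureLevel <> ExposureLevel` can never hold; `prev()` also crosses device boundaries because nothing sorts by device, and `| where ExposureLevel <> "Medium" or ExposureLevel <> "Low"` is a tautology. The query therefore cannot report a transition into High, which is what its comment promises. Sort by device and time, take `prev()` of the device id as well, and apply the High filter after the comparison; `sort by` serializes the input, so the explicit `| serialize` is no longer needed. This is a pre-existing defect the commit only reindents.
```yaml
query: |
 //Find status change from Exposurelevel
 DeviceInfo
 | where Timestamp > ago(12h)
 | extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
 | sort by DeviceId asc, Timestamp asc
 | extend PrevExposureLevel = prev(ExposureLevel), PrevDeviceId = prev(DeviceId)
 | where PrevDeviceId == DeviceId and PrevExposureLevel <> ExposureLevel
 | where ExposureLevel == "High"
 | distinct DeviceName, ExposureLevel,PrevExposureLevel, DeviceId, Date, ReportId, Timestamp
# … unchanged: metadata …
```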
@@ -5,17 +5,17 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceEvents + - DeviceEvents query: | -//List all PnP Devices that have been allowed or blocked -DeviceEvents -| where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed" -| extend parsed=parse_json(AdditionalFields) -| extend MediaClassGuid = tostring(parsed.ClassGuid) -| extend MediaInstanceId = tostring(parsed.DeviceInstanceId) -| extend MediaDeviceId = tostring(parsed.MatchingDeviceId) -| project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields -| order by Timestamp desc + //List all PnP Devices that have been allowed or blocked + DeviceEvents + | where ActionType == "PnpDeviceBlocked" or ActionType == "PnpDeviceAllowed" + | extend parsed=parse_json(AdditionalFields) + | extend MediaClassGuid = tostring(parsed.ClassGuid) + | extend MediaInstanceId = tostring(parsed.DeviceInstanceId) + | extend MediaDeviceId = tostring(parsed.MatchingDeviceId) + | project Timestamp , DeviceId, DeviceName, ActionType, MediaClassGuid, MediaDeviceId, MediaInstanceId, AdditionalFields + | order by Timestamp desc metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAllNotOnboardedEnpoints.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAllNotOnboardedEnpoints.YAML index 7f60677339d..9007da9ca01 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAllNotOnboardedEnpoints.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ListAllNotOnboardedEnpoints.YAML 
@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceInfo
+ - DeviceInfo
 query: |
-//List all devices that are not onboarded
-DeviceInfo
-| extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
-| where OnboardingStatus <> "Onboarded"
-| where Timestamp > ago(1d)
-| distinct DeviceName, Date, OnboardingStatus, Timestamp
+ //List all devices that are not onboarded
+ DeviceInfo
+ | extend Date = format_datetime(Timestamp, "MM/dd/yyyy")
+ | where OnboardingStatus <> "Onboarded"
+ | where Timestamp > ago(1d)
+ | distinct DeviceName, Date, OnboardingStatus, Timestamp
 metadata:
 source:
 kind: Community
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport-DNS.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport-DNS.YAML
index 9b0736e7963..b81914005fa 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport-DNS.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport-DNS.YAML
@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceNetworkEvents
+ - DeviceNetworkEvents
 query: |
-//Network traffic going to DNS(Port 53)
-DeviceNetworkEvents
-| where RemotePort == "53"
-| where RemoteUrl <> ""
-| project Timestamp, DeviceName, RemotePort, RemoteUrl
-version: 1.0.0
+ //Network traffic going to DNS(Port 53)
+ DeviceNetworkEvents
+ | where RemotePort == "53"
+ | where RemoteUrl <> ""
+ | project Timestamp, DeviceName, RemotePort, RemoteUrl
+version: 1.0.1
 metadata:
 source:
 kind: Community
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport.YAML
index d91cd15eb23..11290935f10 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport.YAML
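Review bot: `| where RemotePort == "53"` on the new side of the DNS hunk compares the integer RemotePort column of DeviceNetworkEvents with a string literal; Kusto is strict about operand types for `==`, so this is likely to fail to resolve rather than coerce, and `| where RemotePort == 53` is what is meant. The same applies to `RemotePort == "80" or RemotePort == "443"` in the MDE_Networktrafficgoingtoport hunk that follows. `| where RemoteUrl <> ""` also keeps only rows with a populated RemoteUrl, so port-53 connections without one are undercounted; if that is intended, the comment above it should say so.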
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Networktrafficgoingtoport.YAML
@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceNetworkEvents
+ - DeviceNetworkEvents
 query: |
-//Network traffic going to port 80 and 443
-DeviceNetworkEvents
-| where RemotePort == "80" or RemotePort == "443"
-| project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
-version: 1.0.0
+ //Network traffic going to port 80 and 443
+ DeviceNetworkEvents
+ | where RemotePort == "80" or RemotePort == "443"
+ | project Timestamp, DeviceName, RemotePort, RemoteIP, RemoteUrl
+version: 1.0.1
 metadata:
 source:
 kind: Community
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ProxyChangesViaRegistry.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ProxyChangesViaRegistry.YAML
index 1503dabe9de..d80e2f330ab 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ProxyChangesViaRegistry.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ProxyChangesViaRegistry.YAML
@@ -5,12 +5,12 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceRegistryEvents
+ - DeviceRegistryEvents
 query: |
-//Detect Proxy configurations changes on endpoints
-DeviceRegistryEvents
-| where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
-| project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
+ //Detect Proxy configurations changes on endpoints
+ DeviceRegistryEvents
+ | where RegistryValueName contains "AutoConfigURL" or RegistryValueName contains "Proxy"
+ | project DeviceName, RegistryKey, RegistryValueName,RegistryValueData
 metadata:
 source:
 kind: Community
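Review bot: The reindented `| project DeviceName, RegistryKey, RegistryValueName,RegistryValueData` in the MDE_ProxyChangesViaRegistry hunk drops Timestamp, so the proxy-change rows cannot be ordered or placed on a timeline, and unlike its siblings in this commit the query has no time bound at all. `| where Timestamp > ago(7d)` before the filter and `| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData` would tell an analyst when the value changed and whether it was set or deleted. `RegistryValueName contains "Proxy"` also matches far more than the WinINET/WinHTTP settings the comment describes; narrowing on RegistryKey is worth considering.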
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedDevicesAndDriveLetter.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedDevicesAndDriveLetter.YAML
index 09cf121157c..26f8b932b1f 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedDevicesAndDriveLetter.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedDevicesAndDriveLetter.YAML
@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceEvents
+ - DeviceEvents
 query: |
-//Show usb mounted devices and drive letters
-DeviceEvents
-| where ActionType contains "USB"
-| extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
-| distinct DeviceName, ActionType, DriveLetter, Timestamp
+ //Show usb mounted devices and drive letters
+ DeviceEvents
+ | where ActionType contains "USB"
+ | extend DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter)
+ | distinct DeviceName, ActionType, DriveLetter, Timestamp
 metadata:
 source:
 kind: Community
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedandfilescopied.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedandfilescopied.YAML
index 5ddd50c0be9..a9f409c1971 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedandfilescopied.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_ShowUSBMountedandfilescopied.YAML
@@ -5,20 +5,20 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceEvents + - DeviceEvents query: | -//Show usb mounted and files copied -DeviceEvents -| where ActionType contains "USB" -| where Timestamp > ago(1d) -| project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter) -| join (DeviceFileEvents + //Show usb mounted and files copied + DeviceEvents + | where ActionType contains "USB" + | where Timestamp > ago(1d) + | project USBMountTime = Timestamp, DeviceName, DriveLetter = tostring(todynamic(AdditionalFields).DriveLetter) + | join (DeviceFileEvents | where Timestamp > ago(1d) | where ActionType == "FileCreated" | parse FolderPath with DriveLetter '\\' * | extend DriveLetter = tostring(DriveLetter))on DeviceName, DriveLetter -| project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize -version: 1.0.0 + | project USBMountTime, DeviceName, DriveLetter, ActionType, FileName, FolderPath, FileSize +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SmartScreenCheck.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SmartScreenCheck.YAML index e43c4510c3c..4868f04af70 100644 --- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SmartScreenCheck.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SmartScreenCheck.YAML 
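Review bot: The join on the new side pairs every FileCreated event on a drive letter with every USB mount on the same device in the last day regardless of order, so files written before the mount, or to a different drive that used the same letter earlier that day, are reported as copied to the USB device. Add `| where Timestamp >= USBMountTime` after the join (the right side's Timestamp survives because the left side renamed its own to USBMountTime), and if one letter can be reused within the window, bound the gap as well, e.g. `| where Timestamp between (USBMountTime .. USBMountTime + 1d)`. The drive-letter parse only succeeds when FolderPath begins with a letter and a backslash, which is fine for this purpose but means the `extend DriveLetter = tostring(DriveLetter)` inside the join does no additional validation.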
@@ -5,23 +5,23 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - DeviceNetworkEvents + - DeviceNetworkEvents query: | -DeviceNetworkEvents -| where RemoteUrl <> "" -| extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt') -| join kind=leftouter (DeviceEvents + DeviceNetworkEvents + | where RemoteUrl <> "" + | extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt') + | join kind=leftouter (DeviceEvents | where ActionType == 'SmartScreenUrlWarning' or ActionType == 'ExploitGuardNetworkProtectionBlocked' | extend A=parse_json(AdditionalFields) | extend TimeStampformated=format_datetime(Timestamp,'MM/dd/yyyy HH:mm tt') ) on DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessAccountName, TimeStampformated -| where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe" -//| where RemoteUrl contains "facebook" -//| where InitiatingProcessAccountName contains "Matt" -//| where ActionType1 <> "" -| distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName -| order by TimeStampformated desc -version: 1.0.0 + | where InitiatingProcessFileName == "msedge.exe" or InitiatingProcessFileName == "chrome.exe" + //| where RemoteUrl contains "facebook" + //| where InitiatingProcessAccountName contains "Matt" + //| where ActionType1 <> "" + | distinct TimeStampformated,DeviceName, Action=ActionType1, URL_IPAddress=RemoteIP, URL=RemoteUrl, Username=InitiatingProcessAccountName, Browser=InitiatingProcessFileName + | order by TimeStampformated desc +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SoftwareInventorybyOS.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SoftwareInventorybyOS.YAML index 9e33790aa9b..de0db317c6d 100644 
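Review bot: `| order by TimeStampformated desc` on the new side sorts a `MM/dd/yyyy HH:mm tt` string, so results come back in lexical order (month first, then day, then year) rather than chronologically, and the leftouter join on the same formatted value only pairs SmartScreen events that fall in the same calendar minute. Keep a real datetime through the pipeline for ordering, e.g. add `Timestamp` to the `distinct` list and finish with `| order by Timestamp desc`, or join on DeviceName and RemoteUrl with a time window instead of the formatted string. The format mixes the 24-hour `HH` token with the `tt` AM/PM designator, which looks unintended.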
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SoftwareInventorybyOS.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_SoftwareInventorybyOS.YAML
@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
 dataTypes:
- - DeviceTvmSoftwareInventory
+ - DeviceTvmSoftwareInventory
 query: |
-//Software Inventory by OS
-DeviceTvmSoftwareInventory
-| where OSPlatform contains "iOS"
-| project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
-version: 1.0.0
+ //Software Inventory by OS
+ DeviceTvmSoftwareInventory
+ | where OSPlatform contains "iOS"
+ | project DeviceName,SoftwareName, SoftwareVendor, SoftwareVersion
+version: 1.0.1
 metadata:
 source:
 kind: Community
diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Objects_Moving_OUs.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Objects_Moving_OUs.YAML
index 83aed00ef88..f5907bd4bc4 100644
--- a/Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Objects_Moving_OUs.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Discovery/MDI_Objects_Moving_OUs.YAML
@@ -5,31 +5,31 @@ description: | requiredDataConnectors: - connectorId: MicrosoftThreatProtection dataTypes: - - IdentityDirectoryEvents + - IdentityDirectoryEvents tactics: - Credential Access query: | -//Moving User Objects to different OUs -IdentityDirectoryEvents -| where ActionType == 'Account Path changed' -| extend parsed=parse_json(AdditionalFields) -| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"]) -| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"]) -| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"]) -| extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"]) -| where TargetDeviceName == "" -| project Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields + //Moving User Objects to different OUs + IdentityDirectoryEvents + | where ActionType == 'Account Path changed' + | extend parsed=parse_json(AdditionalFields) + | extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"]) + | extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"]) + | extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"]) + | extend Affected_User = iff( isnull(AdditionalFields.["TARGET_OBJECT.USER"]), AdditionalFields.["TARGET_OBJECT.USER"], AdditionalFields.["TARGET_OBJECT.USER"]) + | where TargetDeviceName == "" + | project 
Timestamp, ActionType, INITIATED_BY, Affected_User, FROM_Account_Path, TO_Account_Path, AdditionalFields -//Moving Computer Objects to different OUs -IdentityDirectoryEvents -| where ActionType == 'Account Path changed' -| extend parsed=parse_json(AdditionalFields) -| extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"]) -| extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"]) -| extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"]) -| where TargetDeviceName <> "" -| project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields -version: 1.0.0 + //Moving Computer Objects to different OUs + IdentityDirectoryEvents + | where ActionType == 'Account Path changed' + | extend parsed=parse_json(AdditionalFields) + | extend FROM_Account_Path = iff( isnull(AdditionalFields.["FROM Account Path"]), AdditionalFields.["FROM Account Path"], AdditionalFields.["FROM Account Path"]) + | extend TO_Account_Path = iff( isnull(AdditionalFields.["TO Account Path"]), AdditionalFields.["TO Account Path"], AdditionalFields.["TO Account Path"]) + | extend INITIATED_BY = iff( isnull(AdditionalFields.["ACTOR.ENTITY_USER"]), AdditionalFields.["ACTOR.ENTITY_USER"], AdditionalFields.["ACTOR.ENTITY_USER"]) + | where TargetDeviceName <> "" + | project Timestamp, ActionType, INITIATED_BY, TargetDeviceName, FROM_Account_Path, TO_Account_Path, AdditionalFields +version: 1.0.1 metadata: source: kind: Community diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml index 073d68c7fb1..613e0c8edfa 100644 
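Review bot: The new side of this hunk (it spans the previous line and this one) holds two tabular expressions, the user-object query ending at `| project Timestamp, ActionType, INITIATED_BY, Affected_User, ...` and the computer-object query that begins after the `//Moving Computer Objects to different OUs` comment, with no `;` between them and no `union`, so the query either fails to parse or returns only the last expression and the user-object results are never shown. Combine them with `union` or split them into two hunting queries so both sets are returned. Each `iff(isnull(x), x, x)` extend yields the same value on both branches and can be reduced to e.g. `| extend FROM_Account_Path = AdditionalFields.["FROM Account Path"]`, and the `parsed` column is computed but never used.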
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml @@ -1,27 +1,4 @@ id: 518e6938-10ef-4165-af19-82f1287141bc name: ATP policy status check description: | - This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365. -description-detailed: | - This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365. - Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - DefenseEvasion -relevantTechniques: - - T1562 -query: | - CloudAppEvents - | where Application == "Microsoft Exchange Online" - | where ActionType == "Set-AtpPolicyForO365" - | mv-expand ActivityObjects - | extend Name = tostring(ActivityObjects.Name) - | extend Value = tostring(ActivityObjects.Value) - | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen") - | extend packed = pack(Name, Value) - | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName - | evaluate bag_unpack(PackedInfo) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/ATP%20policy%20status%20check.yaml' \ No newline at end of file 
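Review bot: The replacement leaves this file as `id`, `name` and `description` only, with the pointer text inside a `|` block scalar, so the single quotes become literal characters of the description and no `query`, `requiredDataConnectors` or `version` key remains for anything that still loads this directory as hunting-query YAML. The same applies to the JNLP attachment, Safe attachment detection, Authentication failures, Spoof attempts, Audit Email Preview-Download, Hunt for TABL changes and Local time to UTC hunks that follow. If the GUID `id` was carried over to the new location, two files in the repository now share it; a `git mv` would have preserved history and avoided that, and failing that the stub should drop the `id` and be excluded from validation. The sentence itself also needs a capital and a verb: `'As part of content migration, this file has moved. You can find it here: ...'`.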
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
index 360cac771fb..65c6143125a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
@@ -1,18 +1,4 @@
 id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
 name: JNLP-File-Attachment
 description: |
- JNLP file extensions are an uncommon file type often used to deliver malware.
-description-detailed: |
- JNLP file extensions are an uncommon file type often used to deliver malware.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailAttachmentInfo
-tactics:
-- InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailAttachmentInfo
- | where FileName endswith ".jnlp"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/JNLP%20attachment.yaml'
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
index d88452723a4..bcc5b0acbb9 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
@@ -1,23 +1,4 @@ id: 16eda414-1550-4cdc-8512-0769901d3f05 name: Safe Attachments detections description: | - This query provides insights on the detections done by Safe Attachment detections -description-detailed: | - This query provides insights on the detections done by Safe Attachment detections. - Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where DetectionMethods != "" - | extend detection= tostring(parse_json(DetectionMethods).Phish) - | where detection has "File detonation reputation" or detection has "File detonation" - | summarize total=count() by bin(Timestamp, 1d) - | order by Timestamp asc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/Safe%20attachment%20detection.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml index 98fffd44e55..4d37a4da4b7 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml 
@@ -1,23 +1,4 @@ id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422 name: Authentication failures by time and authentication type description: | - This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth -description-detailed: | - This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results. - Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago (30d) - | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods - | evaluate bag_unpack(AR) - | where DMARC == "fail" - | summarize count() by bin(Timestamp, 1d) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Authentication%20failures.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml index 050f4149469..dfc92f2cdf1 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml 
@@ -1,22 +1,4 @@ id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72 name: Spoof attempts with auth failure description: | - This query helps in checking for spoofing attempts on the domain with Authentication failures -description-detailed: | - This query helps in checking for spoofing attempts on the domain with Authentication failures. - Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago (1d) and DetectionMethods contains "spoof" - | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames - | evaluate bag_unpack(AR) - | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml index 830d0baf68d..f29509ee35e 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml 
@@ -1,29 +1,4 @@ id: ba1a91ad-1f99-4386-b191-06a76ef213f8 name: Audit Email Preview-Download action description: | - This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365 -description-detailed: | - This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365 - Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: -- PrivilegeEscalation -relevantTechniques: - - T1078 -query: | - CloudAppEvents - | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) - | evaluate bag_unpack(AR) - | where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl" - | serialize - | extend RowNumber = row_number() - | mv-expand ExtendedProperties - | evaluate bag_unpack(ExtendedProperties, 'xp_') - | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '') - | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber - | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = 
tostring(InternetMessageId[0]) - | project-away RowNumber -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Audit%20Email%20Preview-Download%20action.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml index 604b0d1d310..5f1ba6104dc 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml @@ -1,20 +1,4 @@ id: bc2d8214-afb6-4876-b210-25b69325b9b2 name: Hunt for TABL changes description: | - This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365 -description-detailed: | - This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365 - Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - DefenseEvasion -relevantTechniques: - - T1562 -query: | - CloudAppEvents - | where ActionType contains "TenantAllowBlockListItems" - | order by Timestamp desc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Hunt%20for%20TABL%20changes.yaml' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml index 9e6f4285d77..ed3e0096fbe 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml @@ -1,20 +1,4 @@ id: 712ffdd8-ddce-4372-85dd-063029b418cf name: Local time to UTC time conversion description: | - Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. -description-detailed: | - This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid")) - | where DeliveryAction == "Delivered" - | where LatestDeliveryLocation == "Quarantine" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Local%20time%20to%20UTC%20time%20conversion.yaml' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml index d01b5292321..daf1885f52e 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml 
@@ -1,66 +1,4 @@ id: deb4b2c6-c10e-4044-8cf4-84243e40db73 name: MDO daily detection summary report description: | - This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365 -description-detailed: | - This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result - Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents - - AlertEvidence - - EmailEvents - - EmailPostDeliveryEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let QueryTime = 30d; - let Reports = CloudAppEvents - | where Timestamp > ago(QueryTime) - | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" - | extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate) - | extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId) - | extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd")) - | distinct Date_value,NetworkMessageID - | summarize count() by Date_value - | project Date_value, MessagesGotReported=count_; - let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish") - | extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict) - | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) - | extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation)) - | summarize PostDeliveryTotalAIRInvestigations = count(), - PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"), - PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"), - PostDeliveryAirMalicious = 
countif(DetectionFromAIR contains "Malicious") - by Date_value //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks - | project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious; - let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime) - | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) - | project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress); - let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID - | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received - | summarize PostDeliveryZAP=count() by Date_value); - let DeliveryByThreat = (DeliveryInboundEvents - | where Timestamp > ago(QueryTime) - | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) - | extend MDO_detection = parse_json(DetectionMethods) - | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0])) - | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)")) - | summarize TotalEmails = count(), - Clean = countif(FirstSubcategory contains "Clean"), - Malware = countif(FirstSubcategory contains "Malware"), - Phish = countif(FirstSubcategory contains "Phish"), - Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"), - Bulk = countif(FirstSubcategory contains "Bulk") - by Date_value; - DeliveryByThreat - | join 
kind=fullouter Reports on Date_value - | join kind=fullouter PostDeliveryEvents on Date_value - | join kind=fullouter ThreatByAutomation on Date_value - | sort by Date_value asc - | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious - | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/MDO%20daily%20detection%20summary%20report.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml index f994e68557e..7d32b5b26f8 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml 
@@ -1,21 +1,4 @@
 id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
 name: Mail item accessed
 description: |
- This query helps reviewing emails accessed by end users using cloud app events data
-description-detailed: |
- This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where Timestamp > ago(30d)
- | extend Record= (parse_json(RawEventData)).RecordType
- | where Record == 50
- | take 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Mail%20item%20accessed.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
index 53af695df26..d80fdeeebf0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
@@ -1,22 +1,4 @@ id: 63c799bc-7567-4e4d-97be-e143fcfaa333 name: Malicious email senders description: | - This query helps hunting for emails from a sender with at least one email in quarantine -description-detailed: | - This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let SenderWithQuarantine = EmailEvents - | where LatestDeliveryLocation == "Quarantine" - | project SenderFromAddress; - EmailEvents - | where LatestDeliveryLocation == "Inbox/folder" - | where SenderFromAddress in (SenderWithQuarantine) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Malicious%20email%20senders.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml index bc435dcca92..25e9d130fec 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml 
@@ -1,33 +1,4 @@ id: 92b76a34-502e-4a53-93ec-9fc37c3b358c name: New TABL Items description: | - This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. -description-detailed: | - This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries. - Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - DefenseEvasion -relevantTechniques: - - T1562 -query: | - CloudAppEvents - | where ActionType == "New-TenantAllowBlockListItems" - | extend Parameters = RawEventData.Parameters - | mv-apply Parameters on ( - extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value) - | summarize Parameters=make_bag(Out) - ) - | extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType,ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes - | extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy)) - | project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId - | order by Timestamp desc -entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountUpn -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. 
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/New%20TABL%20Items.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml index 1238dcb4159..ae18090f570 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml @@ -1,18 +1,4 @@ id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935 name: Emails containing links to IP addresses description: | - This query helps hunting for Emails containing links to IP addresses -description-detailed: | - This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailUrlInfo - | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Emails%20containing%20links%20to%20IP%20addresses.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml index 4418071d721..6340073f8aa 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml 
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml 
@@ -1,30 +1,4 @@ id: e6259b03-622e-4e11-9c54-94987dad7c14 name: Good emails from senders with bad patterns description: | - This query helps hunting for good emails from senders with bad patterns -description-detailed: | - This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data. -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - //Good emails from senders with bad patterns - let PctPhishThreshold = 50; - let LookbackWindow = 1d; - EmailEvents - | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" - | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish) - | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter") - | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods - | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" - | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails - | project-away SenderMailFromAddress1,AuthenticationDetails1 - | extend PctPhish = (PhishCount*100 / TotalCount) - | where PctPhish < 100 and PctPhish>= PctPhishThreshold - | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Good%20emails%20from%20senders%20with%20bad%20patterns.yaml' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml index c89f0113cdd..30404987d23 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml 
@@ -1,40 +1,4 @@ id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72 name: Hunt for email conversation take over attempts description: | - This query helps hunting for email conversation take over attempts -description-detailed: | - This query helps hunting for email conversation take over attempts using Defender for Office 365 data. -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let emailDelivered = EmailEvents - | where Timestamp < ago(4hrs) - and DeliveryAction == "Delivered" - | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress) - | distinct Pair; - let EmailDomains = EmailEvents - | where Timestamp < ago(4hrs) - and DeliveryAction == "Delivered" - | distinct SenderFromDomain; - EmailEvents - | where Timestamp >= ago(4hrs) - | where DeliveryLocation != "Quarantine" - and EmailDirection == "Inbound" - and OrgLevelAction != "Block" - and UserLevelAction != "Block" - | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true ) - | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject - | join kind=leftouter ( emailDelivered ) on Pair - | order by SenderMailFromAddress - | where NewMsg == false - and Pair1 == "" - | join kind=leftouter (EmailDomains) on SenderFromDomain - | where SenderFromDomain1 == "" - | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. 
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20email%20conversation%20take%20over%20attempts.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml index 8404270426a..8d7416628a1 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml 
@@ -1,28 +1,4 @@ id: 57f95ba7-938d-4a76-b411-c01034c0d167 name: Hunt for malicious URLs using external IOC source description: | - This query helps hunt for emails with malicious URLs based on external IOC source -description-detailed: | - This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR - Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailUrlInfo - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let url = (externaldata(url: string ) - [@"https://urlhaus.abuse.ch/downloads/text_online/"] - with (format="txt")) - | project url; - url - | join (EmailUrlInfo - | where Timestamp > ago(2h) - ) on $left.url == $right.Url - |join EmailEvents on NetworkMessageId - |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml index e040a99bb93..ba145bc3895 100644 
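Review bot: The pointer added on the new side links to the wrong file: this stub replaces `Hunt for malicious URLs using external IOC source.yaml`, yet the URL it gives ends in `Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml`, the SHA256/bazaar.abuse.ch query that has its own stub in the next hunk. Anyone following the link lands on the attachments query instead of the urlhaus URL one, and the attachments stub makes the reverse mistake, so the two targets appear swapped. Change the tail of the added line to `.../Hunting/Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml`. I cannot confirm from this diff that either file exists under `Solutions/Microsoft Defender XDR`, so a link check before merge is advisable.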
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml @@ -1,27 +1,4 @@ id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe name: Hunt for malicious attachments using external IOC source description: | - This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source -description-detailed: | - This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR - Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailAttachmentInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let abuse_sha256 = (externaldata(sha256_hash: string) - [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"] - with (format="txt")) - | where sha256_hash !startswith "#" - | project sha256_hash; - abuse_sha256 - | join (EmailAttachmentInfo - | where Timestamp > ago(1d) - ) on $left.sha256_hash == $right.SHA256 - | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml' \ No newline at end of file 
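Review bot: The pointer added on the new side names the wrong query: this stub replaces `Hunt for malicious attachments using external IOC source.yaml` (the SHA256 match against `EmailAttachmentInfo`), but the link ends in `Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml`, which is the URL query stubbed in the previous hunk. Readers following it get the wrong KQL, and the previous hunk points the other way, so the two stubs look swapped. Change the tail of the added line to `.../Hunting/Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml`, assuming the file was migrated under its current name, which I cannot verify from here.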
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
index b5fb498c7dc..8d5e36cdbf1 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
@@ -1,21 +1,4 @@
 id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
 name: Inbox rule changes which forward-redirect email
 description: |
- This query helps hunting for Inbox rule changes which forward-redirect email
-description-detailed: |
- This query helps hunting for Inbox rule changes which forward-redirect email
- Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - Persistence
-relevantTechniques:
- - T1098
-query: |
- CloudAppEvents
- | where ActionType contains "Set-InboxRule"
- |extend Parameters = tostring((parse_json(RawEventData)).Parameters)
- |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Inbox%20rule%20change%20which%20forward-redirect%20email.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML index 9907db0a4f9..a90712253f6 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML @@ -1,33 +1,4 @@ id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2 name: MDO_CountOfRecipientsEmailaddressbySubject description: | - Count of recipient's email addresses by subject -description-detailed: | - Count of recipient's email addresses by subject -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - //Count of recipient's email addresses by subject - EmailEvents - //Change the date for as far back as you want to go - | where Timestamp > ago(10d) - | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject - //Change the Count of how many times the email with the same subject has come in - | where CountRecipientEmailAddress >= 15 - | project RecipientEmailAddress, CountRecipientEmailAddress, Subject -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML index 318c7b7f6dc..31e34bf0e2e 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML @@ -1,33 +1,4 @@ id: b95994d1-1008-4c42-a74f-9f2967e39ed6 name: MDO_CountOfSendersEmailaddressbySubject description: | - Count of sender's email addresses by subject -description-detailed: | - Count of sender's email addresses by subject -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - //Count of sender's email addresses by subject - EmailEvents - //Change the date for as far back as you want to go - | where Timestamp > ago(10d) - | summarize CountSenderFromAddress=count() by SenderFromAddress, Subject - //Change the Count of how many times the email with the same subject has come in - | where CountSenderFromAddress >= 10 - | project SenderFromAddress, CountSenderFromAddress, Subject -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
index dd80a2b63e4..e4bc093cee2 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
@@ -1,33 +1,4 @@
 id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
 name: MDO_Countofrecipientsemailaddressesbysubject
 description: |
- Count of recipient's email addresses by subject
-description-detailed: |
- Count of recipient's email addresses by subject
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Count of recipient's email addresses by subject
- EmailEvents
- //Change the date for as far back as you want to go
- | where Timestamp > ago(10d)
- | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
- //Change the Count of how many times the email with the same subject has come in
- | where CountRecipientEmailAddress >= 15
- | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML'
\ No newline at end of file
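Review bot: The pointer added on the new side targets a different query: this stub replaces `MDO_Countofrecipientsemailaddressesbysubject.YAML` (id f840db5b-…, summarised by `RecipientEmailAddress`), but the link ends in `MDO_CountOfSendersEmailaddressbySubject.YAML`, the senders query that already has its own stub in the previous hunk, so a reader following it gets the wrong KQL. If the file was migrated under its current name the tail should be `.../Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML`. The removed query is the same as the one in `MDO_CountOfRecipientsEmailaddressbySubject.YAML` two hunks up, so if this file was intentionally folded into that one during the migration, say so in the stub and point at that file instead; which of the two happened I cannot tell from the diff.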
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML index 9cd812817bc..564547e1ebf 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML @@ -1,36 +1,4 @@ id: a96c1571-1f7d-48dc-8287-7df5a5f0d987 name: MDO_SummaryOfSenders description: | - Count of all Senders and where they were delivered -description-detailed: | - Count of all Senders and where they were delivered -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - //Distinct Count - EmailEvents - | summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"), - Emails = count_distinct(DeliveryLocation == "Inbox/folder"), - JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress - - //Count of all Senders and where they were delivered - EmailEvents - | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"), - Emails = count(DeliveryLocation == "Inbox/folder"), - JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_SummaryOfSenders.YAML' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML index f79d2afbe42..9f83987b82a 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML @@ -1,29 +1,4 @@ id: 2c6e7f75-d83c-4344-afdc-83335fe550e6 name: MDO_URLClickedinEmail description: | - URLs clicked in Email -description-detailed: | - URLs clicked in Email -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - UrlClickEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - UrlClickEvents - | where ActionType == "ClickAllowed" - //| where ActionType <> "ClickAllowed" - | project AccountUpn, ActionType, Url -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_URLClickedinEmail.YAML' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml index 2882a9f8cd8..dbea72deb0e 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml 
@@ -1,46 +1,4 @@
 id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
 name: Detections by detection methods
 description: |
- This query helps reviewing malicious email detections by detection methods
-description-detailed: |
- This query helps reviewing malicious email detections by detection methods in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(7d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | summarize TotalEmailCount = count(),
- Phish_detection = countif(isnotempty(MDO_detection.Phish)),
- Malware_detection = countif(isnotempty(MDO_detection.Malware)),
- Spam_detection = countif(isnotempty( MDO_detection.Spam)),
- URL_malicious_reputation = countif(MDO_detection.Phish == @'["URL malicious reputation"]' or MDO_detection.Malware == @'["URL malicious reputation"]'),
- URL_detonation_reputation = countif(MDO_detection.Phish == @'["URL detonation reputation"]' or MDO_detection.Malware == @'["URL detonation reputation"]'),
- URL_detonation = countif(MDO_detection.Phish == @'["URL detonation"]' or MDO_detection.Malware == @'["URL detonation"]'),
- Advanced_filter = countif(MDO_detection.Phish == @'["Advanced filter"]'),
- General_filter = countif(MDO_detection.Phish == @'["General filter"]'),
- Spoof_intra_org = countif(MDO_detection.Phish == @'["Spoof intra-org"]'),
- Spoof_external_domain = countif(MDO_detection.Phish == @'["Spoof external domain"]'),
- Spoof_DMARC = countif(MDO_detection.Phish == @'["Spoof DMARC"]'),
- Impersonation_brand = countif(MDO_detection.Phish == @'["Impersonation brand"]'),
- Impersonation_user = countif(MDO_detection.Phish == @'["Impersonation user"]'),
- Impersonation_domain = countif(MDO_detection.Phish == @'["Impersonation domain"]'),
- Mixed_analysis_detection= countif(MDO_detection.Phish == @'["Mixed analysis detection"]'),
- File_reputation = countif(MDO_detection.Phish == @'["File reputation"]' or MDO_detection.Malware == @'["File reputation"]'),
- File_detonation = countif(MDO_detection.Phish == @'["File detonation"]' or MDO_detection.Malware == @'["File detonation"]'),
- File_detonation_reputation = countif(MDO_detection.Phish == @'["File detonation reputation"]' or MDO_detection.Malware == @'["File detonation reputation"]'),
- Antimalware_engine = countif(MDO_detection.Malware == @'["Antimalware engine"]'),
- Fingerprint_matching = countif(MDO_detection.Phish == @'["Fingerprint matching"]'),
- Mailbox_intelligence_impersonation = countif(MDO_detection.Phish == @'["Mailbox intelligence impersonation"]'),
- Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
- | project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
- Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Detections%20by%20detection%20methods.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
index 26445e81ceb..54c5f637bbd 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
@@ -1,40 +1,4 @@
 id: da7b973a-0045-4fd6-9161-269369336d24
 name: Mail reply to new domain
 description: |
- This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
-description-detailed: |
- This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let emailDelivered = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
- | distinct Pair;
- let EmailDomains = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | distinct SenderFromDomain;
- EmailEvents
- | where Timestamp >= ago(4hrs)
- | where DeliveryLocation != "Quarantine"
- and EmailDirection == "Inbound"
- and OrgLevelAction != "Block"
- and UserLevelAction != "Block"
- | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
- | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
- | join kind=leftouter ( emailDelivered ) on Pair
- | order by SenderMailFromAddress
- | where NewMsg == false
- and Pair1 == ""
- | join kind=leftouter (EmailDomains) on SenderFromDomain
- | where SenderFromDomain1 == ""
- | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mail%20reply%20to%20new%20domain.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
index 0c3919bff60..b8730b7575e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
@@ -1,21 +1,4 @@
 id: 6b478186-da3b-4d71-beaa-aa5b42908499
 name: Mailflow by directionality
 description: |
- This query helps reviewing inbound / outbound / intra-org emails by domain per day
-description-detailed: |
- This query helps reviewing inbound / outbound / intra-org emails by domain per day
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
- | summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mailflow%20by%20directionality.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
index 69336a8e718..a864dbd8fe2 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
@@ -1,29 +1,4 @@
 id: da932998-81dd-4be4-963c-f4890cb4192e
 name: Malicious emails detected per day
 description: |
- This query helps reviewing Malware, Phishing, Spam emails caught per day
-description-detailed: |
- This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where DetectionMethods != ""
- | extend detection= parse_json(DetectionMethods)
- | extend Spam = tostring(detection.Spam)
- | extend Phish = tostring(detection.Phish)
- | extend Malware = tostring(detection.Malware)
- | where Spam != '' or Phish != '' or Malware != ''
- | extend detection = case(
- Malware != "", 'Malware',
- Phish != "", 'Phish',
- 'Spam')
- | summarize total=count() by detection, bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Malicious%20emails%20detected%20per%20day.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
index f7b901cf9d4..43e055d2078 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
@@ -1,35 +1,4 @@
 id: b2beec6a-2c1c-4319-a191-e70c2ee42857
 name: Sender recipient contact establishment
 description: |
- This query helps in checking the sender-recipient contact establishment status
-description-detailed: |
- This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let emailDelivered = EmailEvents
- | where Timestamp < ago(30d)
- and DeliveryAction == "Delivered"
- and SenderDisplayName contains "Microsoft"
- | summarize count() by SenderFromAddress
- | where count_ > 3 // ensuring that some level of communications has occured.
- | project SenderFromAddress;
- EmailEvents
- | where Timestamp > ago(24hrs)
- | where DeliveryAction == "Delivered"
- and EmailDirection == "Inbound"
- and OrgLevelAction != "Block"
- and UserLevelAction != "Block"
- and SenderDisplayName contains "Microsoft" //Change the name here
- | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
- | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
- | join kind=leftanti ( emailDelivered ) on SenderFromAddress
- | order by SenderMailFromAddress
- | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Sender%20recipient%20contact%20establishment.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
index 0f38e332aa5..22900e20111 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
@@ -1,21 +1,4 @@
 id: 12225f50-9d41-4b78-8269-cc127d98654c
 name: Top 100 malicious email senders
 description: |
- This query helps reviewing top 100 malicious senders
-description-detailed: |
- This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
- | summarize total=count() by SenderMailFromAddress
- | top 100 by total
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20malicious%20email%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
index 56acd61b385..feae1339316 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
@@ -1,20 +1,4 @@
 id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
 name: Top 100 senders
 description: |
- This query helps reviewing top 100 senders in your organization in last 30 days
-description-detailed: |
- This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | summarize mailCountBySender = count() by SenderMailFromAddress
- | top 100 by mailCountBySender
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
index 92570b4efb7..294a91fbe8b 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
@@ -1,20 +1,4 @@
 id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
 name: Zero day threats
 description: |
- This query helps reviewing zero day threats via URL and file detonations
-description-detailed: |
- This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Zero%20day%20threats.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
index 78770fe82a9..b768649ed62 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
@@ -1,30 +1,4 @@
 id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
 name: Email containing malware accessed on a unmanaged device
 description: |
- In this query, we are looking for emails containing malware accessed on a unmanaged device
-description-detailed: |
- In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailPostDeliveryEvents
- - CloudAppEvents
- - AADSignInEventsBeta
-tactics:
- - Execution
-relevantTechniques:
- - T1204
-query: |
- EmailPostDeliveryEvents
- | where ActionType == "Malware ZAP"
- | project NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,ZAPReportId=ReportId,ZAPTimestamp=Timestamp
- | join (CloudAppEvents | where ActionType == "MailItemsAccessed"
- | extend RawEvent=parse_json(RawEventData)
- | mv-expand RawEvent.Folders
- | mv-expand RawEvent_Folders.FolderItems
- | project SessionId=tostring(RawEvent.SessionId),InternetMessageId=tostring(parse_json(RawEvent_Folders_FolderItems).InternetMessageId),ActionTimestamp=Timestamp,ActionReportId=ReportId
- ) on InternetMessageId
- | where isnotempty(SessionId)
- | join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
- | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20accessed%20on%20a%20unmanaged%20device.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
index 1f62c3f7a71..4fa08d467ff 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
@@ -1,20 +1,4 @@
 id: 07c85687-6dee-4266-9345-1e34de85d989
 name: Email containing malware sent by an internal sender
 description: |
- In this query, we are looking for emails containing malware attachment sent by an internal sender
-description-detailed: |
- In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - LateralMovement
-relevantTechniques:
- - T1534
-query: |
- EmailEvents
- | where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
- | where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
- | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20sent%20by%20an%20internal%20sender.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
index 11228a4bb19..f043e09c75c 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
@@ -1,26 +1,4 @@
 id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
 name: Email malware detection report
 description: |
- This query helps reviewing email malware detection cases
-description-detailed: |
- This query helps reviewing email malware detection cases in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailAttachmentInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(ThreatNames)
- | join kind=inner EmailAttachmentInfo on NetworkMessageId
- | extend ThreatFamilyAttachment = strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " /", ThreatNames, " /", FileName, " /", NetworkMessageId)
- | summarize ThreatFamily_wih_Attachment= make_list(ThreatFamilyAttachment) by RecipientEmailAddress
- | extend Case = array_length(ThreatFamily_wih_Attachment)
- | project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
- | sort by Case desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20malware%20detection%20report.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
index 1ac1617a435..66b80eaf5f6 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
@@ -1,32 +1,4 @@
 id: a3619c75-a927-4dbb-91cc-9adc55e95bda
 name: Malware detections by detection methods
 description: |
- This query helps reviewing malware detections by detection methods
-description-detailed: |
- This query helps reviewing malware detections by detection methods in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | where MDO_detection.Malware in
- (
- @'["File detonation reputation"]',
- @'["File detonation"]',
- @'["File reputation"]',
- @'["Antimalware engine"]',
- @'["URL malicious reputation"]',
- @'["URL detonation reputation"]',
- @'["URL detonation"]'
- )
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Malware%20detections%20by%20detection%20methods.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
index 5ebf204e44c..7724b51cec0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
@@ -1,21 +1,4 @@
 id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
 name: Admin overrides
 description: |
- This query helps in reviewing malicious emails allowed due to admin overrides
-description-detailed: |
- This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where DeliveryLocation == "Inbox/folder"
- | where isnotempty(ThreatTypes) and OrgLevelAction == "Allow"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Admin%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
index af30ca7a214..89c68d789e4 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
@@ -1,20 +1,4 @@
 id: c73ae295-d120-4f79-aaed-de005f766ad2
 name: Top policies performing admin overrides
 description: |
- This query helps in reviewing top policies for admin overrides (Allow/Block)
-description-detailed: |
- This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow" //"Block"
- | summarize count() by OrgLevelPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20admin%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
index 7f1dc112106..c7e00025985 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
@@ -1,20 +1,4 @@
 id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
 name: Top policies performing user overrides
 description: |
- This query helps in reviewing top policies for user overrides (Allow/Block)
-description-detailed: |
- This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
- | summarize count() by UserLevelPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20user%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
index cb4c06ce199..efd7e7d4e75 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
@@ -1,21 +1,4 @@
 id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
 name: User overrides
 description: |
- This query helps in reviewing malicious emails allowed due to user overrides
-description-detailed: |
- This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where DeliveryLocation == "Inbox/folder"
- | where isnotempty(ThreatTypes) and UserLevelAction == "Allow"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/User%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
index 557a0585c42..38cac5cdbc0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
@@ -1,31 +1,4 @@
 id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
 name: Appspot Phishing Abuse
 description: |
- This query helps surface phishing campaigns associated with Appspot abuse.
-description-detailed: |
- This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
- This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
- Reference - https://twitter.com/MsftSecIntel
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailUrlInfo
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailUrlInfo
- // Detect URLs with a subdomain on appspot.com
- | where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
- // Enrich results with sender and recipient data
- | join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
- // Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
- // Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
- // Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
- | where Url has RecipientEmailAddress
- // Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
- or Url has base64_encode_tostring(RecipientEmailAddress)
- | project-away Timestamp1, NetworkMessageId1, ReportId1
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/Appspot%20phishing%20abuse.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
index 8f85f9baca2..2634a11dc0a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
@@ -1,39 +1,4 @@
 id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
 name: Phish detections by detection methods
 description: |
- This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
-description-detailed: |
- This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(7d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | where MDO_detection.Phish in
- (
- @'["URL malicious reputation"]',
- @'["URL detonation reputation"]',
- @'["URL detonation"]',
- @'["Advanced filter"]',
- @'["General filter"]',
- @'["Spoof intra-org"]',
- @'["Spoof external domain"]',
- @'["Spoof DMARC"]',
- @'["Impersonation brand"]',
- @'["Mixed analysis detection"]',
- @'["File reputation"]',
- @'["File detonation reputation"]',
- @'["File detonation"]',
- @'["Fingerprint matching"]'
- )
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/PhishDetectionByDetectionMethod.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
index d57803288be..47fe4b44094 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
@@ -1,24 +1,4 @@
 id: 25150085-015a-4673-9b67-bc6ad9475500
 name: Campaign with randomly named attachments
 description: |
- In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
-description-detailed: |
- In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailAttachmentInfo
- | where Timestamp > ago(7d)
- | where FileType in ("png", "jpg", "jpeg", "gif", "svg")
- | where isnotempty(FileName)
- | extend firstFourFileName = substring(FileName, 0, 4)
- | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
- | where FirstFourFilesCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20randomly%20named%20attachments.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
index 0ef5dde9857..6f9b8a86104 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
@@ -1,25 +1,4 @@
 id: 9b086a51-e396-4718-90d7-f7b3646e6581
 name: Campaign with suspicious keywords
 description: |
- In this detection, we track emails with suspicious keywords in subjects.
-description-detailed: |
- In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let PhishingKeywords = ()
- {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | where Subject has_any (PhishingKeywords())
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20suspicious%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
index 9c4aa61e48c..80ccb925cdd 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
@@ -1,51 +1,4 @@
 id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
 name: Custom detection-Emails with QR from non-prevalent senders
 description: |
- In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
-description-detailed: |
- In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let QRCode_emails = EmailUrlInfo
- | where Timestamp > ago (2d)
- | where UrlLocation == "QRCode"
- | distinct Url,NetworkMessageId;
- let nMIDs = QRCode_emails | distinct NetworkMessageId;
- // Extracting sender of the email with QRCode:
- let senders_NMIDs = EmailEvents
- | where Timestamp > ago (2d)
- | where DeliveryAction != "Blocked" // Only delivered or Junked emails are interesting
- | where isnotempty(NetworkMessageId)
- | where NetworkMessageId in (nMIDs)
- | distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
- let senders = senders_NMIDs
- | distinct SenderFromAddress;
- // Checking sender prevalence in the organization
- let senderprevalence = EmailEvents
- | where Timestamp between (ago(14d)..(now()-24h))
- | where isnotempty(SenderFromAddress)
- | where SenderFromAddress in (senders)
- | summarize TotalEmailCount = count() by SenderFromAddress
- | where TotalEmailCount > 1;
- let prevalent_Sender = senderprevalence
- | where isnotempty (SenderFromAddress)
- | distinct SenderFromAddress;
- // Checking where email sender was not prevalent.
- let nMIDs_from_non_prevalent_Senders = senders_NMIDs
- | where SenderFromAddress !in (prevalent_Sender)
- | distinct NetworkMessageId;
- let QRCode_emails_from_non_prevalent_senders = QRCode_emails
- | where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
- | join kind=inner senders_NMIDs on NetworkMessageId
- | project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
- QRCode_emails_from_non_prevalent_senders
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Custom%20detection-Emails%20with%20QR%20from%20non-prevalent%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
index aa174855f68..3db6a34d930 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
@@ -1,25 +1,4 @@
 id: 594fe5a1-53b6-466b-86df-028366c3994e
 name: Emails delivered having URLs from QR codes
 description: |
- In this query, we hunt for inbound emails delivered having URLs from QR codes
-description-detailed: |
- In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20delivered%20having%20URLs%20from%20QR%20codes.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
index c5c3870f86f..cf65c6bc36f 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
@@ -1,27 +1,4 @@
 id: 706b711a-7622-40f1-9ebb-331d1a0ff697
 name: Emails with QR codes and suspicious keywords in subject
 description: |
- In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
-description-detailed: |
- In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let SubjectKeywords = ()
- {pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where Subject has_any (SubjectKeywords)
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20and%20suspicious%20keywords%20in%20subject.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
index 75848be8718..00dfe196733 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
@@ -1,36 +1,4 @@
 id: f708c866-073a-4107-a60b-ba6f86e54caa
 name: Emails with QR codes from non-prevalent sender
 description: |
- In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
-description-detailed: |
- In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let senderprevalence =
- EmailEvents
- | where Timestamp between (ago(7d)..(now()-24h))
- | where isnotempty(SenderFromAddress)
- | summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
- | where TotalEmailCount > 1;
- let prevalent_Sender = senderprevalence
- | where isnotempty (SenderFromAddress)
- | distinct SenderFromAddress;
- let QR_from_non_prevalent =
- EmailEvents
- | where EmailDirection == "Inbound"
- | where Timestamp > ago(1d)
- | where SenderFromAddress !in (prevalent_Sender)
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | distinct SenderFromAddress,Url,NetworkMessageId;
- QR_from_non_prevalent
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20from%20non-prevalent%20sender.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
index 021f41bc3db..6e947ec8e16 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
@@ -1,47 +1,4 @@
 id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
 name: Hunting for sender patterns
 description: |
- In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
-description-detailed: |
- In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailAttachmentInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let PhishingSenderDisplayNames = ()
- {
- pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
- "administrator", "administration", "benefits", "employee", "update", "on behalf");
- };
- let suspiciousEmails = EmailEvents
- | where Timestamp > ago(1d)
- | where isnotempty(RecipientObjectId)
- | where isnotempty(SenderFromAddress)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | join kind=inner (EmailAttachmentInfo
- | where Timestamp > ago(1d)
- | where isempty(SenderObjectId)
- | where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
- ) on NetworkMessageId
- | where SenderDisplayName has_any (PhishingSenderDisplayNames())
- | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId;
- let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
- let prevalentSenders = materialize(EmailEvents
- | where Timestamp between (ago(7d) ..
ago(1d))
- | where isnotempty(RecipientObjectId)
- | where isnotempty(SenderFromAddress)
- | where SenderFromDomain in (suspiciousSenders)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | distinct SenderFromDomain);
- suspiciousEmails
- | where SenderFromDomain !in (prevalentSenders)
- | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20sender%20patterns.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
index f251a00ca33..e229f40293d 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
@@ -1,26 +1,4 @@
 id: 8c852f12-499f-499b-afc1-25c50aa9b462
 name: Hunting for user signals-clusters
 description: |
- In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
-description-detailed: |
- In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let suspiciousClusters = EmailEvents
- | where Timestamp > ago(7d)
- | where EmailDirection == "Inbound"
- | where NetworkMessageId in ("5ff15b1f-d731-4625-4c1c-08dc8615943f","00ff0916-1263-428c-a558-08dc86a6d3cd") //
- | distinct EmailClusterId;
- EmailEvents
- | where Timestamp > ago(7d)
- | where EmailDirection == "Inbound"
- | where EmailClusterId in (suspiciousClusters)
- | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20user%20signals-clusters.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
index 6a06e213170..50c6b1e3beb 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
@@ -1,25 +1,4 @@
 id: f6354c94-3a95-4235-8530-414f016a7bf6
 name: Inbound emails with QR code URLs
 description: |
- In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
-description-detailed: |
- In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
- | render timechart
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Inbound%20emails%20with%20QR%20code%20URLs.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
index a5e3f88b14d..dbb8d85d564 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
@@ -1,25 +1,4 @@
 id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
 name: Personalized campaigns based on the first few keywords
 description: |
- In this detection, we track emails with personalized subjects.
-description-detailed: |
- In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | extend words = split(Subject," ")
- | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
- | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
- | where SubjectsCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20first%20few%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
index 14ce1a2eb7e..69d230043cf 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
@@ -1,25 +1,4 @@
 id: 54d3455d-27e0-4ceb-99f9-375abd620151
 name: Personalized campaigns based on the last few keywords
 description: |
- In this detection, we track emails with personalized subjects.
-description-detailed: |
- In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | extend words = split(Subject," ")
- | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
- | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
- | where SubjectsCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20last%20few%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
index 0a596fcf021..38af94e2954 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
@@ -1,31 +1,4 @@
 id: 8d298b5c-feca-4add-bd42-e43e0a317a88
 name: Risky sign-in attempt from a non-managed device
 description: |
- In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
-description-detailed: |
- In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- AADSignInEventsBeta
- | where Timestamp > ago(7d)
- | where IsManaged != 1
- | where IsCompliant != 1
- //Filtering only for medium and high risk sign-in
- | where RiskLevelDuringSignIn in (50, 100)
- | where ClientAppUsed == "Browser"
- | where isempty(DeviceTrustType)
- | where isnotempty(State) or isnotempty(Country) or isnotempty(City)
- | where isnotempty(IPAddress)
- | where isnotempty(AccountObjectId)
- | where isempty(DeviceName)
- | where isempty(AadDeviceId)
- | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Risky%20sign-in%20attempt%20from%20a%20non-managed%20device.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
index 7b8e893aa13..8265d48d50b 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
@@ -1,47 +1,4 @@ id: 3131d0ba-32c9-483e-a25c-82e26a07e116 name: Suspicious sign-in attempts from QR code phishing campaigns description: | - This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices. -description-detailed: | - This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt. - Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730 -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents - - AADSignInEventsBeta -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let successfulRiskySignIn = materialize(AADSignInEventsBeta - | where Timestamp > ago(1d) - | where isempty(DeviceTrustType) - | where IsManaged != 1 - | where IsCompliant != 1 - | where RiskLevelDuringSignIn in (50, 100) - | project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City - ); - let suspiciousSignInUsers = successfulRiskySignIn - | distinct AccountObjectId; - let suspiciousSignInIPs = successfulRiskySignIn - | distinct IPAddress; - let suspiciousSignInCities = successfulRiskySignIn - | distinct City; - CloudAppEvents - | where Timestamp > ago(1d) - | where ActionType == "MailItemsAccessed" - | where AccountObjectId in (suspiciousSignInUsers) - | where IPAddress !in (suspiciousSignInIPs) - | where City !in (suspiciousSignInCities) - | join kind=inner successfulRiskySignIn on AccountObjectId - | where AccountObjectId in (suspiciousSignInUsers) - | where (Timestamp - Timestamp1) between (-5min .. 
5min) - | extend folders = RawEventData.Folders - | mv-expand folders - | extend items = folders.FolderItems - | mv-expand items - | extend InternetMessageId = tostring(items.InternetMessageId) - | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Suspicious%20sign-in%20attempts%20from%20QR%20code%20phishing%20campaigns.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml index 5bb855719ed..57d4440e9f6 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml 
@@ -1,24 +1,4 @@ id: a12cac64-ea6d-46d4-91a6-262b165fb9ad name: Group quarantine release description: | - This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released. -description-detailed: | - This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where ActionType == "QuarantineReleaseMessage" - | extend parsed=parse_json(RawEventData) - | extend NetworkMessageId = tostring(parsed.NetworkMessageId) - | join EmailEvents on NetworkMessageId - | summarize count() by DetectionMethods - | order by count_ desc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Group%20quarantine%20release.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml index 023ece25ab7..a6ec216a6eb 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml 
@@ -1,27 +1,4 @@ id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc name: High Confidence Phish Released description: | - This query shows information about high confidence phish email that has been released from the Quarantine. -description-detailed: | - This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where ActionType == "QuarantineReleaseMessage" - | project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo - | join kind=inner ( - EmailEvents - | where todynamic(ConfidenceLevel).Phish == "High" - | project-rename EmailTime = Timestamp - ) on NetworkMessageId - | project-away NetworkMessageId1 - | order by ReleaseTime asc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/High%20Confidence%20Phish%20Released.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml index a0a2020e247..749d55b23fb 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml 
@@ -1,27 +1,4 @@ id: 6f96f6d7-d972-421e-a59f-6b9a8de81324 name: Quarantine Release Email Details description: | - This query shows information about email that has been released from the Quarantine in Defender for Office 365. -description-detailed: | - This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by. - Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where ActionType == "QuarantineReleaseMessage" - | project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo - | join kind=inner ( - EmailEvents - | project-rename EmailTime = Timestamp - ) on NetworkMessageId - | project-away NetworkMessageId1 - | order by ReleaseTime asc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20Release%20Email%20Details.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml index 595cc35d1e9..b3851374ce1 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml 
@@ -1,22 +1,4 @@ id: 9f135aef-ad25-4df2-bdab-8399978a36a2 name: Quarantine release trend description: | - This query helps reviewing quarantine release trend in Defender for Office 365 -description-detailed: | - This query helps reviewing quarantine release trend in Defender for Office 365 - Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where ActionType == "QuarantineReleaseMessage" - | summarize count() by bin(Timestamp, 1d) - | project-rename Releases = count_ - | render timechart with (title="Qurantine Releases by Day") -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20release%20trend.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml index b193cdab50e..0b44a1ef43a 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml 
@@ -1,33 +1,4 @@ id: 99713387-9d61-49eb-8edc-f51153d8bb01 name: Listing Email Remediation Actions via Explorer description: | - Listing Email Remediation Actions performed via Explorer in Defender for Office 365 -description-detailed: | - Listing Email Remediation Actions performed via Explorer in Defender for Office 365 - - Track each cases with Network Message ID - - Sort the users who got a number of actions - - e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago(30d) - | where LatestDeliveryAction in ("Hard delete", "Soft delete", "Moved to junk folder", "Moved to deleted items") - | summarize HardDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Hard delete"), - SoftDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Soft delete"), - MoveToJunk_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to junk folder"), - MoveToDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to deleted items") by RecipientEmailAddress - | extend HardDelete_case = array_length(HardDelete_NetworkID) - | extend SoftDelete_case = array_length(SoftDelete_NetworkID) - | extend MoveToJunk_case = array_length(MoveToJunk_NetworkID) - | extend MoveToDelete_case = array_length(MoveToDelete_NetworkID) - | extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case - | project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID - | order by Sum_case 
desc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Remediation/Email%20remediation%20action%20list.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml index ad4ed66303d..1f6abd4fa16 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml 
@@ -1,35 +1,4 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c name: Display Name - Spoof and Impersonation description: | - This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name -description-detailed: | - This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let emailDelivered = EmailEvents - | where Timestamp < ago(24hrs) - and DeliveryAction == "Delivered" - and SenderDisplayName contains "Microsoft" - | summarize count() by SenderFromAddress - | where count_ > 3 // ensuring that some level of communications has occurred. - | project SenderFromAddress; - EmailEvents - | where Timestamp > ago(24hrs) - | where DeliveryAction == "Delivered" - and EmailDirection == "Inbound" - and OrgLevelAction != "Block" - and UserLevelAction != "Block" - and SenderDisplayName contains "Microsoft" - | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true ) - | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject - | join kind=leftanti ( emailDelivered ) on SenderFromAddress - | order by SenderMailFromAddress - | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. 
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Display%20Name%20-%20Spoof%20and%20Impersonation.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml index c59b75f3048..490469c12c2 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml 
@@ -1,27 +1,4 @@ id: cdc4da1c-64a1-4941-be59-1f5cc85481ab name: referral-phish-emails description: | - Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data -description-detailed: | - The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages. -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - EmailUrlInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let EmailAddresses = pack_array - ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com', - 'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com', - 'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com', - 'irefferal.com','refferasl.co','zrefferal.com'); - EmailEvents - | where SenderMailFromDomain in (EmailAddresses) - | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress) - | where SenderFromDomain == RecipientDomain - | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Referral%20phish%20emails.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml index a846b40c439..70842c8038c 100644 
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml @@ -1,21 +1,4 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e name: Spoof and impersonation detections by sender IP description: | - This query helps reviewing count of spoof and impersonation detections done per sender IP -description-detailed: | - This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data. - Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation") - | project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4 - | summarize count() by SenderIPv4 -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20detections%20by%20sender%20IP.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml index e5e609c3044..e57b15bfbf7 100644 
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml @@ -1,22 +1,4 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba name: Spoof and impersonation phish detections description: | - This query helps reviewing count of phish detections done by spoof detection methods -description-detailed: | - This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365. - Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation") - | project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress - | evaluate bag_unpack(DT) - | summarize count() by tostring(Phish) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20phish%20detections.yaml' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml index 02b7a73635d..51edd4fd13b 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml 
@@ -1,28 +1,4 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b name: User not covered under display name impersonation description: | - This query helps to find threats using display name impersonation for users not already protected with User Impersonation -description-detailed: | - This query helps to find threats using display name impersonation for users not already protected with User Impersonation -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - IdentityInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let display_names = - IdentityInfo - | summarize by AccountDisplayName - | project-rename SenderDisplayName = AccountDisplayName; - EmailEvents - | where EmailDirection == "Inbound" - | where ThreatNames != "" - | where ThreatNames !contains "Impersonation User" - | lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName - | where SenderDisplayName != "" - | summarize by SenderDisplayName -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/User%20not%20covered%20under%20display%20name%20impersonation.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml index 1fcd30d2942..6d08dba8b05 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml 
@@ -1,22 +1,4 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49 name: Admin reported submissions description: | - This query helps reviewing admin reported email submissions -description-detailed: | - This query helps reviewing admin reported email submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | where Record == 29 - | where ActionType == "AdminSubmission" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Admin%20reported%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml index 0c6e9b3fe04..9bfe08b43f6 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml 
@@ -1,25 +1,4 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f name: Status of submissions description: | - This query helps reviewing status of submissions -description-detailed: | - This query helps reviewing status of submissions in Defender for Office 365. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" - | summarize count() by tostring(SubmissionState) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Status%20of%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml index dd461795c5c..d5294dfb592 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml 
@@ -1,25 +1,4 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc name: Top submitters of admin submissions description: | - This query helps reviewing top submitters of admin submissions -description-detailed: | - This query helps reviewing top submitters of admin submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "AdminSubmission" - | summarize count() by tostring(UserKey) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20admin%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml index 47eb25afd28..2ac20f440b3 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml 
@@ -1,25 +1,4 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f name: Top submitters of user submissions description: | - This query helps reviewing top submitters of user submissions -description-detailed: | - This query helps reviewing top submitters of user submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "UserSubmission" - | summarize count() by tostring(UserKey) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20user%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml index 7bd93ee72a1..66a810fd7a3 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml 
@@ -1,22 +1,4 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50 name: User reported submissions description: | - This query helps reviewing user reported email submissions -description-detailed: | - This query helps reviewing user reported email submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | where Record == 29 - | where ActionType == "UserSubmission" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/User%20reported%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml index 016aa34627f..76213554372 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml 
@@ -1,24 +1,4 @@ id: de480ca4-4095-4fef-b3e7-2a3f17f24e78 name: Attacked more than x times average description: | - This query helps reviewing count of users attacked more than x times average. -description-detailed: | - This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let AverageThreatPerRecipient = toscalar(EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | summarize avg(total)); - EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | where tolong(total) >= 1*AverageThreatPerRecipient // update "1" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Attacked%20more%20than%20x%20times%20average.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml index 3155eca2cc5..fdf14b77d4a 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml 
@@ -1,21 +1,4 @@
 id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27
 name: Malicious mails by sender IPs
 description: |
- This query helps reviewing sender IPs sending malicious email of type Malware or Phish
-description-detailed: |
- This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
- | summarize count() by SenderIPv4 //SenderIPv6
- | sort by count_
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Malicious%20mails%20by%20sender%20IPs.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml
index c3c732a0424..068308325c6 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml
@@ -1,27 +1,4 @@
 id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25
 name: Top 10 URL domains attacking organization
 description: |
- This query helps reviewing list of top 10 URL domains attacking the organization
-description-detailed: |
- This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where ThreatTypes != ""
- | extend detection= parse_json(DetectionMethods)
- | extend Spam = tostring(detection.Spam)
- | extend Phish = tostring(detection.Phish)
- | where (Spam == '["URL malicious reputation"]') or (Phish == '["URL malicious reputation"]') or (Phish == '["URL detonation reputation"]') or (Phish == '["URL detonation"]')
- | join EmailUrlInfo on NetworkMessageId
- | summarize total=count() by UrlDomain
- | top 10 by total
- | render columnchart
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20URL%20domains%20attacking%20organization.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml
index cf806f90a37..2bc82938c19 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml
@@ -1,25 +1,4 @@
 id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58
 name: Top 10% of most attacked users
 description: |
- This query helps reviewing the list of top 10% of most attacked users
-description-detailed: |
- This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let topTargeted = toscalar( EmailEvents
- | where DetectionMethods != ""
- | summarize total=count() by RecipientEmailAddress
- | summarize percentiles(total,90));
- EmailEvents
- | where DetectionMethods != ""
- | summarize total=count() by RecipientEmailAddress
- | where total >= topTargeted
- | order by total desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20percent%20of%20most%20attacked%20users.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml
index 7fa9cf13725..c3b61ee58e9 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml
@@ -1,21 +1,4 @@
 id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2
 name: Top external malicious senders
 description: |
- This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days
-description-detailed: |
- This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | summarize count() by SenderFromAddress
- | sort by count_
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%20external%20malicious%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml
index ba4fc6da181..fdbc333dbf2 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml
@@ -1,21 +1,4 @@
 id: a1664330-810a-473b-b354-acbaa751a294
 name: Top targeted users
 description: |
- This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days
-description-detailed: |
- This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where ThreatTypes has "Malware" or ThreatTypes has "Phish"
- | summarize count() by RecipientEmailAddress
- | sort by count_
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%20targeted%20users.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml
index 65d69bfd6ad..577a39d3b0d 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml
@@ -1,24 +1,4 @@
 id: d24e9c4a-b72a-4a85-89cd-83760ae61155
 name: End user malicious clicks
 description: |
- This query helps reviewing list of top users click on Phis URLs
-description-detailed: |
- This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ThreatTypes contains "Phish"
- | extend UrlBlocked = ActionType has_any("ClickBlocked")
- | extend UrlAllowed = ActionType has_any('ClickAllowed')
- | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
- | extend ErrorPage = ActionType has_any('UrlErrorPage')
- | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by AccountUpn
- | sort by Blocked desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/End%20user%20malicious%20clicks.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml
index 4b7e4995da8..c99a4224e92 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml
@@ -1,22 +1,4 @@
 id: 3f007cdc-86bf-4657-9015-05101a3e54f5
 name: URL click count by click action
 description: |
- This query helps reviewing URL click count by ClickAction
-description-detailed: |
- This query helps reviewing URL click count by ClickAction using Defender for Office 365 data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | extend UrlBlocked = ActionType has_any("ClickBlocked")
- | extend UrlAllowed = ActionType has_any('ClickAllowed')
- | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
- | extend ErrorPage = ActionType has_any('UrlErrorPage')
- | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough)
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20click%20count%20by%20click%20action.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml
index 7314fe0f1d5..a139c111795 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml
@@ -1,23 +1,4 @@
 id: efe27064-6d35-4720-b7f5-e0326695613d
 name: URL click on ZAP email
 description: |
- In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge
-description-detailed: |
- In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge (ZAP) in Defender for Office 365.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
- - Alertinfo
- - AlertEvidence
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- AlertInfo
- | where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago (7d)
- | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId
- | join UrlClickEvents on NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20click%20on%20ZAP%20Email.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml
index 203a82bb8ae..3545269f012 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml
@@ -1,22 +1,4 @@
 id: bc46e331-3cb0-483d-9c90-989d2a59457f
 name: URL clicks actions by URL
 description: |
- In this query, we are looking URL click actions by URL in the last 7 days
-description-detailed: |
- In this query, we are looking URL click actions by URL in the last 7 days using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | extend UrlBlocked = ActionType has_any("ClickBlocked")
- | extend UrlAllowed = ActionType has_any('ClickAllowed')
- | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
- | extend ErrorPage = ActionType has_any('UrlErrorPage')
- | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20clicks%20actions%20by%20URL.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
index 83669de1661..ec909fbb618 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
@@ -1,22 +1,4 @@
 id: 03e61096-20d0-46eb-b8e0-a507dd00a19f
 name: URLClick details based on malicious URL click alert
 description: |
- In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected
-description-detailed: |
- In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected in Defender for Office 365.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
- - Alertinfo
- - AlertEvidence
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- AlertInfo
- | where Title contains "Potentially malicious" and Timestamp > ago (30d)
- | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId
- | join UrlClickEvents on NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URLClick%20details%20based%20on%20malicious%20URL%20click%20alert.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
index cbc81471bec..f1aaa163cde 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
@@ -1,20 +1,4 @@
 id: f075d4c4-cf76-4e5d-9c2d-9ed524286316
 name: User clicked through events
 description: |
- This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page.
-description-detailed: |
- This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page in Defender for Office 365.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ActionType == "ClickAllowed" or IsClickedThrough !="0"
- | where ThreatTypes has "Phish"
- | summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicked%20through%20events.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
index 8b5f6f204a2..fd1c9dea770 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
@@ -1,28 +1,4 @@
 id: 891f4865-75e5-4d40-bc24-ebf97da3ca9a
 name: User clicks on malicious inbound emails
 description: |
- This query provides insights on users who clicked on a suspicious URL
-description-detailed: |
- This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days using Defender for Office 365 Data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let UrlClicked = (UrlClickEvents
- | where ActionType == "ClickAllowed" or IsClickedThrough !="0"
- | extend Device_IPv4 = IPAddress
- | project ActionType, Device_IPv4, Url, UrlChain, IPAddress, NetworkMessageId);
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(ThreatTypes) and EmailDirection == "Inbound"
- | where ThreatTypes has_any ("Malware", "Phish")
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | join kind = inner UrlClicked on NetworkMessageId
- | project Timestamp,NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicks%20on%20malicious%20inbound%20emails.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
index b7f82b3f328..3ee8bde4fba 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
@@ -1,21 +1,4 @@
 id: d823da0e-1334-4a66-8ff4-2c2c40d26295
 name: User clicks on phishing URLs in emails
 description: |
- This query helps in determining clickthroughs when email delivered because of detection overrides.
-description-detailed: |
- This query helps in determining clickthroughs, potential deliveries through User/Tenant overrides and detection details for malicious clicks on URLs in emails
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ThreatTypes has "Phish"
- | join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
- | project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicks%20on%20phishing%20URLs%20in%20emails.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
index 3440bc2f62a..3214cee52a3 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
@@ -1,23 +1,4 @@
 id: 08aff8c6-b983-43a3-be95-68a10c3d35e6
 name: PhishingEmailUrlRedirector (1)
 description: |
- The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data.
-description-detailed: |
- The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection.
- This query was originally published on Twitter, by @MsftSecIntel.
- Reference - https://twitter.com/MsftSecIntel
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailUrlInfo
- //This regex identifies emails containing the "T-Dot" redirector pattern in the URL
- | where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?"
- //This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns
- and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL/Phishing%20Email%20Url%20Redirector.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml
index 05a10116d63..523ac201442 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml
@@ -1,23 +1,4 @@
 id: 492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9
 name: SafeLinks URL detections
 description: |
- This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
-description-detailed: |
- This query provides insights on the detections done by SafeLinks protection in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-links-about
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where DetectionMethods != ""
- | extend detection= tostring(parse_json(DetectionMethods).Phish)
- | where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]'
- | summarize total=count() by bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL/SafeLinks%20URL%20detections.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml
index 3c934312a33..dd3677ed551 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml
@@ -1,20 +1,4 @@
 id: c10b22a0-6021-46f9-bdaf-05bf2350a554
 name: Total ZAP count
 description: |
- This query helps reviewing count of total ZAP events
-description-detailed: |
- This query helps reviewing count of total ZAP events in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailPostDeliveryEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailPostDeliveryEvents
- | where Timestamp > ago(30d)
- | where ActionType == "Phish ZAP" or ActionType == "Malware ZAP"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/ZAP/Total%20ZAP%20count.yaml'
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/Failed_Range_To_Ingest_CL.csv b/Sample Data/Custom/Infoblox/Failed_Range_To_Ingest_CL.csv
new file mode 100644
index 00000000000..d4f09f93282
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/Failed_Range_To_Ingest_CL.csv
@@ -0,0 +1,4 @@
+TimeGenerated [UTC],From_Date_s,To_Date_s,Threat_Type_s
+"6/8/2024, 5:44:50 AM",2024-06-05 8:50:00,2024-06-05 11:50:00,host
+"6/8/2024, 4:33:10 AM",2024-06-06 2:50:00,2024-06-06 5:50:00,host
+"6/7/2024, 1:23:52 PM",2024-06-06 8:50:00,2024-06-06 11:50:00,host
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/Host_Name_Info_CL.csv b/Sample Data/Custom/Infoblox/Host_Name_Info_CL.csv
new file mode 100644
index 00000000000..141b2d6825b
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/Host_Name_Info_CL.csv
@@ -0,0 +1,6 @@ +configs_s,created_at_t [UTC],display_name_s,host_type_s,id_s,legacy_id_s,maintenance_mode_s,pool_id_s,timezone_s,updated_at_t [UTC],ip_address_s,mac_address_s,ophid_g,tags_host_bundled_k3s_s,tags_host_deployment_type_s,tags_host_geoip2_latitude_s,tags_host_geoip2_longitude_s,tags_host_host_ip_s,tags_host_ipv6_enabled_s +"[{""id"":""infra/service_host_config/1215f7af-3005-4017-afe1-f617a593a09c"",""service_id"":""infra/service/kk2q6vub7qk5gk77ncmffy3kulrnxfsg"",""service_type"":""appmgmt"",""upgraded_at"":""2024-04-15T07:47:34.663897Z""},{""id"":""infra/service_host_config/3f53511e-8035-4cf7-9c75-a697c48571a6"",""service_id"":""infra/service/wzoqlthpaz5tj2la3cv77zkfmcyoz3u2"",""service_type"":""platform"",""upgraded_at"":""2024-04-15T07:47:34.666892Z""}]","4/15/2024, 7:47:35 AM",TestingSentinelHost,0,infra/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnlcgzstgnrygjsgkojwhbqwiobseaqcaib,689500,disabled,infra/pool/prgfvenkivqyth4ibdwdljldh7twmji,UTC,"4/15/2024, 7:47:33 AM",,,,,,,,, +"[{""id"":""infra/service_host_config/07d55c75-39a3-4512-a375-7cddca0ee667"",""service_id"":""infra/service/g5g3jiiydmj2kw3fh6cnowwfhyqqodc3"",""service_type"":""platform"",""upgraded_at"":""2024-04-15T12:31:40.232858Z""},{""id"":""infra/service_host_config/8442aa2a-3784-4654-9065-2a5b1101cbb8"",""service_id"":""infra/service/dwjn3aohe3nmzid6jzzmrf25kdee4pqd"",""service_type"":""appmgmt"",""upgraded_at"":""2024-04-15T12:31:40.229731Z""}]","4/15/2024, 12:31:40 PM",TestingSentinelHost,5,infra/host/jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcaib,689502,disabled,infra/pool/zr4foyncx5764ccpzgq4hymy7rwdwfa,UTC,"6/25/2024, 4:23:18 PM",0.0.0.0,FF:FF:FF:FF:FF:FF,93c4900d-1df2-ffda-2b62-0edfb27f7e4,TRUE,BAREMETAL,12.9717,77.5945,0.0.0.0,FALSE 
+"[{""id"":""infra/service_host_config/873dc7ba-1444-4747-99c6-9661083f9bd6"",""service_id"":""infra/service/y7w3a6su72cjhndbc2t4vh2tewudwk6c"",""service_type"":""appmgmt"",""upgraded_at"":""2024-04-16T12:51:44.636082Z""},{""current_version"":""v5.4.6"",""id"":""infra/service_host_config/4c957bf3-a068-4e5c-8801-82cc101b9292"",""service_id"":""infra/service/wkjcqx27dc7t254dnvdlmwr52r63ztky"",""service_type"":""platform"",""upgraded_at"":""2024-07-16T09:39:09.266047Z""},{""current_version"":""v2.1.3"",""id"":""infra/service_host_config/d360a9a5-0cc4-4c92-8fa3-9dfed095170f"",""service_id"":""infra/service/z77m2xgrbsx22jokk44ueitoiianv7nz"",""service_type"":""cdc"",""upgraded_at"":""2024-07-16T09:39:09.262237Z""}]","4/16/2024, 12:51:43 PM",TestingSentinelHost,3,infra/host/jbeuiwrwmu3tkyrwmezdqmrymfstmnztme2gkobxgy4tgnjumi4win3ehe2gkndceaqcaib,689531,disabled,infra/pool/ji566waegiibisr7l5syx2ezbkxbl53,UTC,"7/16/2024, 9:39:09 AM",10.50.11.19,00:50:56:81:d2:3f,c02b102a-393c-e8e5-6cf7-31b865a1d2d,TRUE,NGPVM,19.077,72.8778,10.50.11.14,FALSE 
+"[{""id"":""infra/service_host_config/7566a8af-66ee-4381-8361-f785c0271974"",""service_id"":""infra/service/4zyyyhkz4nzer72j5pklqvt3ckczx7ac"",""service_type"":""appmgmt"",""upgraded_at"":""2024-04-17T11:10:07.603488Z""},{""current_version"":""v4.3.15"",""id"":""infra/service_host_config/2f6491f0-f6f6-45c9-8e0a-e48a87a58129"",""service_id"":""infra/service/riep7efxh52ewvwxfd7pq6jf3cadr2zc"",""service_type"":""dhcp"",""upgraded_at"":""2024-08-08T13:19:19.516829Z""},{""current_version"":""v3.5.7"",""id"":""infra/service_host_config/d8a53762-4b0c-4bf3-a071-f5d2f94c732b"",""service_id"":""infra/service/6je7wvsabcsaqkoej2dj7662zruqkpej"",""service_type"":""dns"",""upgraded_at"":""2024-08-08T13:19:19.512244Z""},{""current_version"":""v5.4.6"",""id"":""infra/service_host_config/ba260fe3-2cff-4c2e-8e0e-ebfba50d16cb"",""service_id"":""infra/service/w5m7yremaaqztovqlgx2f6cn2n45vpvf"",""service_type"":""platform"",""upgraded_at"":""2024-08-08T13:19:19.521652Z""}]","4/17/2024, 11:10:07 AM",TestingSentinelHost,3,infra/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnjvmqzdgnrygjsgkojwhbqwiobseaqcaib,689611,disabled,infra/pool/qsjvfu5m673udtfcsnpxlyqeceuzskd,UTC,"8/8/2024, 1:19:19 PM",10.50.11.18,00:50:56:81:54:92,3b2b7660-e753-7dc0-9e98-352b881322e,TRUE,NGPVM,19.2115,72.8285,10.50.11.12,TRUE +"[{""id"":""infra/service_host_config/d388cb5a-dcb1-4070-94c5-cf33b0b16f78"",""service_id"":""infra/service/74uq6wvescb7xe72kgadrkqmpea5chvh"",""service_type"":""appmgmt"",""upgraded_at"":""2024-04-26T00:00:13.202237Z""},{""current_version"":""v5.4.6"",""id"":""infra/service_host_config/76f76f09-369a-4083-a109-5067ea4b6fc1"",""service_id"":""infra/service/awenmzc4jg3hgzw2mrjmzzgv6gbexuek"",""service_type"":""platform"",""upgraded_at"":""2024-04-26T16:47:11.993038Z""}]","4/26/2024, 12:00:13 AM",TestingSentinelHost,3,infra/host/jbeuiwrzgi2teyjyg5rgiyjwgjstknbtmu3deyjwmezdgodcmq4tonbzmu3dkzdceaqcaib,689956,disabled,infra/pool/rg74zfqiiuo2nrhh6l7zcuj5zbguwit,UTC,"4/26/2024, 4:47:12 
PM",10.50.11.40,00:50:56:83:58:81,1bd8166f-38fc-1938-3b21-1f602957f55,TRUE,NGPVM,22.3173,73.1633,10.50.11.41,FALSE
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/IP_Space_Info_CL.csv b/Sample Data/Custom/Infoblox/IP_Space_Info_CL.csv
new file mode 100644
index 00000000000..ff262999225
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/IP_Space_Info_CL.csv
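Review bot: The sample rows in Host_Name_Info_CL.csv carry values that look lifted from a live deployment rather than fabricated — private addresses such as `10.50.11.19`, VMware-range MAC addresses such as `00:50:56:81:d2:3f`, latitude/longitude pairs and long `infra/host/...` and `infra/pool/...` identifiers — and the file lands in a public repository. Ingestion-test fixtures should use obviously synthetic values (RFC 5737 documentation ranges such as 192.0.2.0/24, zeroed or broadcast MACs, round coordinates) so nothing about a real environment is disclosed; the row with `0.0.0.0` and `FF:FF:FF:FF:FF:FF` already follows that pattern and the others could be normalised to match. The `created_at_t [UTC]` and `updated_at_t [UTC]` columns also use locale-style `M/D/YYYY, h:mm:ss AM` strings instead of RFC 3339 timestamps, which is presumably the portal export format the ingestion tester expects, but it is worth confirming that the tester parses them as datetimes rather than storing them as strings. One row is also split across two physical lines inside a quoted field (`"4/26/2024, 4:47:12` / `PM",...`); if that is how the file is committed and not just a rendering artefact, a strict CSV reader will mis-parse it.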
@@ -0,0 +1,7 @@ +TimeGenerated [UTC],asm_config_asm_threshold_d,asm_config_enable_b,asm_config_enable_notification_b,asm_config_forecast_period_d,asm_config_growth_factor_d,asm_config_growth_type_s,asm_config_history_d,asm_config_min_total_d,asm_config_min_unused_d,asm_config_reenable_date_t [UTC],asm_scope_flag_d,comment_s,compartment_id_s,created_at_t [UTC],ddns_client_update_s,ddns_conflict_resolution_mode_s,ddns_domain_s,ddns_generate_name_b,ddns_generated_prefix_s,ddns_send_updates_b,ddns_ttl_percent_d,ddns_update_on_renew_b,ddns_use_conflict_resolution_b,default_realms_s,dhcp_config_abandoned_reclaim_time_d,dhcp_config_abandoned_reclaim_time_v6_d,dhcp_config_allow_unknown_b,dhcp_config_allow_unknown_v6_b,dhcp_config_echo_client_id_b,dhcp_config_filters_s,dhcp_config_filters_large_selection_s,dhcp_config_filters_v6_s,dhcp_config_ignore_client_uid_b,dhcp_config_ignore_list_s,dhcp_config_lease_time_d,dhcp_config_lease_time_v6_d,dhcp_options_s,dhcp_options_v6_s,header_option_filename_s,header_option_server_address_s,header_option_server_name_s,hostname_rewrite_char_s,hostname_rewrite_enabled_b,hostname_rewrite_regex_s,id_s,name_s,threshold_enabled_b,threshold_high_d,threshold_low_d,updated_at_t [UTC],utilization_abandon_utilization_d,utilization_abandoned_s,utilization_dynamic_s,utilization_free_s,utilization_static_s,utilization_total_s,utilization_used_s,utilization_utilization_d,utilization_v6_abandoned_s,utilization_v6_dynamic_s,utilization_v6_static_s,utilization_v6_total_s,utilization_v6_used_s,tags_nios_federation_enabled_s,tags_nios_grid_name_s,tags_nios_import_timestamp_t [UTC],tags_nios_imported_s +"6/16/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,,,"4/17/2024, 10:42:18 
AM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,"[{""group"":null,""option_code"":""dhcp/option_code/c499bd83-37e7-4da9-b963-a278b0c16c15"",""option_value"":""1.1.1.1"",""type"":""option""}]",[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb1234,test,FALSE,0,0,"6/14/2024, 10:04:49 AM",0,0,4,4345,1,4352,7,0,0,0,0,0,0,,,, +"6/16/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,,,"6/12/2024, 9:47:38 AM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,[],[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/4542f06e-1754-11ef-ab51-e2d25c3e1234,default-Infoblox-beef,FALSE,0,0,"6/13/2024, 6:24:50 AM",0,0,0,4092,2,4096,4,0,0,0,0,0,0,FALSE,Infoblox-test,"6/12/2024, 9:47:37 AM",TRUE +"6/16/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,Test_New,,"4/26/2024, 12:49:16 PM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,[],[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/63d1f1e4-03cb-11ef-b37a-46b3a2fd1234,DHCP_New,FALSE,0,0,"6/7/2024, 1:29:16 PM",0,0,0,4094,0,4096,2,0,0,0,0,0,0,,,, +"6/15/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,,,"4/17/2024, 10:42:18 AM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,"[{""group"":null,""option_code"":""dhcp/option_code/c499bd83-37e7-4da9-b963-a278b0c123c"",""option_value"":""1.1.1.1"",""type"":""option""}]",[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/29b07f2d-fca7-11ee-952b-26d521eb1234,test,FALSE,0,0,"6/14/2024, 10:04:49 AM",0,0,4,4345,1,4352,7,0,0,0,0,0,0,,,, +"6/15/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,,,"6/12/2024, 9:47:38 
AM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,[],[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/4542f06e-1754-11ef-ab51-e2d25c3e1234,default-Infoblox-beef,FALSE,0,0,"6/13/2024, 6:24:50 AM",0,0,0,4092,2,4096,4,0,0,0,0,0,0,FALSE,Infoblox-test,"6/12/2024, 9:47:37 AM",TRUE +"6/15/2024, 2:03:23 PM",90,TRUE,TRUE,14,20,percent,30,10,10,"1/1/1970, 12:00:00 AM",0,Test_New,,"4/26/2024, 12:49:16 PM",client,check_with_dhcid,,FALSE,myhost,TRUE,0,FALSE,TRUE,[],3600,3600,TRUE,TRUE,TRUE,[],[],[],FALSE,[],3600,3600,[],[],,,,-,FALSE,[^a-zA-Z0-9.-],ipam/ip_space/63d1f1e4-03cb-11ef-b37a-46b3a2fd1234,DHCP_New,FALSE,0,0,"6/7/2024, 1:29:16 PM",0,0,0,4094,0,4096,2,0,0,0,0,0,0,,,, \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/Infoblox_Config_Insight_Details_CL.csv b/Sample Data/Custom/Infoblox/Infoblox_Config_Insight_Details_CL.csv new file mode 100644 index 00000000000..66538e5c130 --- /dev/null +++ b/Sample Data/Custom/Infoblox/Infoblox_Config_Insight_Details_CL.csv 
@@ -0,0 +1,6 @@
+TimeGenerated [UTC],analyticInsightId_g,insightType_s,feeds_s
+"7/11/2024, 9:24:27 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea1234,Feed Actions Mismatch,"[{""id"":""d6de9f89-f7c7-4837-9060-7f80410939c5"",""ruleType"":""Policy"",""ruleName"":""Default Global Policy"",""feedName"":""AntiMalware"",""currentAction"":""Allow"",""recommendedAction"":""BLOCK"",""status"":""Active""}]"
+"7/11/2024, 9:25:29 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea5678,Feed Actions Mismatch,"[{""id"":""d6de9f89-f7c7-4837-9060-7f80410939c5"",""ruleType"":""Policy"",""ruleName"":""Default Global Policy"",""feedName"":""AntiMalware"",""currentAction"":""Allow"",""recommendedAction"":""BLOCK"",""status"":""Active""}]"
+"7/13/2024, 1:16:21 PM",b19dc157-cca9-5d0d-ac78-5fbb80ea4567,Feed Actions Mismatch,"[{""id"":""d6de9f89-f7c7-4837-9060-7f80410939c5"",""ruleType"":""Policy"",""ruleName"":""Default Global Policy"",""feedName"":""AntiMalware"",""currentAction"":""Allow"",""recommendedAction"":""BLOCK"",""status"":""Fixed""}]"
+"7/13/2024, 7:59:29 PM",b19dc157-cca9-5d0d-ac78-5fbb80ea3456,Feed Actions Mismatch,"[{""id"":""d6de9f89-f7c7-4837-9060-7f80410939c5"",""ruleType"":""Policy"",""ruleName"":""Default Global Policy"",""feedName"":""AntiMalware"",""currentAction"":""Allow"",""recommendedAction"":""BLOCK"",""status"":""Fixed""}]"
+"7/10/2024, 10:02:50 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea2345,Feed Actions Mismatch,"[{""id"":""d6de9f89-f7c7-4837-9060-7f80410939c5"",""ruleType"":""Policy"",""ruleName"":""Default Global Policy"",""feedName"":""AntiMalware"",""currentAction"":""Allow"",""recommendedAction"":""BLOCK"",""status"":""Active""}]"
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/Infoblox_Config_Insights_CL.csv b/Sample Data/Custom/Infoblox/Infoblox_Config_Insights_CL.csv
new file mode 100644
index 00000000000..6ea2d075b91
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/Infoblox_Config_Insights_CL.csv
@@ -0,0 +1,6 @@
+TimeGenerated [UTC],policyAnalyticsId_g,insightType_s
+"7/9/2024, 11:52:20 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea1234,Feed Actions Mismatch
+"7/9/2024, 11:52:20 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea2345,Feed Actions Mismatch
+"7/9/2024, 11:52:20 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea3456,Feed Actions Mismatch
+"7/9/2024, 11:52:20 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea4567,Feed Actions Mismatch
+"7/9/2024, 11:52:20 AM",b19dc157-cca9-5d0d-ac78-5fbb80ea5678,Feed Actions Mismatch
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/Infoblox_Failed_Indicators_CL.csv b/Sample Data/Custom/Infoblox/Infoblox_Failed_Indicators_CL.csv
new file mode 100644
index 00000000000..46f0deb3389
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/Infoblox_Failed_Indicators_CL.csv
@@ -0,0 +1,11 @@ +id_s,revoked_b,labels_s,description_s,indicator_types_s,pattern_s,pattern_version_s,valid_from_t [UTC],valid_until_t [UTC] +indicator--bb8cdcf8-1e2c-11ef-ae91-5ffd6f51234,TRUE,"[""HOST"",""Domain : test-com.top"",""TLD : top"",""Imported : 2024-05-30T02:31:34.497Z"",""Profile : IID"",""Property : Phishing_Lookalike"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a typosquat to test.com and likely used for phishing. The creation date is 2024-05-29.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'test-com.top'],2.1,"5/30/2024, 2:31:34 AM","9/27/2024, 2:26:50 AM" +indicator--f1d0ccd9-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : check-mobile.online"",""TLD : online"",""Imported : 2024-05-30T02:11:37.050Z"",""Profile : IID"",""Property : Phishing_Lookalike"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a lookalike to check-mobile.com and likely used for phishing. The creation or first seen date is 2024-01-27.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'check-mobile.online'],2.1,"5/30/2024, 2:11:37 AM","9/27/2024, 2:09:36 AM" +indicator--bb8c68d2-1e2c-11ef-ae91-5ffd6f511234,TRUE,"[""HOST"",""Domain : expressmail.com"",""TLD : com"",""Imported : 2024-05-30T02:31:34.497Z"",""Profile : IID"",""Property : Phishing_Lookalike"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a typosquat to keyword express and likely used for phishing. 
The creation date is 2024-05-28.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'expressmail.com'],2.1,"5/30/2024, 2:31:34 AM","9/27/2024, 2:26:50 AM" +indicator--f166c0d9-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : accounting-jobs-jp-ja-12345.live"",""TLD : live"",""Imported : 2024-05-30T02:11:36.311Z"",""Profile : IID"",""Property : Phishing_Lookalike"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a lookalike to accounting.com and likely used for phishing. The creation or first seen date is 2024-01-29.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'accounting-jobs-jp-ja-12345.live'],2.1,"5/30/2024, 2:11:36 AM","9/27/2024, 2:09:36 AM" +indicator--f1d057bd-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : bag.com"",""TLD : com"",""Imported : 2024-05-30T02:11:37.050Z"",""Profile : IID"",""Property : Phishing_Generic"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : ""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'webdisk.bag.com'],2.1,"5/30/2024, 2:11:37 AM","9/27/2024, 2:09:36 AM" +indicator--0c09d60a-1e2c-11ef-ae91-5ffd6f5121234,TRUE,"[""HOST"",""Domain : maiwaiwei.com"",""TLD : com"",""Imported : 2024-05-30T02:26:40.104Z"",""Profile : IID"",""Property : Suspicious_Lookalike"",""Dga: False"",""Threat Level : 80"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a typosquat to maiwaiwei.com and likely distributed via spam. 
The creation date is 2024-05-27.""]",Infoblox - HOST - Suspicious,"[""Suspicious""]",[domain-name:value = 'maiwaiwei.com'],2.1,"5/30/2024, 2:26:40 AM","8/13/2024, 2:26:29 AM" +indicator--f1669999-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : teresi.com"",""TLD : com"",""Imported : 2024-05-30T02:11:36.311Z"",""Profile : IID"",""Property : Phishing_Generic"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : ""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'topsoil.teresi.com'],2.1,"5/30/2024, 2:11:36 AM","9/27/2024, 2:09:36 AM" +indicator--f1658879-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : usc.shop"",""TLD : shop"",""Imported : 2024-05-30T02:11:36.311Z"",""Profile : IID"",""Property : Phishing_Generic"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : ""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'usc.shop'],2.1,"5/30/2024, 2:11:36 AM","9/27/2024, 2:09:36 AM" +indicator--f165d650-1e29-11ef-abac-f1ea1d091234,TRUE,"[""HOST"",""Domain : priceless.com"",""TLD : com"",""Imported : 2024-05-30T02:11:36.311Z"",""Profile : IID"",""Property : Phishing_Generic"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Identified as phishing by analysts.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'priceless.com'],2.1,"5/30/2024, 2:11:36 AM","9/27/2024, 2:09:36 AM" +indicator--bb8c40f1-1e2c-11ef-ae91-5ffd6f5121234,TRUE,"[""HOST"",""Domain : support.online"",""TLD : online"",""Imported : 2024-05-30T02:31:34.497Z"",""Profile : IID"",""Property : 
Phishing_Lookalike"",""Dga: False"",""Threat Level : 100"",""Threat Score : -"",""Threat Score Rating : -"",""Confidence Score : -"",""Confidence Score Rating : -"",""Risk Score : -"",""Risk Score Rating : -"",""Notes : Domain is a typosquat to keyword support and likely used for phishing. The creation date is 2024-05-27.""]",Infoblox - HOST - Phishing,"[""Phishing""]",[domain-name:value = 'support.online'],2.1,"5/30/2024, 2:31:34 AM","9/27/2024, 2:26:50 AM" \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/Service_Name_Info_CL.csv b/Sample Data/Custom/Infoblox/Service_Name_Info_CL.csv new file mode 100644 index 00000000000..0bda77f73a0 --- /dev/null +++ b/Sample Data/Custom/Infoblox/Service_Name_Info_CL.csv 
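Review bot: The sample indicators label what look like real, registrable domains (`check-mobile.online`, `expressmail.com`, `bag.com`, `teresi.com`, `usc.shop`, `priceless.com`, `support.online`) as phishing in `labels_s`, `description_s` and `pattern_s`, and nothing in the file marks them as fabricated; if any of them is live, the repository is publishing an unverified threat verdict about a third party's domain. The same issue recurs in dossier_atp_CL.csv (`34.102.13.1`, `80.4.92.16`, `microsoft.com` as `params_target_s`) and in dossier_atp_threat_CL.csv, whose `email_s` column records spam/scam attributions against live-looking mailboxes such as `lsdhfaoi7qyon2@gmail.com`, `geraldyrtqb@gmail.com` and `alinato45skaya@gmail.com`. Sample fixtures should use reserved documentation names and ranges — `.example`/`.test` domains (RFC 2606/6761), addresses from `192.0.2.0/24`, `198.51.100.0/24` or `203.0.113.0/24` (RFC 5737) and `@example.com` mailboxes — so the test data can neither be mistaken for nor collide with real indicators. Only the host, address and email fields need replacing; the synthetic `id_s` values and the STIX `pattern_s` shape can stay.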
@@ -0,0 +1,11 @@ +TimeGenerated [UTC],configs_s,created_at_t [UTC],desired_state_s,destinations_s,id_s,name_s,pool_id_s,service_type_s,source_interfaces_s,updated_at_t [UTC] +"6/16/2024, 2:07:38 PM","[{""host_id"":""test/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnjvmqzdgnrygjsgkojwhbqwiobseaqcabcd"",""id"":""test/service_host/7566a8af-66ee-4381-8361-f785c02712354"",""service_id"":""test/service/4zyyyhkz4nzer72j5pklqvt3ckczabcd""}]","4/17/2024, 11:10:07 AM",start,[],test/service/4zyyyhkz4nzer72j5pklqvt3ckczabcd,test1,test/pool/qsjvfu5m673udtfcsnpxlyqeceuabcd,service1,[],"4/17/2024, 11:10:07 AM" +"6/16/2024, 2:07:38 PM","[{""current_version"":""v3.5.7"",""host_id"":""test/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnjvmqzdgnrygjsgkojwhbqwiobseaqcabcd"",""id"":""test/service_host/d8a53762-4b0c-4bf3-a071-f5d2f94c732a"",""service_id"":""test/service/6je7wvsabcsaqkoej2dj7662zruqabcd"",""upgraded_at"":""2024-05-04T17:17:18Z""}]","4/24/2024, 10:07:51 AM",start,[],test/service/6je7wvsabcsaqkoej2dj7662zruqabcd,test2,test/pool/qsjvfu5m673udtfcsnpxlyqeceuabcd,service2,[],"4/24/2024, 10:07:51 AM" +"6/16/2024, 2:07:38 PM","[{""host_id"":""test/host/jbeuiwrzgi2teyjyg5rgiyjwgjstknbtmu3deyjwmezdgodcmq4tonbzmu3dkzdceaqcaiba"",""id"":""test/service_host/d388cb5a-dcb1-4070-94c5-cf33b0b16f77"",""service_id"":""test/service/74uq6wvescb7xe72kgadrkqmpea5abcd""}]","4/26/2024, 12:00:13 AM",start,[],test/service/74uq6wvescb7xe72kgadrkqmpea5abcd,test3,test/pool/rg74zfqiiuo2nrhh6l7zcuj5zbguabcd,service3,[],"4/26/2024, 12:00:13 AM" +"6/16/2024, 2:07:38 PM","[{""current_version"":""v4.1.2"",""host_id"":""test/host/jbeuiwrzgi2teyjyg5rgiyjwgjstknbtmu3deyjwmezdgodcmq4tonbzmu3dkzdceaqcabcd"",""id"":""test/service_host/76f76f09-369a-4083-a109-5067ea4b1c21"",""service_id"":""test/service/awenmzc4jg3hgzw2mrjmzzgv6gbancd"",""upgraded_at"":""2024-04-26T00:02:33Z""}]","4/26/2024, 12:00:13 
AM",start,[],test/service/awenmzc4jg3hgzw2mrjmzzgv6gbancd,test4,test/pool/rg74zfqiiuo2nrhh6l7zcuj5zbguabcd,service4,[],"4/26/2024, 12:00:13 AM" +"6/16/2024, 2:07:38 PM","[{""host_id"":""test/host/jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqcabcd"",""id"":""test/service_host/8442aa2a-3784-4654-9065-2a5b1101aab41"",""service_id"":""test/service/dwjn3aohe3nmzid6jzzmrf25kdeeabcd""}]","4/15/2024, 12:31:40 PM",start,[],test/service/dwjn3aohe3nmzid6jzzmrf25kdeeabcd,test5,test/pool/zr4foyncx5764ccpzgq4hymy7rwdabcd,service5,[],"4/15/2024, 12:31:40 PM" +"6/16/2024, 2:07:38 PM","[{""current_version"":""v4.1.1"",""host_id"":""test/host/jbeuiwrzgrrgkytbg44dezbvhfqtinzthe2dqmtfgrstgmrymi3gknlegq4tmzbweaqabcd"",""id"":""test/service_host/07d55c75-39a3-4512-a375-7cddca0e111"",""service_id"":""test/service/g5g3jiiydmj2kw3fh6cnowwfhyqqabcd4""}]","4/15/2024, 12:31:40 PM",start,[],test/service/g5g3jiiydmj2kw3fh6cnowwfhyqqabcd4,test6,test/pool/zr4foyncx5764ccpzgq4hymy7rwdabcd,service6,[],"4/15/2024, 12:31:40 PM" +"6/16/2024, 2:07:38 PM","[{""host_id"":""test/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnlcgzstgnrygjsgkojwhbqwiobseaqcabcd"",""id"":""test/service_host/1215f7af-3005-4017-afe1-f617a593ab21"",""service_id"":""test/service/kk2q6vub7qk5gk77ncmffy3kulrnxabcd""}]","4/15/2024, 7:47:35 AM",start,[],test/service/kk2q6vub7qk5gk77ncmffy3kulrnxabcd,test7,test/pool/prgfvenkivqyth4ibdwdljldh7twabcd,service7,[],"4/15/2024, 7:47:35 AM" +"6/16/2024, 2:07:38 PM","[{""current_version"":""v2.1.1"",""host_id"":""test/host/jbeuiwruguzdqnbxhfqtmmrvmjqtoobtgu4denjumvrdgolfgrsdmmtcmrstkzbzeaqcccd"",""id"":""test/service_host/387e5b01-43c3-4c7b-9332-2ab291411234"",""service_id"":""test/service/ko47eun6oqpwj65lz3o2gtlznewwabcd"",""upgraded_at"":""2024-05-22T10:28:46Z""}]","5/22/2024, 10:27:57 AM",start,[],test/service/ko47eun6oqpwj65lz3o2gtlznewwabcd,test8,test/pool/hz7xkduhqhbrotplxy6y5pslkggsabcd,service8,[],"5/22/2024, 10:27:57 AM" +"6/16/2024, 2:07:38 
PM","[{""host_id"":""test/host/jbeuiwruguzdqnbxhfqtmmrvmjqtoobtgu4denjumvrdgolfgrsdmmtcmrstkzbzeaqabcd"",""id"":""test/service_host/ae21a5bc-71e9-450c-8f1a-1b3196a61612"",""service_id"":""test/service/o6vku65j7unqdcv7gcze6yo6i3zmabcd""}]","5/21/2024, 9:16:49 AM",start,[],test/service/o6vku65j7unqdcv7gcze6yo6i3zmabcd,test9,test/pool/hz7xkduhqhbrotplxy6y5pslkggsfabcd,service9,[],"5/21/2024, 9:16:49 AM" +"6/16/2024, 2:07:38 PM","[{""current_version"":""v2.1.1"",""host_id"":""test/host/jbeuiwrwgvsdenbxmvrdkyrxhe2wcnbtgy4dmnjvmqzdgnrygjsgkojwhbqwiobseaqabcd"",""id"":""test/service_host/2f6491f0-f6f6-45c9-8e0a-e48a87a51234"",""service_id"":""test/service/riep7efxh52ewvwxfd7pq6jf3cadrabcdd"",""upgraded_at"":""2024-05-04T17:36:44Z""}]","4/17/2024, 11:19:57 AM",start,[],test/service/riep7efxh52ewvwxfd7pq6jf3cadrabcdd,test10,testfra/pool/qsjvfu5m673udtfcsnpxlyqeceuzabcd,service10,[],"4/17/2024, 11:19:57 AM" \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/dossier_atp_CL.csv b/Sample Data/Custom/Infoblox/dossier_atp_CL.csv new file mode 100644 index 00000000000..8ec342e915f --- /dev/null +++ b/Sample Data/Custom/Infoblox/dossier_atp_CL.csv 
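Review bot: The last row's `pool_id_s` is `testfra/pool/qsjvfu5m673udtfcsnpxlyqeceuzabcd` while every other row uses the `test/pool/` prefix, which looks like a stray edit rather than an intended variant. Any query or test that groups on or strips the `test/pool/` prefix would treat this one row differently from the rest; I would change it to `test/pool/qsjvfu5m673udtfcsnpxlyqeceuzabcd` unless a deliberately malformed pool id is wanted, in which case a comment in the accompanying documentation should say so.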
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],status_message_for_dossier_s,data_attack_chain_collection_s,data_attack_chain_credential_access_s,data_attack_chain_defense_evasion_s,data_attack_chain_execution_s,data_attack_chain_initial_access_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_record_count_d
+"6/17/2024, 8:55:41 AM",Click here to view the data,,,,,,ff214440-c666-4cf0-99e4-3ce0d06bf918,host,gmail.com,atp,success,2825,3.0.0,404
+"6/17/2024, 5:31:13 AM",Click here to view the data,,,,,,040854f4-24a6-432e-aa99-66c62ce7d8bb,host,topotop.top,atp,success,596,3.0.0,3
+"6/17/2024, 12:41:23 PM",Click here to view the data,,,,,,639cf033-585d-43f3-9bdb-6534ff15b91b,ip,34.102.13.1,atp,success,560,3.0.0,1266
+"6/15/2024, 8:00:40 PM",Click here to view the data,,,,,,59667780-5fcd-434d-870e-15214eb740ec,host,microsoft.com,atp,success,455,3.0.0,1
+"6/17/2024, 12:43:03 PM",Click here to view the data,,,,,,5be8bbe3-6abd-4557-9bda-d742803c65b6,ip,80.4.92.16,atp,success,644,3.0.0,4437
+"6/17/2024, 12:44:30 PM",Click here to view the data,,,,,,ebaa16a0-72ef-44dc-92e3-dd15865cd947,ip,10.50.7.83,atp,success,268,3.0.0,0
+"6/17/2024, 12:50:54 PM",Click here to view the data,,,,,,f425133b-4298-4cf6-9659-941e8ef2a59b,host,sheetop.com,atp,success,257,3.0.0,4
+"6/17/2024, 12:44:30 PM",Click here to view the data,,,,,,ebaa16a0-72ef-44dc-92e3-dd15865cd947,ip,10.50.7.83,atp,success,268,3.0.0,0
+"6/17/2024, 12:50:54 PM",Click here to view the data,,,,,,f425133b-4298-4cf6-9659-941e8ef2a59b,host,shee.com,atp,success,257,3.0.0,4
+"6/17/2024, 12:43:03 PM",Click here to view the data,,,,,,5be8bbe3-6abd-4557-9bda-d742803c65b6,ip,80.4.2.16,atp,success,644,3.0.0,4437
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_atp_threat_CL.csv b/Sample Data/Custom/Infoblox/dossier_atp_threat_CL.csv
new file mode 100644
index 00000000000..3abbc24c227
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_atp_threat_CL.csv
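Review bot: The last three data rows reuse earlier rows' `task_id_g` values: `ebaa16a0-72ef-44dc-92e3-dd15865cd947` appears twice with identical content, while `f425133b-4298-4cf6-9659-941e8ef2a59b` and `5be8bbe3-6abd-4557-9bda-d742803c65b6` each appear twice with a different `params_target_s` (`sheetop.com` vs `shee.com`, `80.4.92.16` vs `80.4.2.16`). One task id resolving to two different targets is inconsistent for anything that looks up a dossier result by `task_id_g`, and the near-identical spellings suggest a copy-paste edit rather than an intended case; if a duplicate-row case is wanted, keep the rows byte-identical or give the variant its own task id. dossier_dns_CL.csv has the same shape — only four distinct rows among its ten — so a count-based ingestion check would not distinguish duplicates from distinct records.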
@@ -0,0 +1,11 @@ +TimeGenerated [UTC],extended_registration_date_s,ip_s,target_s,email_s,extended_extended_s,extended_url_hash_g,url_s,extended_no_whitelist_s,extended_protocol_s,extended_email_id_s,extended_processor_s,extended_provider_s,extended_submitter_s,full_origin_s,extended_from_email_s,extended_subject_line_s,extended_references_s,up_s,extended_attack_chain_s,extended_reason_s,batch_id_g,class_s,confidence_d,confidence_score_d,confidence_score_rating_s,confidence_score_vector_s,detected_t [UTC],dga_s,domain_s,expiration_t [UTC],extended_cyberint_guid_g,extended_notes_s,full_profile_s,host_s,id_g,imported_t [UTC],profile_s,property_s,received_t [UTC],risk_score_d,risk_score_rating_s,risk_score_vector_s,threat_level_d,threat_score_d,threat_score_rating_s,threat_score_vector_s,tld_s,type_s,task_id_g +"6/17/2024, 12:50:54 PM",2024-04-22,1.1.1.1,gateway,abc@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba6a739578c4dc05221ead11e27bdb398chttpBLOX_cyberint,,,,,,,,,,,,TRUE,,,b83c49f6-2a25-11ef-af1f-013d6c5481fc,Suspicious,100,7,High,,"6/14/2024, 8:06:37 AM",FALSE,gmail.com,"8/28/2024, 8:06:37 AM",,Domain containing known abused keywords associated with corporate MFA phishing and having other suspicious characteristics. 
The creation or first seen date is 2024-04-25.,IID:IID_IRD,gmail.com,b84571d8-2a25-11ef-af1f-013d6c5481fc,"6/14/2024, 8:11:37 AM",IID,Suspicious_Lookalike,"6/14/2024, 8:11:37 AM",,Low,,80,,Medium,,cc,HOST,f425133b-4298-4cf6-9659-941e8ef2a59b +"6/17/2024, 12:50:54 PM",2024-04-23,1.1.1.2,gateway,bcx@gmail.com,,8ee63d7da8f73ccc8b311fd8bf96e04ec3d904acd97d3eb24173b81f1251cac9eb8adc23532243b222b3f41579aff218httpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,,8379fda4-29a4-11ef-8105-f3f5bf9135c3,Policy,100,5,High,,"6/13/2024, 4:41:29 PM",FALSE,gmail.com,"6/20/2024, 4:41:29 PM",,This domain was recently observed by Infoblox and was likely created or updated within the past 90 days.,IID:IID_IRD,gmail.com,838e491a-29a4-11ef-8105-f3f5bf9135c3,"6/13/2024, 4:46:43 PM",IID,Policy_NewlyObservedDomains,"6/13/2024, 4:46:43 PM",,Low,,0,,Medium,,cc,HOST,f425133b-4298-4cf6-9659-941e8ef2a59b +"6/17/2024, 12:50:54 PM",2024-04-24,1.1.1.3,gateway,lsdhfaoi7qyon2@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba6a739578c4dc05221ead11e27bdb398chttpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,,4d902575-2941-11ef-af1f-013d6c5481fc,Suspicious,100,6,High,,"6/13/2024, 4:52:41 AM",FALSE,gmail.com,"8/27/2024, 4:52:41 AM",,"The indicator has suspicious registration characteristics, including high risk name servers, registrar or TLD. The domain was created on 2024-04-25.",IID:IID_IRD,gmail.com,4d95a3cc-2941-11ef-af1f-013d6c5481fc,"6/13/2024, 4:56:32 AM",IID,Suspicious_EmergentDomain,"6/13/2024, 4:56:32 AM",,Low,,80,,Medium,,cc,HOST,f425133b-4298-4cf6-9659-941e8ef2a59b +"6/17/2024, 12:50:54 PM",2024-04-25,1.1.1.4,gateway,abc@gmail.com,,8ee63d7da8f73ccc8b311fd8bf96e04ec3d904acd97d3eb24173b81f1251cac9eb8adc23532243b222b3f41579aff218httpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,Domain is a typosquat to keyword gateway. 
The creation date is 2024-04-25.,6991f021-29f6-11ef-af1f-013d6c5481fc,Policy,100,2,High,,"6/14/2024, 2:31:53 AM",FALSE,gmail.com,"8/28/2024, 2:31:53 AM",,Domain is a typosquat to keyword gateway. The creation date is 2024-04-25.,IID:IID_IRD,gmail.com,699ec184-29f6-11ef-af1f-013d6c5481fc,"6/14/2024, 2:32:58 AM",IID,Policy_LookalikeDomains,"6/14/2024, 2:32:58 AM",,Low,,0,,Medium,,cc,HOST,f425133b-4298-4cf6-9659-941e8ef2a59b +"6/17/2024, 8:55:41 AM",2024-04-26,1.1.1.5,gateway,bcx@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba6a739578c4dc05221ead11e27bdb398chttpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,,ab4b2942-a3f8-11ed-81c7-af2e8cbc0a78,Suspicious,100,7,High,,"2/3/2023, 7:25:45 PM",FALSE,gmail.com,"6/3/2023, 7:25:45 PM",,"Email sending spam, fake PayPal email saying you bought some bitcoin. Contained no links, but a phone number to call for any questions. The phone number wasn't associated with PayPal.",IID:ANALYST,gmail.com,ab4c61c3-a3f8-11ed-81c7-af2e8cbc0a78,"2/3/2023, 7:26:34 PM",IID,Suspicious_Spam,"2/3/2023, 7:26:34 PM",1.1,Low,,80,,Medium,,com,EMAIL,ff214440-c666-4cf0-99e4-3ce0d06bf918 +"6/17/2024, 8:55:41 AM",2024-04-27,1.1.1.6,gateway,lsdhfaoi7qyon2@gmail.com,,8ee63d7da8f73ccc8b311fd8bf96e04ec3d904acd97d3eb24173b81f1251cac9eb8adc23532243b222b3f41579aff218httpBLOX_cyberint,http://gmail.com/,,,,,,,,,,,TRUE,,,986c5c2d-7528-11e8-9c38-09442e51030a,Policy,100,9,High,,"6/21/2018, 8:00:24 AM",FALSE,gmail.com,"6/28/2018, 8:00:24 AM",,,IID:ANALYST,gmail.com,986c833e-7528-11e8-9c38-09442e51030a,"6/21/2018, 7:56:25 AM",IID,Policy_UnsolictedBulkEmail,"6/21/2018, 7:56:25 AM",,High,,100,,Medium,,com,URL,ff214440-c666-4cf0-99e4-3ce0d06bf918 +"6/17/2024, 8:55:41 AM",2024-04-28,1.1.1.7,gateway,abc@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba6a739578c4dc05221ead11e27bdb398chttpBLOX_cyberint,http://ActivstWeb@gmail.com/,,,,,,,,,,,TRUE,,,fc957cd5-74c3-11e8-a923-ef12c30ba6fa,Policy,100,8,High,,"6/20/2018, 8:00:09 
PM",FALSE,gmail.com,"6/27/2018, 8:00:09 PM",,,IID:ANALYST,gmail.com,fc95caf7-74c3-11e8-a923-ef12c30ba6fa,"6/20/2018, 7:56:14 PM",IID,Policy_UnsolictedBulkEmail,"6/20/2018, 7:56:14 PM",,High,,100,,Medium,,com,URL,ff214440-c666-4cf0-99e4-3ce0d06bf918 +"6/17/2024, 8:55:41 AM",2024-04-29,1.1.1.8,gateway,bcx@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba32bc45b27d58ccc0dd8867bc63b358a0httpBLOX_cyberint,http://ActivistWeb@gmail.com/,,,,,,,,,,,TRUE,,,fe301a0e-74c3-11e8-a923-ef12c30ba6fa,Policy,100,5,High,,"6/20/2018, 8:00:15 PM",FALSE,gmail.com,"6/27/2018, 8:00:15 PM",,,IID:ANALYST,gmail.com,fe30682f-74c3-11e8-a923-ef12c30ba6fa,"6/20/2018, 7:56:17 PM",IID,Policy_UnsolictedBulkEmail,"6/20/2018, 7:56:17 PM",,High,,100,,Medium,,com,URL,ff214440-c666-4cf0-99e4-3ce0d06bf918 +"6/17/2024, 8:55:41 AM",2024-04-30,1.1.1.9,gateway,geraldyrtqb@gmail.com,,8ee63d7da8f73ccc8b311fd8bf96e04ec3d904acd97d3eb24173b81f1251cac9eb8adc23532243b222b3f41579aff218httpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,,6a77a87a-428e-11ee-baf7-d18af4aa0033,Scam,100,8,High,,"8/24/2023, 2:56:23 PM",FALSE,gmail.com,"8/24/2024, 2:56:23 PM",,"Email address used to send correspondence to victims by hundreds of fake shops hosted on lookalike domains impersonating popular shoes/clothes/luxury brands, such as conversesk[.]sk or coiumbia-greece[.]com.",IID:ANALYST,gmail.com,6a7bee3b-428e-11ee-baf7-d18af4aa0033,"8/24/2023, 2:56:33 PM",IID,Scam_Generic,"8/24/2023, 2:56:33 PM",7.7,High,,100,4.6,Medium,,com,EMAIL,ff214440-c666-4cf0-99e4-3ce0d06bf918 +"6/17/2024, 8:55:41 AM",2024-05-01,1.1.1.10,gateway,alinato45skaya@gmail.com,,aaf1655c49bec1d772f024b96f3824c9f3f37019e0b521da09d447a9b12c66ba6a739578c4dc05221ead11e27bdb398chttpBLOX_cyberint,http://example.com,,,,,,,,,,,TRUE,,,cdee6267-7566-11ee-b0bf-0be971d2b1a4,Scam,100,8.1,High,,"10/28/2023, 7:47:49 AM",FALSE,gmail.com,"2/25/2024, 7:47:49 AM",,Email address used as a registrant email during registration of around 70 domains (for example: 
alensaprofilf[.]com) which were used in a scam campaign advertised on Facebook.,IID:ANALYST,gmail.com,cdf1bdc8-7566-11ee-b0bf-0be971d2b1a4,"10/28/2023, 7:51:30 AM",IID,Scam_FinancialFraud,"10/28/2023, 7:51:30 AM",8,High,,100,6.5,Medium,,com,EMAIL,ff214440-c666-4cf0-99e4-3ce0d06bf918 \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/dossier_dns_CL.csv b/Sample Data/Custom/Infoblox/dossier_dns_CL.csv new file mode 100644 index 00000000000..632dd1458fd --- /dev/null +++ b/Sample Data/Custom/Infoblox/dossier_dns_CL.csv 
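Review bot: `extended_url_hash_g` carries a `_g` (GUID) suffix but every row holds a long hex string with a literal `httpBLOX_cyberint` suffix (e.g. `aaf1655c…bdb398chttpBLOX_cyberint`), which is not a GUID; if the matching CustomTables schema declares this column as a guid, as the suffix suggests, these rows will not validate or will ingest the column as empty. Either rename the column to `extended_url_hash_s` in both the CSV and the schema, or replace the values with GUID-shaped placeholders. The other `_g` columns in the hunk (`batch_id_g`, `id_g`, `task_id_g`) do hold well-formed GUIDs.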
@@ -0,0 +1,11 @@ +TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_A_s,data_AAAA_s,data_CERT_s,data_CNAME_s,data_HTTPS_s,data_MX_s,data_NS_s,data_SOA_s,data_SVCB_s,data_TSIG_s,data_TXT_s,data_rcode_s +"6/15/2024, 8:00:41 PM",Click here to view the data,1cb2e029-3b2e-4166-8efd-6adc99a9399d,host,gmail.com,dns,success,240,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 8:55:41 AM",Click here to view the data,9eed61ce-a1dd-4aa5-824e-80db7a2d7e7b,host,gmail.com,dns,success,219,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 5:31:11 AM",Click here to view the data,f54949d0-fed5-46b7-b0a7-54e59705439d,host,gmail.com,dns,success,650,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 12:50:55 PM",Click here to view the 
data,57e22741-ee40-4043-bb5f-dd99974f4513,host,gmail.com,dns,success,748,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/15/2024, 8:00:41 PM",Click here to view the data,1cb2e029-3b2e-4166-8efd-6adc99a9399d,host,gmail.com,dns,success,240,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 8:55:41 AM",Click here to view the data,9eed61ce-a1dd-4aa5-824e-80db7a2d7e7b,host,gmail.com,dns,success,219,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 5:31:11 AM",Click here to view the data,f54949d0-fed5-46b7-b0a7-54e59705439d,host,gmail.com,dns,success,650,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 12:50:55 PM",Click here to view the 
data,57e22741-ee40-4043-bb5f-dd99974f4513,host,gmail.com,dns,success,748,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 5:31:11 AM",Click here to view the data,f54949d0-fed5-46b7-b0a7-54e59705439d,host,gmail.com,dns,success,650,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR +"6/17/2024, 12:50:55 PM",Click here to view the data,57e22741-ee40-4043-bb5f-dd99974f4513,host,gmail.com,dns,success,748,3.0.0,"[{""ip"":""13.15.6.12"",""reverse"":""Failed"",""ttl"":7207}]","[""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12"",""2607:f9y0:404:cg1f::12""]",[],[],[],[],"[""ns.domaincontrol.com."",""ns1.domaincontrol.""]","[""ns.domaincontrol.com."",""ns1.domaincontrol.""]",[],[],[],NOERROR \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/dossier_geo_CL.csv b/Sample Data/Custom/Infoblox/dossier_geo_CL.csv new file mode 100644 index 00000000000..5fdbfd6fac8 --- /dev/null +++ b/Sample Data/Custom/Infoblox/dossier_geo_CL.csv 
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],data_info_s,data_reason_s,status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_asn_num_s,data_city_s,data_country_code_s,data_country_name_s,data_isp_s,data_latitude_d,data_longitude_d,data_org_s,data_postal_code_s,data_region_s
+"6/17/2024, 12:44:30 PM",bad http status,bad api response status code: 500,Click here to view the data,ce0fea11-d360-4206-b34c-84df01f46dc5,ip,10.0.7.83,geo,error,8,3.0.0,,,,,,,,,,
+"6/17/2024, 5:31:12 AM",bad http status,bad api response status code: 501,Click here to view the data,67a42363-a98f-4529-895f-15e033a31eb4,host,topotop.top,geo,success,8,3.0.0,9232,Gwangmyeong (Gasan digital 2-ro),KR,South Korea,IOVZ,30.47,48.151,,,Gyeonggi-do
+"6/17/2024, 8:55:41 AM",bad http status,bad api response status code: 502,Click here to view the data,69c03d38-9a4e-4ab8-ba97-87f90bcfe9e0,host,gmail.com,geo,success,36,3.0.0,15169,Mountain View,US,United States,Google LLC,7.422,39.097,Google LLC,94043,California
+"6/15/2024, 8:00:39 PM",bad http status,bad api response status code: 503,Click here to view the data,2075e48c-69b8-4324-b87b-f2ec7e067d91,host,gmail.com,geo,success,10,3.0.0,53831,New York,US,United States,"Squarespace, Inc.",44.729,52.676,"Squarespace, Inc.",10014,New York
+"6/17/2024, 12:41:24 PM",,,Click here to view the data,854503af-65e6-4a57-b7ec-41c6ef831c11,ip,10.0.7.83,geo,success,7,3.0.0,396982,Kansas City,US,United States,Google LLC,36.0997,48.151,Google Cloud,64121,Missouri
+"6/17/2024, 12:43:04 PM",,,Click here to view the data,31a4c61a-498e-4cc7-ac39-98b9f623c4e1,ip,10.0.7.83,geo,success,8,3.0.0,47890,Amsterdam,NL,The Netherlands,Unmanaged LTD,2.3676,30.47,Pptechnology Limited,1012,North Holland
+"6/17/2024, 12:50:54 PM",,,Click here to view the data,29571759-b062-44bb-91a6-0e7033653d4c,host,gmail.com,geo,success,8,3.0.0,47846,Munich,DE,Germany,SEDO GmbH,48.151,7.422,SEDO,80331,Bavaria
+"6/17/2024, 12:41:24 PM",,,Click here to view the
data,854503af-65e6-4a57-b7ec-41c6ef831c11,ip,10.0.7.83,geo,success,7,3.0.0,396982,Kansas City,US,United States,Google LLC,39.097,44.729,Google Cloud,64121,Missouri
+"6/17/2024, 12:43:04 PM",,,Click here to view the data,31a4c61a-498e-4cc7-ac39-98b9f623c4e1,ip,10.0.7.83,geo,success,8,3.0.0,47890,Amsterdam,NL,The Netherlands,Unmanaged LTD,52.676,36.0997,Pptechnology Limited,1012,North Holland
+"6/17/2024, 12:50:54 PM",,,Click here to view the data,29571759-b062-44bb-91a6-0e7033653d4c,host,gmail.com,geo,success,8,3.0.0,47846,Munich,DE,Germany,SEDO GmbH,48.151,2.3676,SEDO,80331,Bavaria
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_infoblox_web_cat_CL.csv b/Sample Data/Custom/Infoblox/dossier_infoblox_web_cat_CL.csv
new file mode 100644
index 00000000000..0e120af3d68
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_infoblox_web_cat_CL.csv
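Review bot: The rows that repeat a task_id_g in this file do not agree with their first occurrence: 854503af… is listed with `36.0997,48.151` and again with `39.097,44.729`, 31a4c61a… with `2.3676,30.47` and `52.676,36.0997`, and 29571759… changes longitude from `7.422` to `2.3676`. Any query or workbook that joins or dedupes on task_id_g will therefore see conflicting data_latitude_d/data_longitude_d values for one lookup. Either drop the repeated rows or make them exact copies of the first occurrence, as the other sample files in this commit do.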
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_results_s
+"6/15/2024, 8:00:40 PM",Click here to view the data,290d7eb8-d4ae-4596-8496-940fc4ad137a,host,example.com,infoblox_web_cat,success,12,3.0.0,"[{""name"":""Business Software""},{""name"":""Technology - Other""}]"
+"6/17/2024, 12:50:52 PM",Click here to view the data,ff40a779-d64d-48c3-922f-0b45d7151c0b,host,example.com,infoblox_web_cat,success,12,3.0.0,"[{""name"":""Uncategorized""}]"
+"6/17/2024, 5:31:11 AM",Click here to view the data,a2b5c5eb-b4ba-4fee-8d39-69bc168ba7f7,host,example.com,infoblox_web_cat,success,7,3.0.0,"[{""name"":""Uncategorized""}]"
+"6/17/2024, 8:55:40 AM",Click here to view the data,5c54613f-0ba9-4432-b383-72ba9dd121e7,host,example.com,infoblox_web_cat,success,9,3.0.0,"[{""name"":""Web-based Email""}]"
+"6/15/2024, 8:00:40 PM",Click here to view the data,290d7eb8-d4ae-4596-8496-940fc4ad137a,host,example.com,infoblox_web_cat,success,12,3.0.0,"[{""name"":""Business Software""},{""name"":""Technology - Other""}]"
+"6/17/2024, 12:50:52 PM",Click here to view the data,ff40a779-d64d-48c3-922f-0b45d7151c0b,host,example.com,infoblox_web_cat,success,12,3.0.0,"[{""name"":""Uncategorized""}]"
+"6/17/2024, 5:31:11 AM",Click here to view the data,a2b5c5eb-b4ba-4fee-8d39-69bc168ba7f7,host,example.com,infoblox_web_cat,success,7,3.0.0,"[{""name"":""Uncategorized""}]"
+"6/17/2024, 8:55:40 AM",Click here to view the data,5c54613f-0ba9-4432-b383-72ba9dd121e7,host,example.com,infoblox_web_cat,success,9,3.0.0,"[{""name"":""Web-based Email""}]"
+"6/17/2024, 5:31:11 AM",Click here to view the data,a2b5c5eb-b4ba-4fee-8d39-69bc168ba7f7,host,example.com,infoblox_web_cat,success,7,3.0.0,"[{""name"":""Uncategorized""}]"
+"6/17/2024, 8:55:40 AM",Click here to view the data,5c54613f-0ba9-4432-b383-72ba9dd121e7,host,example.com,infoblox_web_cat,success,9,3.0.0,"[{""name"":""Web-based Email""}]"
\ No newline at end of
file
diff --git a/Sample Data/Custom/Infoblox/dossier_inforank_CL.csv b/Sample Data/Custom/Infoblox/dossier_inforank_CL.csv
new file mode 100644
index 00000000000..4c2c2cb9a1c
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_inforank_CL.csv
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],data_domain_s,data_interval_s,data_rank_d,status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_message_s
+"6/15/2024, 8:00:39 PM",example.com,"[1546, 1573]",1560,Click here to view the data,6955e03f-e536-4182-8a95-2ae3724ac5de,host,example.com,inforank,success,142,3.0.0,domain not found in list
+"6/17/2024, 8:55:40 AM",example.com,"[1546, 1573]",1560,Click here to view the data,237d70be-89f6-46eb-bbf9-701c6eb5d302,host,example.com,inforank,success,435,3.0.0,domain not found in list
+"6/17/2024, 5:31:12 AM",example.com,"[1546, 1573]",1560,Click here to view the data,84ebf68b-c5db-4bfd-b4ac-bb40e8b1a94d,host,example.com,inforank,success,165,3.0.0,domain not found in list
+"6/17/2024, 12:50:52 PM",example.com,"[1546, 1573]",1560,Click here to view the data,6f81564b-aa80-44e8-b866-7f1a48e981c3,host,example.com,inforank,success,144,3.0.0,domain not found in list
+"6/15/2024, 8:00:39 PM",example.com,"[1546, 1573]",1560,Click here to view the data,6955e03f-e536-4182-8a95-2ae3724ac5de,host,example.com,inforank,success,142,3.0.0,domain not found in list
+"6/17/2024, 8:55:40 AM",example.com,"[1546, 1573]",1560,Click here to view the data,237d70be-89f6-46eb-bbf9-701c6eb5d302,host,example.com,inforank,success,435,3.0.0,domain not found in list
+"6/17/2024, 5:31:12 AM",example.com,"[1546, 1573]",1560,Click here to view the data,84ebf68b-c5db-4bfd-b4ac-bb40e8b1a94d,host,example.com,inforank,success,165,3.0.0,domain not found in list
+"6/17/2024, 12:50:52 PM",example.com,"[1546, 1573]",1560,Click here to view the data,6f81564b-aa80-44e8-b866-7f1a48e981c3,host,example.com,inforank,success,144,3.0.0,domain not found in list
+"6/17/2024, 8:55:40 AM",example.com,"[1546, 1573]",1560,Click here to view the data,237d70be-89f6-46eb-bbf9-701c6eb5d302,host,example.com,inforank,success,435,3.0.0,domain not found in list
+"6/17/2024, 5:31:12 AM",example.com,"[1546, 1573]",1560,Click here to view
the data,84ebf68b-c5db-4bfd-b4ac-bb40e8b1a94d,host,example.com,inforank,success,165,3.0.0,domain not found in list
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_malware_analysis_v3_CL.csv b/Sample Data/Custom/Infoblox/dossier_malware_analysis_v3_CL.csv
new file mode 100644
index 00000000000..8df10f04429
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_malware_analysis_v3_CL.csv
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,v_s,data_info_s,data_reason_s
+"6/17/2024, 12:50:52 PM",Click here to view the data,606778a1-6cd1-486c-ab89-32a413881b33,host,example.com,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:41:23 PM",Click here to view the data,43498062-6526-4d29-a02b-91299a0502d1,ip,34.12.16.18,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:43:02 PM",Click here to view the data,c35445f1-d74b-4242-bd53-1bf28b681b02,ip,34.12.16.18,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:44:30 PM",Click here to view the data,3c92b56a-e426-439d-b7fb-137e62312233,ip,34.12.16.18,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/15/2024, 8:00:39 PM",Click here to view the data,3fec9a6c-1f25-4f34-8a2b-c4131d10251d,host,example.com,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 5:31:12 AM",Click here to view the data,b189f96a-272b-4776-b417-0025837b4f33,host,example.com,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 8:55:42 AM",Click here to view the data,3c9aadea-eb66-4656-87ad-8638df9276d4,host,example.com,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:50:52 PM",Click here to view the data,606778a1-6cd1-486c-ab89-32a413881b33,host,example.com,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:41:23 PM",Click here to view the data,43498062-6526-4d29-a02b-91299a0502d1,ip,34.12.16.18,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
+"6/17/2024, 12:43:02 PM",Click here to view the
data,c35445f1-d74b-4242-bd53-1bf28b681b02,ip,34.12.16.18,malware_analysis_v3,error,3.0.0,no valid key for virus_total,error getting source key
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_nameserver_CL.csv b/Sample Data/Custom/Infoblox/dossier_nameserver_CL.csv
new file mode 100644
index 00000000000..a3f5732dcf2
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_nameserver_CL.csv
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s
+"6/17/2024, 8:55:40 AM",Click here to view the data,9e96731c-924b-4c1d-8b7b-fc4189afdcf0,host,example.com,nameserver,success,34,3.0.0
+"6/17/2024, 5:31:13 AM",Click here to view the data,0ca7958e-bb9e-4759-979a-5c82a84d472b,host,example.com,nameserver,success,123,3.0.0
+"6/17/2024, 12:50:53 PM",Click here to view the data,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187,host,example.com,nameserver,success,81,3.0.0
+"6/15/2024, 8:00:39 PM",Click here to view the data,97ae2e54-6db4-4af0-9ac9-35e197653f9b,host,example.com,nameserver,success,48,3.0.0
+"6/17/2024, 8:55:40 AM",Click here to view the data,9e96731c-924b-4c1d-8b7b-fc4189afdcf0,host,example.com,nameserver,success,34,3.0.0
+"6/17/2024, 5:31:13 AM",Click here to view the data,0ca7958e-bb9e-4759-979a-5c82a84d472b,host,example.com,nameserver,success,123,3.0.0
+"6/17/2024, 12:50:53 PM",Click here to view the data,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187,host,example.com,nameserver,success,81,3.0.0
+"6/15/2024, 8:00:39 PM",Click here to view the data,97ae2e54-6db4-4af0-9ac9-35e197653f9b,host,example.com,nameserver,success,48,3.0.0
+"6/17/2024, 12:50:53 PM",Click here to view the data,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187,host,example.com,nameserver,success,81,3.0.0
+"6/15/2024, 8:00:39 PM",Click here to view the data,97ae2e54-6db4-4af0-9ac9-35e197653f9b,host,example.com,nameserver,success,48,3.0.0
\ No newline at end of file
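Review bot: The ip rows in this sample file use a routable public address (`34.12.16.18`) rather than a documentation range, and the same pattern recurs in the later hunks of this commit: `8.9.9.1`, `3.1.1.1` and `10.5.7.8` in dossier_rpz_feeds/dossier_whitelist, `1.1.1.1` labelled `Proxy_TorExitNode` in tide_lookup_data_CL.csv, and live RDAP links in dossier_whois_CL.csv. Once sample data is ingested into a workspace these tables attach threat labels to real infrastructure, so any rule or workbook that enriches on them can raise matches against addresses that have nothing to do with the tenant. Prefer RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and reserved example domains, as the example.com rows in this file already do.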
diff --git a/Sample Data/Custom/Infoblox/dossier_nameserver_matches_CL.csv b/Sample Data/Custom/Infoblox/dossier_nameserver_matches_CL.csv
new file mode 100644
index 00000000000..a5d6590d04d
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_nameserver_matches_CL.csv
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],domain_s,ns_reputation_confidence_s,ns_reputation_label_s,ns_reputation_malicious_counts_s,ns_reputation_popular_s,ns_reputation_rare_s,ns_reputation_raw_score_s,ns_reputation_score_s,ns_reputation_total_counts_s,task_id_g
+"6/15/2024, 8:00:39 PM",ns.abc.com,high,Moderate Risk,105391,TRUE,FALSE,-2.923884892,4,2067082,97ae2e54-6db4-4af0-9ac9-35e197653f9b
+"6/15/2024, 8:00:39 PM",ns.abc.com,high,Moderate Risk,105391,TRUE,FALSE,-2.923884892,4,2067082,97ae2e54-6db4-4af0-9ac9-35e197653f9b
+"6/17/2024, 12:50:53 PM",ns.abc.com,high,Moderate Risk,110071,TRUE,FALSE,-0.7352914465,5,339689,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187
+"6/17/2024, 12:50:53 PM",ns.abc.com,high,Moderate Risk,110071,TRUE,FALSE,-0.7352914465,5,339689,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187
+"6/17/2024, 12:50:53 PM",ns.abc.com,high,Moderate Risk,105391,TRUE,FALSE,-0.7352914465,5,339689,23b70ac4-8ab5-4ccf-9d4d-4d6958e77187
+"6/17/2024, 8:55:40 AM",ns.abc.com,high,Low Risk,105391,FALSE,FALSE,-4.391357962,3,327,9e96731c-924b-4c1d-8b7b-fc4189afdcf0
+"6/17/2024, 8:55:40 AM",ns.abc.com,high,Low Risk,110071,FALSE,FALSE,-4.391357962,3,327,9e96731c-924b-4c1d-8b7b-fc4189afdcf0
+"6/17/2024, 8:55:40 AM",ns.abc.com,high,Low Risk,110071,FALSE,FALSE,-4.391357962,3,327,9e96731c-924b-4c1d-8b7b-fc4189afdcf0
+"6/17/2024, 8:55:40 AM",ns.abc.com,high,Low Risk,110071,FALSE,FALSE,-4.391357962,3,327,9e96731c-924b-4c1d-8b7b-fc4189afdcf0
+"6/17/2024, 5:31:13 AM",ns.abc.com,high,Moderate Risk,110071,TRUE,FALSE,-0.7352914465,5,339689,0ca7958e-bb9e-4759-979a-5c82a84d472b
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_ptr_CL.csv b/Sample Data/Custom/Infoblox/dossier_ptr_CL.csv
new file mode 100644
index 00000000000..9094f5dc7df
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_ptr_CL.csv
@@ -0,0 +1,4 @@
+TimeGenerated [UTC],data_reason_s,data_status_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_ptr_record_s,status_message_for_dossier_s
+"6/17/2024, 12:44:30 PM",NXDOMAIN,error,0f7f7bc2-b013-47e3-8287-4e692e09ba0b,ip,1.5.7.8,ptr,success,2,3.0.0,,Click here to view the data
+"6/17/2024, 12:41:24 PM",,,cbecb37b-f870-4c40-bb93-2b206c3339f6,ip,3.10.1.1,ptr,success,24,3.0.0,18.36.2.4.bc.googleusercontent.com,Click here to view the data
+"6/17/2024, 12:43:03 PM",SERVFAIL,error,3370767e-3e18-4535-8d97-5a952115b1c6,ip,8.4.2.1,ptr,success,1019,3.0.0,,Click here to view the data
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_rpz_feeds_CL.csv b/Sample Data/Custom/Infoblox/dossier_rpz_feeds_CL.csv
new file mode 100644
index 00000000000..cd18c56e0c2
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_rpz_feeds_CL.csv
@@ -0,0 +1,8 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s
+"6/17/2024, 8:55:40 AM",Click here to view the data,a798ebf2-9cde-4070-9037-28301d70da93,host,gmxx.com,rpz_feeds,success,2216,3.0.0
+"6/17/2024, 5:31:12 AM",,a3146e38-ce21-4679-80ee-27654519969d,host,topopo.top,rpz_feeds,success,572,3.0.0
+"6/15/2024, 8:00:39 PM",,ea2e803a-72ca-4697-b7f6-32a6536b18c6,host,crexx.ai,rpz_feeds,success,418,3.0.0
+"6/17/2024, 12:44:30 PM",Click here to view the data,aa1b43fa-437e-49ca-a98f-9a7880700b4a,ip,1.5.7.8,rpz_feeds,success,312,3.0.0
+"6/17/2024, 12:41:24 PM",Click here to view the data,70a49adf-c1a0-4236-aee9-1d42ad9bdfd4,ip,3.1.13.18,rpz_feeds,success,357,3.0.0
+"6/17/2024, 12:43:03 PM",Click here to view the data,857214cd-90b1-41f8-8556-9554e9e6ff71,ip,8.9.9.1,rpz_feeds,success,401,3.0.0
+"6/17/2024, 12:50:53 PM",Click here to view the data,942c875e-f6cf-4385-8ff9-f91779932ccd,host,ser-gate.cc,rpz_feeds,success,447,3.0.0
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_rpz_feeds_records_CL.csv b/Sample Data/Custom/Infoblox/dossier_rpz_feeds_records_CL.csv
new file mode 100644
index 00000000000..13d0aa2b95e
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_rpz_feeds_records_CL.csv
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],class_s,detected_t [UTC],expiration_t [UTC],feed_name_s,indicator_s,property_s,threat_level_d,task_id_g
+"6/17/2024, 12:43:03 PM",Proxy,"6/17/2024, 11:30:43 AM","7/1/2024, 11:30:43 AM",ib-extre-blxx,8.9.9.1,Proxy_TorExitNode,50,857214cd-90b1-41f8-8556-9554e9e6ff71
+"6/17/2024, 12:43:03 PM",Proxy,"6/17/2024, 11:30:43 AM","7/1/2024, 11:30:43 AM",ib-hi-blxx,8.9.9.1,Proxy_TorExitNode,50,857214cd-90b1-41f8-8556-9554e9e6ff71
+"6/17/2024, 12:43:03 PM",Proxy,"6/17/2024, 11:30:43 AM","7/1/2024, 11:30:43 AM",tor-exit-ne-ixx,8.9.9.1,Proxy_TorExitNode,50,857214cd-90b1-41f8-8556-9554e9e6ff71
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",antimalware,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",ib-extreme-blxx,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",ib-high-blxx,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",ib-low-blxx,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",ib-med-blxx,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Phishing,"6/3/2024, 11:42:48 AM","7/3/2024, 11:42:48 AM",inlox-bxx,topopo.top,Phishing_Generic,100,a3146e38-ce21-4679-80ee-27654519969d
+"6/17/2024, 5:31:12 AM",Suspicious,"5/27/2024, 5:38:51 PM","8/10/2024, 5:38:51 PM",info-high-rxxx,topopo.top,Suspicious_EmergentDomain,80,a3146e38-ce21-4679-80ee-27654519969d
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_threat_actor_CL.csv b/Sample Data/Custom/Infoblox/dossier_threat_actor_CL.csv
new file mode 100644
index 00000000000..37104ed81d7
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_threat_actor_CL.csv
@@ -0,0 +1,5 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_actor_description_s,data_actor_id_s,data_actor_name_s,data_customer_first_dns_query_s,data_customer_last_dns_query_s,data_display_name_s,data_external_references_s,data_ikb_first_classified_malicious_s,data_ikb_submitted_s,data_infoblox_references_s,data_page_s,data_purpose_s,data_related_count_s,data_ttp_s
+"6/17/2024, 12:50:52 PM",Click here to view the data,be7b0d95-e306-4811-9301-276c832abcde,host,ser-gate.cc,threat_actor,success,13,3.0.0,,,,,,,[],,,[],0,[],0,[]
+"6/17/2024, 5:31:12 AM",,28290600-3d2b-41a8-93b1-d3d0000abcd,host,topopo.top,threat_actor,success,9,3.0.0,,,,,,,[],,,[],0,[],0,[]
+"6/17/2024, 8:55:42 AM",Click here to view the data,4811cabd-2528-4c00-9ed2-146fef66abcd,host,gmaxx.com,threat_actor,success,21,3.0.0,,,,,,,[],,,[],0,[],0,[]
+"6/15/2024, 8:00:41 PM",,2868d3a6-372c-44b8-b3d8-4ecd390babcd,host,crexx.ai,threat_actor,success,16,3.0.0,,,,,,,[],,,[],0,[],0,[]
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_tld_risk_CL.csv b/Sample Data/Custom/Infoblox/dossier_tld_risk_CL.csv
new file mode 100644
index 00000000000..5f13288f7da
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_tld_risk_CL.csv
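Review bot: task_id_g carries a value that is not a well-formed GUID: `28290600-3d2b-41a8-93b1-d3d0000abcd` has an 11-character final group instead of 12. The same defect appears in the later hunks of this commit — `ee5f6f66-a936-48b3-a6a2-ea41cea521234` in dossier_tld_risk_CL.csv, five of the seven rows in dossier_whitelist_CL.csv, and three rows in dossier_whois_CL.csv (13–14 characters in the last group). The `_g` suffix marks the column as GUID-typed, so an ingestion step or parser that casts it (for example with KQL `toguid()`) would presumably yield null for exactly these rows and silently drop them from joins on task_id_g. Regenerating the affected values as valid 8-4-4-4-12 identifiers keeps the sample rows usable.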
@@ -0,0 +1,5 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_matches_s
+"6/17/2024, 5:31:11 AM",,aa2bbdab-6139-43eb-913a-d8c391421234,host,topopo.top,tld_risk,success,9,3.0.0,"[{""confidence"":""high"",""malicious_counts"":""273668"",""popular"":""True"",""rare"":""False"",""raw_score"":""0.23487957162020878"",""score"":""7"",""score_label"":""High Risk"",""tld"":""top"",""total_counts"":""490048""}]"
+"6/17/2024, 8:55:41 AM",Click here to view the data,ee5f6f66-a936-48b3-a6a2-ea41cea521234,host,gmail.com,tld_risk,success,12,3.0.0,"[{""confidence"":""high"",""malicious_counts"":""1220883"",""popular"":""True"",""rare"":""False"",""raw_score"":""-1.5559437459373522"",""score"":""6"",""score_label"":""Moderate Risk"",""tld"":""com"",""total_counts"":""7007328""}]"
+"6/17/2024, 12:50:53 PM",Click here to view the data,0975477a-32c3-4322-a88f-0f49dfdb1234,host,ser-gate.cc,tld_risk,success,8,3.0.0,"[{""confidence"":""high"",""malicious_counts"":""109912"",""popular"":""True"",""rare"":""False"",""raw_score"":""0.329574181843459"",""score"":""7"",""score_label"":""High Risk"",""tld"":""cc"",""total_counts"":""188964""}]"
+"6/15/2024, 8:00:40 PM",,52ba4498-c7b6-4b74-b83c-c95925071234,host,crexx.ai,tld_risk,success,16,3.0.0,"[{""confidence"":""high"",""malicious_counts"":""1447"",""popular"":""True"",""rare"":""False"",""raw_score"":""-3.2377701437922672"",""score"":""4"",""score_label"":""Moderate Risk"",""tld"":""ai"",""total_counts"":""38312""}]"
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_whitelist_CL.csv b/Sample Data/Custom/Infoblox/dossier_whitelist_CL.csv
new file mode 100644
index 00000000000..92a1fb4e66b
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_whitelist_CL.csv
@@ -0,0 +1,8 @@
+TimeGenerated [UTC],status_message_for_dossier_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_value_s,data_whitelisted_b
+"6/17/2024, 5:31:11 AM",,2f7431a5-a041-499a-86bd-b718bb191234,host,topopo.top,whitelist,success,15,3.0.0,topopo.top,FALSE
+"6/17/2024, 8:55:42 AM",Click here to view the data,faa73770-2145-421d-9255-a9f671e491234,host,gmail.com,whitelist,success,8,3.0.0,gmail.com,TRUE
+"6/17/2024, 12:41:23 PM",Click here to view the data,9170d23f-c5d4-452a-90b0-4ed5b00e1234,ip,3.1.1.1,whitelist,success,33,3.0.0,3.1.1.1,FALSE
+"6/17/2024, 12:43:04 PM",Click here to view the data,d69d412e-3e3f-4f8a-90ed-0297398201234,ip,8.9.9.1,whitelist,success,23,3.0.0,8.9.9.1,FALSE
+"6/17/2024, 12:44:30 PM",Click here to view the data,807dba48-cf57-4972-87ea-6c54def241234,ip,10.5.7.8,whitelist,success,81,3.0.0,10.5.7.8,FALSE
+"6/17/2024, 12:50:55 PM",Click here to view the data,e1f3e455-11f1-4699-ab0d-8679d10b41234,host,ser-gate.cc,whitelist,success,74,3.0.0,ser-gate.cc,FALSE
+"6/15/2024, 8:00:40 PM",,a2c67a93-43f7-4ccf-a1a4-e5a0007961234,host,crexx.ai,whitelist,success,20,3.0.0,crexx.ai,FALSE
\ No newline at end of file
diff --git a/Sample Data/Custom/Infoblox/dossier_whois_CL.csv b/Sample Data/Custom/Infoblox/dossier_whois_CL.csv
new file mode 100644
index 00000000000..fe254b13f76
--- /dev/null
+++ b/Sample Data/Custom/Infoblox/dossier_whois_CL.csv
@@ -0,0 +1,95 @@ +TimeGenerated [UTC],data_info_s,data_reason_s,data_response_ip_response_country_s,data_response_ip_response_handle_s,data_response_ip_response_last_changed_t [UTC],data_response_ip_response_name_s,data_response_ip_response_net_range_s,data_response_ip_response_net_type_s,data_response_ip_response_parent_s,data_response_ip_response_registration_t [UTC],data_response_ip_response_source_registery_s,status_message_for_dossier_s,data_response_parsed_whois_created_date_t [UTC],data_response_parsed_whois_domain_s,data_response_parsed_whois_expired_date_t [UTC],data_response_parsed_whois_name_servers_s,data_response_parsed_whois_other_properties_registry_domain_id_s,data_response_parsed_whois_registrar_abuse_contact_email_s,data_response_parsed_whois_registrar_abuse_contact_phone_s,data_response_parsed_whois_registrar_iana_id_s,data_response_parsed_whois_registrar_name_s,data_response_parsed_whois_statuses_s,data_response_parsed_whois_updated_date_t [UTC],data_response_registration_created_t [UTC],data_response_registration_expires_t [UTC],data_response_registration_registrar_s,data_response_registration_statuses_s,data_response_registration_updated_t [UTC],data_response_whois_date_s,data_response_whois_record_s,task_id_g,params_type_s,params_target_s,params_source_s,status_s,time_d,v_s,data_response_nameservers_s,data_response_registrant_s +"6/15/2024, 8:00:41 PM",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3ef463bd-3711-43e8-a819-a4a8450e1234,host,crexx.ai,whois,success,1424,3.0.0,[], +"6/17/2024, 12:50:52 PM",,,,,,,,,,,,Click here to view the data,"4/25/2024, 7:31:30 AM",SERVER.CC,"4/25/2025, 7:31:30 AM","[""N1.DNSLXX.COM"",""N2.DNSLXX.COM"",""N3.DNSLXX.COM""]",2003301234_DOMAIN_CC-VRSN,,,1412,"NameSXX, LLCXX","[""client transfer prohibited""]","4/25/2024, 9:32:22 AM","4/25/2024, 7:31:30 AM","4/25/2025, 7:31:30 AM","Namloxx, LXX","[""client transfer prohibited""]","4/25/2024, 9:32:22 AM",2024-06-17,"Registrant: Naloxx, LLCXX +Registration: + Created: 
2024-04-25T07:31:30Z + Expires: 2025-04-25T07:31:30Z + Updated: 2024-04-25T09:32:22Z + Registrar: Naloxx, LLCXX + Statuses: client transfer prohibited +Nameservers: N1.DNSOWLXX.COM, N2.DNSOWLXX.COM, N3.DNSOWLXX.COM",2e1e4949-57fe-495b-8292-2ff140771234,host,serv-gate.cc,whois,success,52,3.0.0,"[""N1.DNSLXX.COM"",""N2.DNSLXX.COM"",""N3.DNSLXX.COM""]","Namexx, LLCXX" +"6/17/2024, 12:41:24 PM",,,null,NET-33-12-0-0-0,"9/28/2018, 2:45:41 PM",GOOGLE-4,34.0.0.0 - 34.12.25.25,DIRECT ALLOCATION,NET-32-0-0-0-0,"9/28/2018, 2:45:37 PM",APNICXX,Click here to view the data,,,,,,,,,,,,,,,,,2024-06-17,"Handle: nro_rdap_profile_0, rdap_level_0, cidr0, arin_originas0 +Start Address: 3.6.0.0 +End Address: 3.17.25.55 +IP Version: v4 +Name: GOOGLXX-2 +Type: DIRECT ALLOCATION +Country: +Source: +Parent Handle: NET-4-1-0-1-0 +Status: active +Port43: whois.arxx.net +Remarks: + +Registrant ID: +Handle: GOOGL-2 +Remark: + Event: + Date: +Role: registrant +Registrant version:v4 + +Whois Registration: 2018-09-28T10:45:37-04:00 +Whois Last Modified: 2018-09-28T10:45:41-04:00 +Links: https://rp.in.net/registry/ip/34.86.219.25 +",509bf4e3-1d20-4e66-b410-ae67e74c1234,ip,3.1.1.1,whois,success,269,3.0.0,[],GOOGLXX-2 +"6/17/2024, 12:43:03 PM",,,NL,80.80.80.0 - 80.95.95.254,"12/21/2022, 4:42:47 PM",DMXXHOST,80.80.80.0 - 80.95.95.254,ASSIGNED PA,80.80.80.0 - 80.95.95.254,"7/15/2020, 10:20:31 PM",APNICXX,Click here to view the data,,,,,,,,,,,,,,,,,2024-06-17,"Handle: geofeed1, cidr0, rdap_level_0, nro_rdap_profile_0, redacted +Start Address: 8.4.2.0 +End Address: 8.4.2.0 +IP Version: v4 +Name: DMXXHOST +Type: ASSIGNED PA +Country: NL +Source: +Parent Handle: 8.4.2.0 - 8.4.5.25 +Status: active +Port43: whois.rixx.net +Remarks: +Title: +Data: https://dmzhost.co + +Registrant ID: +Handle: OL2665-REXX +Remark: + Event: + Date: +Handle: ORG-PA1232-REXX +Remark: + Event: + Date: +Handle: pptechnology +Remark: + Event: + Date: +Handle: ro-btel2-1-mnt +Remark: + Event: + Date: +Handle: ACRO26775-RIPE +Remark: 
+ Event: + Date: +Role: administrative +Registrant version:v4 + +Whois Registration: 2020-07-15T22:20:31Z +Whois Last Modified: 2022-12-21T16:42:47Z +Links: https://rdap.db.ripe.net/ip/80.94.92.106 +",b9a9e0d9-abb4-46d1-b62c-6b4e85fe8abc,ip,80.1.1.1,whois,success,323,3.0.0,[],DMXXHOST +"6/17/2024, 5:31:12 AM",,,,,,,,,,,,,"5/25/2024, 9:39:16 AM",topo.top.,"5/25/2025, 9:39:16 AM","[""n1.dnslxx.com."",""n3.dnslxx.com."",""n2.dnslxx.com.""]",D20240525G112G_23778132-top,,,,,"[""client transfer prohibited""]","5/25/2024, 9:39:18 AM","5/25/2024, 9:39:16 AM","5/25/2025, 9:39:16 AM",,"[""client transfer prohibited""]","5/25/2024, 9:39:18 AM",2024-06-17,"Registrant: +Registration: + Created: 2024-05-25T09:39:16.0Z + Expires: 2025-05-25T09:39:16.0Z + Updated: 2024-05-25T09:39:18.0Z + Registrar: + Statuses: client transfer prohibited +Nameservers: n1.dnslxx.com., n3.dnslxx.com., n2.dnslxx.com.",314710b7-0f57-423d-a0f6-1c584a0f123ac,host,topopo.top,whois,success,457,3.0.0,"[""n1.dnslxx.com."",""n3.dnslxx.com."",""n2.dnslxx.com.""]", +"6/17/2024, 8:55:42 AM",,,,,,,,,,,,Click here to view the data,"8/13/1995, 4:00:00 AM",GMAIL.COM,"8/12/2024, 4:00:00 AM","[""NS1.GOOGLE.COM"",""NS2.GOOGLE.COM"",""NS3.GOOGLE.COM"",""NS4.GOOGLE.COM""]",,,,21,Monitorxx Inxx.,"[""client delete prohibited"",""client transfer prohibited"",""client update prohibited"",""server delete prohibited"",""server transfer prohibited"",""server update prohibited""]","7/11/2023, 10:10:13 AM","8/13/1995, 4:00:00 AM","8/12/2024, 4:00:00 AM",Manitor Incxx.,"[""client delete prohibited"",""client transfer prohibited"",""client update prohibited"",""server delete prohibited"",""server transfer prohibited"",""server update prohibited""]","7/11/2023, 10:10:13 AM",2024-06-17,"Registrant: MarkMonitor Inc. +Registration: + Created: 1995-08-13T04:00:00Z + Expires: 2024-08-12T04:00:00Z + Updated: 2023-07-11T10:10:13Z + Registrar: MarkMonitor Inc. 
+ Statuses: client delete prohibited, client transfer prohibited, client update prohibited, server delete prohibited, server transfer prohibited, server update prohibited +Nameservers: NS1.GOOGLE.COM, NS2.GOOGLE.COM, NS3.GOOGLE.COM, NS4.GOOGLE.COM",a2335039-ae19-4677-bc18-2f8483c12123cc,host,gmail.com,whois,success,58,3.0.0,"[""N1.GOOGLEXX.COM"",""N2.GOOGLEXX.COM"",""N3.GOOGLEXX.COM"",""N4.GOOGLEXX.COM""]",Monitor Incxx. +"6/17/2024, 12:44:30 PM",bad http status,bad api response status code: 500,,,,,,,,,,Click here to view the data,,,,,,,,,,,,,,,,,,,8167b608-3603-4b7f-8a42-9fde1e591234a,ip,1.5.7.8,whois,error,21,3.0.0,, \ No newline at end of file diff --git a/Sample Data/Custom/Infoblox/tide_lookup_data_CL.csv b/Sample Data/Custom/Infoblox/tide_lookup_data_CL.csv new file mode 100644 index 00000000000..31ff8f0a14d --- /dev/null +++ b/Sample Data/Custom/Infoblox/tide_lookup_data_CL.csv 
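Review bot: The masking in this file is inconsistent inside single rows: the gmail.com row keeps `NS1.GOOGLE.COM, NS2.GOOGLE.COM, …` and `MarkMonitor Inc.` in data_response_whois_record_s while data_response_nameservers_s reads `N1.GOOGLEXX.COM` and the registrar columns read `Monitorxx Inxx.`, and the two ip rows keep live links (`https://rdap.db.ripe.net/ip/80.94.92.106`, `https://rp.in.net/registry/ip/34.86.219.25`, `https://dmzhost.co`) next to masked handles. If the XX-masking is meant to keep real organisations and addresses out of sample data, the free-text whois record and the link lines need the same treatment, otherwise the unmasked copy defeats it. Separately, data_response_ip_response_country_s is the literal string `null` in the first ip row but empty in every other row; pick one representation so consumers do not have to special-case the text "null".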
@@ -0,0 +1,11 @@
+TimeGenerated [UTC],extended_ais_consent_s,extended_no_whitelist_s,extended_original_profile_s,email_s,extended_confidence_score_s,extended_risk_score_s,extended_threat_score_s,ip_s,hash_s,hash_type_s,threat_score_d,threat_score_rating_s,threat_score_vector_s,confidence_score_d,confidence_score_rating_s,confidence_score_vector_s,risk_score_d,risk_score_rating_s,risk_score_vector_s,extended_sample_sha256_s,confidence_d,extended_notes_s,target_s,extended_reason_s,extended_registration_date_s,extended_references_s,extended_attack_chain_s,id_g,type_s,host_s,domain_s,tld_s,profile_s,property_s,class_s,threat_level_d,detected_t [UTC],received_t [UTC],imported_t [UTC],expiration_t [UTC],dga_s,up_s,batch_id_g,extended_cyberint_guid_g,url_s,extended_url_hash_g
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,6c52b708-115f-11ef-885a-fb00b077c4c2,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"5/13/2024, 7:30:43 PM","5/13/2024, 7:31:41 PM","5/13/2024, 7:31:41 PM","5/27/2024, 7:30:43 PM",,TRUE,,ee701e35-ec8f-7984-80b7-b3aaac6788ab,,
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,95336391-fe9c-11ee-8d97-e72a02aeb08c,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"4/19/2024, 10:30:43 PM","4/19/2024, 10:31:37 PM","4/19/2024, 10:31:37 PM","5/3/2024, 10:30:43 PM",,TRUE,,6ac1fa1e-95d3-f0f0-d30b-91f1bdadabcd,,
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,0868d63a-f416-11ee-a9b9-416f1a2f1ccb,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"4/6/2024, 8:30:43 AM","4/6/2024, 1:03:03 PM","4/6/2024, 1:03:03 PM","4/20/2024, 8:30:43 AM",,TRUE,,06c70435-ff15-efe2-3c63-02bdfb7ac548,,
+"6/13/2024, 12:34:57 PM",,FALSE,,,,,,1.1.1.1,,,,,,,,,,,,,100,,,,,,,a9526c04-4826-11eb-aad7-9f7c1af0b24e,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"12/27/2020, 9:30:43 AM","12/27/2020, 9:34:05 AM","12/27/2020, 9:34:05 AM","1/10/2021, 9:30:43
AM",,TRUE,,5d9ebbc5-242a-07b7-bec4-8bed817bc6e0,,
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,d0f03097-23d6-11ef-9d27-fd4c80262154,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"6/6/2024, 7:30:44 AM","6/6/2024, 7:31:41 AM","6/6/2024, 7:31:41 AM","6/20/2024, 7:30:44 AM",,TRUE,,ad45ae1d-2674-7cfc-762d-e7997c6babc2,,
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,68f0baf7-0938-11ef-89f0-656d657921f8,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"5/3/2024, 10:30:42 AM","5/3/2024, 10:32:15 AM","5/3/2024, 10:32:15 AM","5/17/2024, 10:30:42 AM",,TRUE,,f9c82718-9363-f6f3-f80d-80e74302bc40,,
+"6/13/2024, 12:34:57 PM",,FALSE,,,,,,1.1.1.1,,,,,,,,,,,,,100,,,,,,,db6c7751-4d6b-11eb-9c8e-05123cd42648,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"1/3/2021, 2:30:43 AM","1/3/2021, 2:32:00 AM","1/3/2021, 2:32:00 AM","1/17/2021, 2:30:43 AM",,TRUE,,b33c654f-4083-605e-c4a0-97a086198acd,,
+"6/13/2024, 12:34:57 PM",,FALSE,,,,,,1.1.1.1,,,,,,,,,,,,,100,,,,,,,23427011-41b3-11eb-9c8e-05123cd42184,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"12/19/2020, 4:30:42 AM","12/19/2020, 4:32:00 AM","12/19/2020, 4:32:00 AM","1/2/2021, 4:30:42 AM",,TRUE,,81122e86-ab30-f8a5-23d1-aac1cbac1234,,
+"6/13/2024, 12:34:57 PM",,,,,,,,1.1.1.1,,,,,,,,,,,,,100,Published as TOR exit node by the TOR project.,,,,,,270c08c4-fe51-11ee-8a87-fd43f12b25f5,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"4/19/2024, 1:30:42 PM","4/19/2024, 1:31:40 PM","4/19/2024, 1:31:40 PM","5/3/2024, 1:30:42 PM",,TRUE,,85ded201-ed4a-d3c4-ed8e-c35085ed1ab7,,
+"6/13/2024, 12:34:57 PM",,FALSE,,,,,,1.1.1.1,,,,,,,,,,,,,100,,,,,,,a7802e8f-473b-11eb-aad7-9f7c1af0b21c,IP,,,,IID,Proxy_TorExitNode,Proxy,50,"12/26/2020, 5:30:44 AM","12/26/2020, 5:31:50 AM","12/26/2020, 5:31:50 AM","1/9/2021, 5:30:44 AM",,TRUE,,0fa1c4bc-8c6c-3bd8-7701-4fdea841b6cc,,
\ No newline at end of file
diff --git a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip
index da1fd28a6b3..01e90cb1bb1 100644
Binary files a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip and b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip differ
diff --git a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_API_FunctionApp.json b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_API_FunctionApp.json
index 2b4d4c95073..17881e3f682 100644
--- a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_API_FunctionApp.json
+++ b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurity_API_FunctionApp.json
@@ -130,7 +130,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
diff --git a/Solutions/AbnormalSecurity/Data Connectors/azuredeploy_AbnormalSecurity_API_FunctionApp.json b/Solutions/AbnormalSecurity/Data Connectors/azuredeploy_AbnormalSecurity_API_FunctionApp.json
index 504d08a88d8..14788370ccb 100644
--- a/Solutions/AbnormalSecurity/Data Connectors/azuredeploy_AbnormalSecurity_API_FunctionApp.json
+++ b/Solutions/AbnormalSecurity/Data Connectors/azuredeploy_AbnormalSecurity_API_FunctionApp.json
@@ -139,7 +139,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json b/Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json
index fc1e7dd10ae..2410fb8b3cd 100644
--- a/Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json
+++ b/Solutions/AbnormalSecurity/Data/Solution_AbnormalSecurity.json
@@ -7,7 +7,7 @@
 "Data Connectors/AbnormalSecurity_API_FunctionApp.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\AbnormalSecurity",
- "Version": "3.0.0",
+ "Version": "3.0.1",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/AbnormalSecurity/Package/3.0.1.zip b/Solutions/AbnormalSecurity/Package/3.0.1.zip
new file mode 100644
index 00000000000..63ad387d379
Binary files /dev/null and b/Solutions/AbnormalSecurity/Package/3.0.1.zip differ
diff --git a/Solutions/AbnormalSecurity/Package/createUiDefinition.json b/Solutions/AbnormalSecurity/Package/createUiDefinition.json
index 425d2344992..f3a17a6ea47 100644
--- a/Solutions/AbnormalSecurity/Package/createUiDefinition.json
+++ b/Solutions/AbnormalSecurity/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AbnormalSecurity/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\nThe Abnormal Security Events solution provides the capability to ingest threat and case logs into Microsoft Sentinel using the [Abnormal Security Rest API](https://app.swaggerhub.com/apis/abnormal-security/abx/).\r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AbnormalSecurity/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Abnormal Security Events solution provides the capability to ingest threat and case logs into Microsoft Sentinel using the [Abnormal Security Rest API](https://app.swaggerhub.com/apis/abnormal-security/abx/).\r \n \r \n **Underlying Microsoft Technologies used:** \r \n \r \n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r \n \r \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r \n \r \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for Abnormal Security. You can get Abnormal Security custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for AbnormalSecurity. You can get AbnormalSecurity custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/AbnormalSecurity/Package/mainTemplate.json b/Solutions/AbnormalSecurity/Package/mainTemplate.json index a862e2dfe15..b735dbf24a9 100644 --- a/Solutions/AbnormalSecurity/Package/mainTemplate.json +++ b/Solutions/AbnormalSecurity/Package/mainTemplate.json 
@@ -33,16 +33,16 @@
 "email": "support@abnormalsecurity.com",
 "_email": "[variables('email')]",
 "_solutionName": "AbnormalSecurity",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "abnormalsecuritycorporation1593011233180.fe1b4806-215b-4610-bf95-965a7a65579c",
- "_solutionId": "[variables('solutionId')]",
+ "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AbnormalSecurity",
 "_uiConfigId1": "[variables('uiConfigId1')]",
 "dataConnectorContentId1": "AbnormalSecurity",
 "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
 "dataConnectorVersion1": "1.0.0",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
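Review bot: `dataConnectorTemplateSpecName1` no longer appends `variables('dataConnectorVersion1')`, so whatever resource is named from it (outside this hunk) gets a different name than the one the 3.0.0 package deployed; worth confirming this matches the current packaging-tool output and that a workspace upgrading from 3.0.0 is not left with the old versioned template resource next to the new one. The `_solutionId` line changes only in whitespace and adds noise to the diff. If the rename is intended, a one-line mention in ReleaseNotes.md would help anyone tracking deployed resources by name.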
@@ -57,7 +57,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AbnormalSecurity data connector with template version 3.0.0", + "description": "AbnormalSecurity data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -73,7 +73,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "AbnormalSecurity (using Azure Functions)", + "title": "AbnormalSecurity (using Azure Functions)", "publisher": "AbnormalSecurity", "descriptionMarkdown": "The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the [Abnormal Security Rest API.](https://app.swaggerhub.com/apis/abnormal-security/abx/)", "graphQueries": [ 
@@ -199,7 +199,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSENTINEL_WORKSPACE_ID\n\t\tSENTINEL_SHARED_KEY\n\t\tABNORMAL_SECURITY_REST_API_TOKEN\n\t\tlogAnalyticsUri (optional)\n(add any other settings required by the Function App)\nSet the `uri` value to: `` \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us.` \n4. Once all application settings have been entered, click **Save**." @@ -227,7 +227,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -259,7 +259,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "AbnormalSecurity (using Azure Functions)", + "displayName": "AbnormalSecurity (using Azure Functions)", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" 
@@ -267,7 +267,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -302,7 +302,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "AbnormalSecurity (using Azure Functions)", + "title": "AbnormalSecurity (using Azure Functions)", "publisher": "AbnormalSecurity", "descriptionMarkdown": "The Abnormal Security data connector provides the capability to ingest threat and case logs into Microsoft Sentinel using the [Abnormal Security Rest API.](https://app.swaggerhub.com/apis/abnormal-security/abx/)", "graphQueries": [ 
@@ -428,7 +428,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-abnormalsecurity-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. AbnormalSecurityXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tSENTINEL_WORKSPACE_ID\n\t\tSENTINEL_SHARED_KEY\n\t\tABNORMAL_SECURITY_REST_API_TOKEN\n\t\tlogAnalyticsUri (optional)\n(add any other settings required by the Function App)\nSet the `uri` value to: `` \n>Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Azure Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us.` \n4. Once all application settings have been entered, click **Save**." @@ -443,12 +443,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "AbnormalSecurity", "publisherDisplayName": "Abnormal Security", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Abnormal Security Events solution provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security Rest API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Abnormal Security Events solution provides the capability to ingest threat and case logs into Microsoft Sentinel using the Abnormal Security Rest API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
diff --git a/Solutions/AbnormalSecurity/Package/testParameters.json b/Solutions/AbnormalSecurity/Package/testParameters.json
new file mode 100644
index 00000000000..e55ec41a9ac
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Package/testParameters.json
@@ -0,0 +1,24 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ }
+}
diff --git a/Solutions/AbnormalSecurity/ReleaseNotes.md b/Solutions/AbnormalSecurity/ReleaseNotes.md
index 73e101f1008..9757e63dc78 100644
--- a/Solutions/AbnormalSecurity/ReleaseNotes.md
+++ b/Solutions/AbnormalSecurity/ReleaseNotes.md
@@ -1,3 +1,3 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------------|
-| 3.0.0 | 29-06-2023 | Renaming Azure Function to Azure Functions in **Data Connector** Description |
+| 3.0.0 | 29-06-2023 | Renaming Azure Function to Azure Functions in **Data Connector** Description and Updated the python runtime version to 3.11 |
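Review bot: `version` is bumped to `3.0.1` in this hunk (as are `_solutionVersion` in mainTemplate.json and `Version` in Solution_AbnormalSecurity.json), but the ReleaseNotes.md hunk in the same commit only extends the existing 3.0.0 row dated 29-06-2023 with the Python 3.11 change, so the Release Notes link that createUiDefinition.json now advertises points at a file with no 3.0.1 entry. Add a new row instead and leave the 3.0.0 row untouched, e.g. `| 3.0.1 | <DD-MM-YYYY> | Updated the Python runtime version to 3.11 |` (date to be filled in).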
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py new file mode 100644 index 00000000000..b12deb66a85 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py 
@@ -0,0 +1,375 @@ +"""This __init__ file will be called once triggered is generated.""" + +import datetime +import logging +import azure.functions as func +import json +from .sentinel import AzureSentinel +from Exceptions.ArmisExceptions import ArmisException, ArmisDataNotFoundException +from .utils import Utils +from . import consts +import inspect + + +class ArmisAlertsActivities(Utils): + """This class will process the Alert Activity data and post it into the Microsoft sentinel.""" + + def __init__(self): + """__init__ method will initialize object of class.""" + super().__init__() + self.data_alert_from = 0 + self.azuresentinel = AzureSentinel() + self.total_alerts_posted = 0 + self.total_activities_posted = 0 + + def get_alert_data(self, parameter): + """get_alert_data is used to get data using api. + + Args: + parameter (json): will contain the json data to sends to parameter to get data from REST API. + + """ + __method_name = inspect.currentframe().f_code.co_name + try: + results = self.make_rest_call( + method="GET", + url=consts.URL + consts.SEARCH_SUFFIX, + params=parameter, + headers=self.header, + retry_401=consts.RETRY_COUNT_401, + ) + if results["data"]["count"] == 0: + raise ArmisDataNotFoundException(consts.LOG_FORMAT.format(__method_name, "Alert Data not found.")) + + if ( + "data" in results + and "results" in results["data"] + and "total" in results["data"] + and "count" in results["data"] + and "next" in results["data"] + ): + count_per_frame_data = results["data"]["count"] + data = results["data"]["results"] + for i in data: + i["armis_alert_time"] = i["time"] + + logging.info( + consts.LOG_FORMAT.format(__method_name, "Alerts From {} length 1000".format(self.data_alert_from)) + ) + self.data_alert_from = results["data"]["next"] + alert_time = self.get_formatted_time(data[-1]["time"][:19]) + + return data, alert_time, count_per_frame_data + else: + logging.error(consts.LOG_FORMAT.format(__method_name, "There are no proper keys in alerts 
data.")) + raise ArmisException() + + except KeyError as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) + raise ArmisException() + + except ArmisException: + raise ArmisException() + + except ArmisDataNotFoundException as err: + logging.info(err) + raise ArmisDataNotFoundException() + except Exception as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Error while fetching Alerts. : {}.".format(err))) + raise ArmisException() + + def get_activity_data(self, activity_uuids): + """Get armis activity data. + + Args: + activity_uuids (list): list of activity uuid + + Returns: + list: list of activity + """ + __method_name = inspect.currentframe().f_code.co_name + try: + parameters_activity = { + "aql": "in:activity", + "orderBy": "time", + "from": 0, + "length": consts.CHUNK_SIZE, + "fields": ",".join(consts.ACTIVITY_FIELDS), + } + aql_formatted_ids = ",".join(str(activity_uuid) for activity_uuid in activity_uuids) + parameters_activity["aql"] = "in:activity UUID:{}".format(aql_formatted_ids) + results = self.make_rest_call( + method="GET", + url=consts.URL + consts.SEARCH_SUFFIX, + params=parameters_activity, + headers=self.header, + retry_401=consts.RETRY_COUNT_401, + ) + if results["data"]["count"] == 0: + logging.warning(consts.LOG_FORMAT.format(__method_name, "Activity Data not found.")) + return [] + if ( + "data" in results + and "results" in results["data"] + and "total" in results["data"] + and "count" in results["data"] + and "next" in results["data"] + ): + data = results["data"]["results"] + for i in data: + i["armis_activity_time"] = i["time"] + return data + else: + logging.error(consts.LOG_FORMAT.format(__method_name, "There are no proper keys in activity data.")) + raise ArmisException() + + except KeyError as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) + raise ArmisException() + + except ArmisException: + raise ArmisException() + + except 
Exception as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Error while fetching Activity : {}.".format(err))) + raise ArmisException() + + def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): + """Post alert and activity data to respective table in sentinel. + + Args: + alerts_data_to_post (list): alerts data to post + activity_uuid_list (list): list of activity uuids to post + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if alerts_data_to_post: + if activity_uuid_list: + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching activities data.")) + activity_data = self.get_activity_data(activity_uuid_list) + self.azuresentinel.post_data( + json.dumps(activity_data, indent=2), consts.ARMIS_ACTIVITIES_TABLE, "armis_activity_time" + ) + self.total_activities_posted += len(activity_data) + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Posted Activities count : {}.".format(len(activity_data)) + ) + ) + self.azuresentinel.post_data( + json.dumps(alerts_data_to_post, indent=2), consts.ARMIS_ALERTS_TABLE, "armis_alert_time" + ) + self.total_alerts_posted += len(alerts_data_to_post) + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Posted Alerts count : {}.".format(len(alerts_data_to_post)) + ) + ) + self.post_alert_checkpoint(alerts_data_to_post[-1]) + except ArmisException: + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Error while posting alerts and activity data : {}.".format(err) + ) + ) + raise ArmisException() + + def process_alerts_data(self, alerts): + """Process alerts data to fetch related activity. 
+ + Args: + alerts (list): list of alerts + """ + __method_name = inspect.currentframe().f_code.co_name + try: + activity_uuid_list = [] + alerts_data_to_post = [] + for alert in alerts: + activity_uuids = alert.get("activityUUIDs", []) + if len(activity_uuid_list) + len(activity_uuids) <= consts.CHUNK_SIZE: + activity_uuid_list.extend(activity_uuids) + alerts_data_to_post.append(alert) + else: + self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + alerts_data_to_post = [] + activity_uuid_list = [] + if len(activity_uuids) < consts.CHUNK_SIZE: + activity_uuid_list.extend(activity_uuids) + alerts_data_to_post.append(alert) + else: + for index in range(0, len(activity_uuids), consts.CHUNK_SIZE): + chunk_of_activity_uuids = activity_uuids[index: index + consts.CHUNK_SIZE] + activity_data = self.get_activity_data(chunk_of_activity_uuids) + self.azuresentinel.post_data( + json.dumps(activity_data, indent=2), + consts.ARMIS_ACTIVITIES_TABLE, + "armis_activity_time", + ) + self.total_activities_posted += len(activity_data) + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Posted Activities count : {}.".format(len(activity_data)) + ) + ) + self.azuresentinel.post_data( + json.dumps([alert], indent=2), consts.ARMIS_ALERTS_TABLE, "armis_alert_time" + ) + self.total_alerts_posted += 1 + logging.info(consts.LOG_FORMAT.format(__method_name, "Posted Alerts count : 1.")) + self.post_alert_checkpoint(alert) + self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + except ArmisException: + raise ArmisException() + + except Exception as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Error while processing alerts and activity data : {}.".format(err) + ) + ) + raise ArmisException() + + def fetch_alert_data(self, type_data, is_checkpoint_not_exist, last_time=None): + """Fetch_alert_data is used to push all the data into table. + + Args: + type_data (json): will contain the json data to use in parameters. 
+ is_checkpoint_not_exist (bool): it is a flag that contains the value if checkpoint exists or not. + last_time (String): it will contain checkpoint time stamp. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if is_checkpoint_not_exist: + aql_data = """{}""".format(type_data["aql"]) + else: + aql_data = """{} after:{}""".format(type_data["aql"], last_time) + type_data["aql"] = aql_data + while self.data_alert_from is not None: + parameter_alert = { + "aql": type_data["aql"], + "from": self.data_alert_from, + "orderBy": "time", + "length": 1000, + "fields": type_data["fields"], + } + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching alerts data.")) + ( + data, + alert_time, + count_per_frame_data, + ) = self.get_alert_data(parameter_alert) + self.process_alerts_data(data) + logging.info( + consts.LOG_FORMAT.format( + __method_name, + "Collected {} alert data from alerts api.".format(count_per_frame_data), + ) + ) + + if str(consts.IS_AVOID_DUPLICATES).lower() == "true": + alert_time = datetime.datetime.strptime(alert_time, "%Y-%m-%dT%H:%M:%S") + alert_time += datetime.timedelta(seconds=1) + alert_time = alert_time.strftime("%Y-%m-%dT%H:%M:%S") + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Last timestamp with plus one second that is added : {}".format(alert_time) + ) + ) + self.state_manager_obj.post(str(alert_time)) + logging.info( + consts.LOG_FORMAT.format( + __method_name, + "" + "Last timestamp is added with plus one second into the StateManager successfully.", + ) + ) + + except ArmisException: + raise ArmisException() + + except ArmisDataNotFoundException: + raise ArmisDataNotFoundException() + + except Exception as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Error occurred : {}.".format(err))) + raise ArmisException() + + def check_data_exists_or_not_alert(self): + """Check_data_exists_or_not is to check if the data is exists or not using the timestamp file.""" + __method_name = 
inspect.currentframe().f_code.co_name + try: + parameter_alert = { + "aql": "in:alerts", + "orderBy": "time", + "fields": ",".join(consts.ALERT_FIELDS), + } + last_time_alerts = self.state_manager_obj.get() + if last_time_alerts is None: + logging.info( + consts.LOG_FORMAT.format(__method_name, "The checkpoint timestamp is not available for the alerts!") + ) + self.fetch_alert_data( + parameter_alert, + True, + last_time_alerts, + ) + else: + logging.info( + consts.LOG_FORMAT.format( + __method_name, "The checkpoint is available for alerts: {}.".format(last_time_alerts) + ) + ) + self.fetch_alert_data( + parameter_alert, + False, + last_time_alerts, + ) + logging.info( + consts.LOG_FORMAT.format( + __method_name, + "Total Posted alerts {}, Total Posted activities : {}.".format( + self.total_alerts_posted, + self.total_activities_posted, + ), + ) + ) + except ArmisException: + raise ArmisException() + + except ArmisDataNotFoundException: + raise ArmisDataNotFoundException() + + except Exception as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Error occurred during checking whether checkpoint exist or not : {}.".format(err) + ) + ) + raise ArmisException() + + +def main(mytimer: func.TimerRequest) -> None: + """ + Start the execution. + + Args: + mytimer (func.TimerRequest): This variable will be used to trigger the function. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + logging.info( + consts.LOG_FORMAT.format(__method_name, "Python timer trigger function ran at {}".format(utc_timestamp)) + ) + + armis_obj = ArmisAlertsActivities() + try: + armis_obj.check_data_exists_or_not_alert() + except ArmisDataNotFoundException: + logging.warning(consts.LOG_FORMAT.format(__method_name, "Alert Data not found hence, stopping the execution.")) + + utc_timestamp_final = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + logging.info(consts.LOG_FORMAT.format(__method_name, "execution completed at {}.".format(utc_timestamp_final))) + if mytimer.past_due: + logging.info(consts.LOG_FORMAT.format(__method_name, "The timer is past due!")) diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py new file mode 100644 index 00000000000..11ef7d4f818 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py 
@@ -0,0 +1,35 @@ +"""Module for constants.""" + +import os + +# Armis constants +API_KEY = os.environ.get("ArmisSecretKey", "") +URL = os.environ.get("ArmisURL", "") +ACCESS_TOKEN_SUFFIX = "/access_token/" +SEARCH_SUFFIX = "/search/" +ACTIVITY_FIELDS = ["title", "type", "time", "site", "sensor", "protocol", "content", "activityUUID"] +ALERT_FIELDS = [ + "alertId", + "type", + "title", + "description", + "severity", + "time", + "status", + "deviceIds", + "activityUUIDs", +] +RETRY_COUNT_401 = 3 + +# Sentinel constants +CONNECTION_STRING = os.environ.get("AzureWebJobsStorage", "") +ARMIS_ALERTS_TABLE = os.environ.get("ArmisAlertsTableName", "") +ARMIS_ACTIVITIES_TABLE = os.environ.get("ArmisActivitiesTableName", "") +IS_AVOID_DUPLICATES = os.environ.get("AvoidDuplicates", "") +WORKSPACE_ID = os.environ.get("WorkspaceID", "") +WORKSPACE_KEY = os.environ.get("WorkspaceKey", "") +CHUNK_SIZE = 35 +FILE_SHARE = "funcstatemarkershare" +CHECKPOINT_FILE = "funcarmisalertsfile" +LOG_FORMAT = "Armis Alerts Activities Connector: (method = {}) : {}" +REQUEST_TIMEOUT = 300 diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/function.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/sentinel.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/sentinel.py new file mode 100644 index 00000000000..c8c626c698d --- /dev/null 
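Review bot: `URL` is taken verbatim from the `ArmisURL` app setting and, in `utils.py`, concatenated with `ACCESS_TOKEN_SUFFIX` for the request that POSTs the secret key, so nothing here prevents a misconfigured `http://` value from sending that credential in clear text, and a trailing slash produces `//access_token/`. Normalise at the point of definition, `URL = os.environ.get("ArmisURL", "").rstrip("/")`, and add a scheme check where the other settings are already validated (`Utils.check_environment_var_exist`), e.g. `if not consts.URL.lower().startswith("https://"): raise ArmisException()`. `CHUNK_SIZE = 35` and `REQUEST_TIMEOUT = 300` are undocumented magic numbers; a comment on each stating what bounds them (presumably the length of the `UUID:` list the Armis search endpoint accepts, and the Function host timeout) is worth adding. `API_KEY` and `WORKSPACE_KEY` are long-lived shared secrets read from plain app settings; the connector page in this commit already recommends Key Vault references, and a comment here pointing to that would make the expectation explicit.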
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/sentinel.py 
@@ -0,0 +1,163 @@ +"""Module for Sentinel utility.""" + +import inspect +import base64 +import hashlib +import hmac +import logging +import datetime +import requests +from Exceptions.ArmisExceptions import ArmisException +from . import consts + +customer_id = consts.WORKSPACE_ID +shared_key = consts.WORKSPACE_KEY + + +class AzureSentinel: + """AzureSentinel is Used to post data to log analytics.""" + + def build_signature( + self, + date, + content_length, + method, + content_type, + resource, + ): + """To build the signature.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(shared_key) + encoded_hash = base64.b64encode( + hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest() + ).decode() + authorization = "SharedKey {}:{}".format(customer_id, encoded_hash) + return authorization + + # Build and send a request to the POST API + def post_data(self, body, log_type, timestamp): + """Build and send a request to the POST API.""" + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + timestamp_date = timestamp + __method_name = inspect.currentframe().f_code.co_name + try: + signature = self.build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + uri = "https://" + customer_id + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + "time-generated-field": timestamp_date, + } + + response = requests.post(uri, data=body, headers=headers, timeout=consts.REQUEST_TIMEOUT) + if response.status_code >= 200 and response.status_code <= 299: + 
logging.info(consts.LOG_FORMAT.format(__method_name, "Data posted successfully to microsoft sentinel.")) + elif response.status_code == 400: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Bad Request = {}, Status code : {}.".format(response.text, response.status_code) + ) + ) + raise ArmisException() + elif response.status_code == 403: + logging.error( + consts.LOG_FORMAT.format(__method_name, "Forbidden, Status code : {}.".format(response.status_code)) + ) + raise ArmisException() + elif response.status_code == 404: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Request Not Found , Status code : {}.".format(response.status_code) + ) + ) + raise ArmisException() + elif response.status_code == 429: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Too Many Requests, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + elif response.status_code == 500: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Internal Server Error, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + elif response.status_code == 503: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Service Unavailable, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + else: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Error while posting data to microsoft sentinel Response code: {}.".format( + response.status_code + ), + ) + ) + raise ArmisException() + except requests.ConnectionError as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Connection Error while posting data to microsoft sentinel : {}.".format(err), + ) + ) + raise ArmisException() + except requests.HTTPError as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "HTTP Error while posting data to microsoft sentinel : {}.".format(err), + ) + ) + raise ArmisException() + except requests.Timeout as err: + logging.error( 
+ consts.LOG_FORMAT.format( + __method_name, + "Timeout Error while posting data to microsoft sentinel : {}.".format(err), + ) + ) + raise ArmisException() + except requests.exceptions.InvalidURL as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Invalid URL Error while posting data to microsoft sentinel : {}.".format(err), + ) + ) + raise ArmisException() + except ArmisException: + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Error while posting data to microsoft sentinel : {}.".format(err) + ) + ) + raise ArmisException() diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py new file mode 100644 index 00000000000..624a40b0665 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py 
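Review bot: `post_data` signs `content_length = len(body)` on a `str`, but the shared-key signature is checked against the byte length of what is actually sent; the callers in this commit pass `json.dumps(..., indent=2)` with the default `ensure_ascii=True`, so the two agree today, but any non-ASCII body (a caller using `ensure_ascii=False`, or raw text) would yield a 403 signature mismatch or an encoding error from `http.client`. Encode once and sign the bytes: `body = body.encode("utf-8") if isinstance(body, str) else body` before `content_length = len(body)`, then pass those bytes to `requests.post`. The 429/500/503 branches raise immediately with no backoff, and in `post_alert_activity_data` the activity batch is posted before the alert batch and the checkpoint, so a single throttled alert POST presumably leaves the activities ingested but the checkpoint unchanged, re-ingesting them on the next run; a short bounded retry on those codes would avoid that. `datetime.datetime.utcnow()` is deprecated from Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` produces the same RFC 1123 string with `strftime`.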
@@ -0,0 +1,38 @@ +"""This module will help to save file to statemanager.""" +from azure.storage.fileshare import ShareClient +from azure.storage.fileshare import ShareFileClient +from azure.core.exceptions import ResourceNotFoundError +from . import consts + + +class StateManager: + """State manager class for specific operation.""" + + def __init__( + self, + connection_string, + file_path, + share_name=consts.FILE_SHARE, + ): + """Initialize the share_cli and file_client.""" + self.share_cli = ShareClient.from_connection_string( + conn_str=connection_string, share_name=share_name + ) + self.file_cli = ShareFileClient.from_connection_string( + conn_str=connection_string, share_name=share_name, file_path=file_path + ) + + def post(self, marker_text: str): + """Post method for posting the data to azure storage.""" + try: + self.file_cli.upload_file(marker_text) + except ResourceNotFoundError: + self.share_cli.create_share() + self.file_cli.upload_file(marker_text) + + def get(self): + """Get method for getting the data from azure storage.""" + try: + return self.file_cli.download_file().readall().decode() + except ResourceNotFoundError: + return None diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py new file mode 100644 index 00000000000..ba868876765 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py 
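Review bot: `get` returns whatever text is in the share file unchanged, and `fetch_alert_data` in `__init__.py` interpolates that value straight into the AQL query via `"{} after:{}".format(...)`, so a corrupted or hand-edited marker file silently changes the query instead of failing. Validate on read with `import datetime` and `datetime.datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")`, raising when it does not parse rather than returning `None` (which the caller treats as "no checkpoint" and would trigger a full re-ingest). `post` recovers only from `ResourceNotFoundError` by creating the share; the docstring should state that other storage errors propagate to the caller, since nothing here catches them.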
@@ -0,0 +1,270 @@ +"""Utility module.""" + +import inspect +import logging +from Exceptions.ArmisExceptions import ArmisException +import requests +from . import consts +from .state_manager import StateManager + + +class Utils: + """Utils Class.""" + + def __init__(self) -> None: + """Init Function.""" + self.retry_count = 0 + self.header = {} + self.check_environment_var_exist( + [ + {"ArmisURL": consts.URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"ArmisSecretKey": consts.API_KEY}, + {"AzureWebJobsStorage": consts.CONNECTION_STRING}, + {"AvoidDuplicates": consts.IS_AVOID_DUPLICATES}, + {"ArmisAlertsTableName": consts.ARMIS_ALERTS_TABLE}, + {"ArmisActivitiesTableName": consts.ARMIS_ACTIVITIES_TABLE}, + ] + ) + self._secret_key = consts.API_KEY + self.get_access_token() + self.state_manager_obj = StateManager( + connection_string=consts.CONNECTION_STRING, file_path=consts.CHECKPOINT_FILE + ) + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + logging.info(consts.LOG_FORMAT.format(__method_name, "Validating Environment Variables.")) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + logging.error( + consts.LOG_FORMAT.format(__method_name, "Environment variable {} is not set.".format(key)) + ) + if missing_required_field: + logging.error(consts.LOG_FORMAT.format(__method_name, "Environment Variables validation failed.")) + raise ArmisException() + logging.info(consts.LOG_FORMAT.format(__method_name, "Environment Variables validation Success.")) + except ArmisException: + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format(__method_name, "Error while checking environment variables: {}".format(err)) + ) + raise ArmisException() + + def make_rest_call(self, method, url, params=None, headers=None, data=None, retry_401=0): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + headers (dict, optional): The headers to pass in the call (default is None). + data (dict, optional): The body of the request (default is None). + retry_401(int): Number of retry in 401(default is 0). + + Returns: + dict: The JSON response if the call is successful. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response = requests.request( + method, url, headers=headers, params=params, data=data, timeout=consts.REQUEST_TIMEOUT + ) + for _ in range(retry_401 + 1): + if response.status_code == 200: + response_json = response.json() + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Success, Status code : {}.".format(response.status_code) + ) + ) + return response_json + elif response.status_code == 400: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Bad Request = {}, Status code : {}.".format(response.text, response.status_code), + ) + ) + raise ArmisException() + elif response.status_code == 401: + logging.error( + consts.LOG_FORMAT.format( + __method_name, "Unauthorized, Status code : {}, Retrying...".format(response.status_code) + ) + ) + self.get_access_token() + self.retry_count += 1 + continue + elif response.status_code == 429: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Too Many Requests, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + elif response.status_code == 500: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Internal Server Error, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + elif response.status_code == 502: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Bad GateWay, Status code : {}.".format(response.status_code), + ) + ) + raise ArmisException() + else: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Unexpected Error = {}, Status code : {}.".format(response.text, response.status_code), + ) + ) + raise ArmisException() + logging.error(consts.LOG_FORMAT.format(__method_name, "Max retries exceeded.")) + raise ArmisException() + except ArmisException: + raise ArmisException() + except requests.ConnectionError as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Connection error : {}.".format(err), 
+ ) + ) + raise ArmisException() + except requests.HTTPError as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "HTTP error : {}.".format(err), + ) + ) + raise ArmisException() + except requests.Timeout as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Timeout error : {}.".format(err), + ) + ) + raise ArmisException() + except requests.exceptions.InvalidURL as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Invalid URL error : {}.".format(err), + ) + ) + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format( + __method_name, + "Unexpected error : {}.".format(err), + ) + ) + raise ArmisException() + + def get_formatted_time(self, alert_time): + """Format alert time. + + Args: + alert_time (str): time to format + + Returns: + str: formatted time + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if len(alert_time) != 19: + if len(alert_time) == 10: + alert_time += "T00:00:00" + logging.info( + consts.LOG_FORMAT.format(__method_name, "'T:00:00:00' added as only date is available.") + ) + else: + splited_time = alert_time.split("T") + if len(splited_time[1]) == 5: + splited_time[1] += ":00" + logging.info(consts.LOG_FORMAT.format(__method_name, "':00' added as seconds not available.")) + elif len(splited_time[1]) == 2: + splited_time[1] += ":00:00" + logging.info( + consts.LOG_FORMAT.format(__method_name, "':00:00' added as only hour is available.") + ) + alert_time = "T".join(splited_time) + return alert_time + except KeyError as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format(__method_name, "Error while posting alerts checkpoint : {}.".format(err)) + ) + raise ArmisException() + + def post_alert_checkpoint(self, alert): + """Post alert checkpoint. 
+ + Args: + alert (dict): last alert from data + """ + __method_name = inspect.currentframe().f_code.co_name + try: + alert_time = self.get_formatted_time(alert["time"][:19]) + self.state_manager_obj.post(str(alert_time)) + logging.info( + consts.LOG_FORMAT.format(__method_name, "Alerts checkpoint updated : {}.".format(str(alert_time))) + ) + except KeyError as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) + raise ArmisException() + + except ArmisException: + raise ArmisException() + + except Exception as err: + logging.error( + consts.LOG_FORMAT.format(__method_name, "Error while posting alerts checkpoint : {}.".format(err)) + ) + raise ArmisException() + + def get_access_token(self): + """get_access_token method will fetch the access token using api and set it in header for further use.""" + __method_name = inspect.currentframe().f_code.co_name + try: + body = {"secret_key": self._secret_key} + logging.info(consts.LOG_FORMAT.format(__method_name, "Getting access token.")) + response = self.make_rest_call(method="POST", url=consts.URL + consts.ACCESS_TOKEN_SUFFIX, data=body) + access_token = response["data"]["access_token"] + self.header.update({"Authorization": access_token}) + logging.info(consts.LOG_FORMAT.format(__method_name, "Generated access token Successfully.")) + except KeyError as err: + logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) + raise ArmisException() + except ArmisException: + raise ArmisException() + except Exception as err: + logging.error( + consts.LOG_FORMAT.format(__method_name, "Error while generating the access token : {}.".format(err)) + ) + raise ArmisException() 
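Review bot: The 401 retry in `make_rest_call` never re-sends the request: `response = requests.request(...)` runs once before `for _ in range(retry_401 + 1)`, so after `self.get_access_token()` and `continue` the loop re-examines the same stale `response`, refreshes the token `retry_401` more times and then raises "Max retries exceeded". Move the request inside the loop; because `headers` is the same `self.header` dict that `get_access_token` updates in place, the retried call picks up the new token automatically. Separately, `get_access_token` itself goes through `make_rest_call` with `retry_401=0`, and a 401 from the token endpoint (wrong secret) re-enters `get_access_token`, recursing until the resulting `RecursionError` is swallowed by the generic `except Exception` handler, so the 401 branch must not re-authenticate when `url` ends with `consts.ACCESS_TOKEN_SUFFIX`. The 400 branch also logs `response.text` verbatim; for the token request it is at least conceivable that the server echoes request fields, so consider logging only the status code on that path.
```python
        for attempt in range(retry_401 + 1):
            response = requests.request(
                method, url, headers=headers, params=params, data=data, timeout=consts.REQUEST_TIMEOUT
            )
            if response.status_code == 200:
                # … unchanged: success log and return response.json() …
                ...
            # … unchanged: 400 branch …
            elif response.status_code == 401:
                # A 401 from the token endpoint means a bad secret; re-authenticating would recurse.
                if url.endswith(consts.ACCESS_TOKEN_SUFFIX) or attempt == retry_401:
                    logging.error(consts.LOG_FORMAT.format(__method_name, "Unauthorized, Status code : 401."))
                    raise ArmisException()
                logging.error(
                    consts.LOG_FORMAT.format(
                        __method_name, "Unauthorized, Status code : {}, Retrying...".format(response.status_code)
                    )
                )
                self.get_access_token()  # refreshes self.header in place; `headers` is that same dict
                self.retry_count += 1
                continue
            # … unchanged: 429 / 500 / 502 / else branches …
```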
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip new file mode 100644 index 00000000000..f7219c0f5be Binary files /dev/null and b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip differ diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivities_API_FunctionApp.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivities_API_FunctionApp.json new file mode 100644 index 00000000000..f2209d0d96a --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivities_API_FunctionApp.json 
@@ -0,0 +1,145 @@
+{
+ "id": "ArmisAlertsActivities",
+ "title": "Armis Alerts Activities",
+ "publisher": "Armis",
+ "descriptionMarkdown": "The [Armis](https://www.armis.com/) Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ",
+ "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. which is deployed as part of the solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total Alerts data received",
+ "legend": "Armis_Alerts_CL",
+ "baseQuery": "Armis_Alerts_CL"
+ },
+ {
+ "metricName": "Total Activities data received",
+ "legend": "Armis_Activities_CL",
+ "baseQuery": "Armis_Activities_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "Armis Alert Events - All Alerts.",
+ "query": "Armis_Alerts_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description" : "Armis Activity Events - All Activities.",
+ "query": "Armis_Activities_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Armis_Alerts_CL",
+ "lastDataReceivedQuery": "Armis_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "Armis_Activities_CL",
+ "lastDataReceivedQuery": "Armis_Activities_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Armis_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ },
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Armis_Activities_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [{
+ "name": "Microsoft.Web/sites permissions",
+ "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
+ },
+ {
+ "name": "REST API Credentials/permissions",
+ "description": "**Armis Secret Key** is required. See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`"
+ }
+ ]
+ },
+ "instructionSteps": [{
+ "title": "",
+ "description": ">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
+ },
+ {
+ "title": "",
+ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
+ },
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities/ArmisAlerts and load the function code. The function usually takes 10-15 minutes to activate after solution installation/update."
+ },
+ {
+ "title": "",
+ "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Alerts Activities connector configuration"
+ },
+ {
+ "title": "",
+ "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alerts Activities data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)",
+ "instructions": [{
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Workspace ID"
+ },
+ "type": "CopyableLabel"
+ },
+ {
+ "parameters": {
+ "fillWith": [
+ "PrimaryKey"
+ ],
+ "label": "Primary Key"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ },
+ {
+ "title": "Option 1 - Azure Resource Manager (ARM) Template",
+ "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
+ },
+ {
+ "title": "Option 2 - Manual Deployment of Azure Functions",
+ "description": "Use the following step-by-step instructions to deploy the Armis Alerts Activities data connector manually with Azure Functions (Deployment via Visual Studio Code)."
+ },
+ {
+ "title": "",
+ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration."
+ },
+ {
+ "title": "",
+ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**."
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/Exceptions/ArmisExceptions.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/Exceptions/ArmisExceptions.py
new file mode 100644
index 00000000000..511169b052f
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/Exceptions/ArmisExceptions.py
@@ -0,0 +1,13 @@
+"""ArmisException module is for generating exception."""
+
+
+class ArmisException(Exception):
+ """ArmisException class will inherit Exception class."""
+
+ pass
+
+
+class ArmisDataNotFoundException(Exception):
+ """ArmisDataNotFoundException class will inherit Exception class."""
+
+ pass
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/README.md b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/README.md
new file mode 100644
index 00000000000..6c8eeb6999b
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/README.md
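Review bot: In `permissions.resourceProvider`, the workspace entry requires `"delete": true` while its `permissionsDisplayText` tells the user that "read and write permissions on the workspace are required", so the portal will demand more than the text admits; nothing in the instruction steps uses delete, so drop the `delete` entry or make the text match. The Armis API documentation URL is written as `https://.armis.com/api/v1/docs` in `descriptionMarkdown` but `https://.armis.com/api/v1/doc` under `customs`, and both leave the tenant part empty; a labelled placeholder such as `https://<instance>.armis.com/api/v1/docs` used consistently would read better. `additionalRequirementBanner` reads "to work as expected. which is deployed" and the STEP 2 description has "readily available..," — minor wording to tidy.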
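Review bot: `ArmisDataNotFoundException` subclasses `Exception` directly instead of `ArmisException`, so the `except ArmisException:` handlers visible elsewhere in this connector's Python code will let it propagate as an unrelated error; if it is meant to be a variant of the connector error, declare it as `class ArmisDataNotFoundException(ArmisException):`, and if the separate hierarchy is deliberate, a one-line comment saying so would save the next reader the question. The `pass` statements are redundant once a docstring is present and can be removed.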
@@ -0,0 +1,60 @@
+# ArmisAlertsActivities Integration for Microsoft Sentinel
+
+## Introduction
+
+This folder contains the Azure function time trigger code for ArmisAlertsActivities-Microsoft Sentinel connector. The connector will run periodically and ingest the Armis Alerts & Activities data into the Microsoft Sentinel logs custom table `Armis_Alerts_CL` and `Armis_Activities_CL`.
+## Folders
+
+1. `ArmisAlertsActivities/` - This contains the package, requirements, ARM JSON file, connector page template JSON, and other dependencies.
+2. `ArmisAlertActivitySentinelConnector/` - This contains the Azure function source code along with sample data.
+
+
+## Installing for the users
+
+After the solution is published, we can find the connector in the connector gallery of Microsoft Sentinel among other connectors in Data connectors section of Sentinel.
+
+i. Go to Microsoft Sentinel -> Data Connectors
+
+ii. Click on the ArmisAlertsActivities connector, connector page will open.
+
+iii. Click on the blue `Deploy to Azure` button.
+
+
+It will lead to a custom deployment page where after user need to select **Subscription**, **Resource Group** and **Location**.
+And need to enter below information to configure Armis Alerts data connector.
+```Function Name
+ Workspace ID
+ Workspace Key
+ Armis Secret Key
+ Armis URL (https://.armis.com/api/v1/)
+ Armis Alert Table Name
+ Armis Activity Table Name
+ Armis Schedule
+ Avoid Duplicates (Default: true)
+```
+
+
+The connector should start ingesting the data into the logs at every time interval specified during configuration.
+
+
+## Installing for testing
+
+
+i. Log in to Azure portal using the URL - [https://preview.portal.azure.com/?feature.BringYourOwnConnector=true](https://preview.portal.azure.com/?feature.BringYourOwnConnector=true).
+
+ii. Go to Microsoft Sentinel -> Data Connectors
+
+iii. Click the “import” button at the top and select the json file `ArmisAlertsActivities_API_FunctionApp.json` downloaded on your local machine from Github.
+
+iv. This will load the connector page and rest of the process will be same as the Installing for users guideline above.
+
+
+Each invocation and its logs of the function can be seen in Function App service of Azure, available in the Azure Portal outside the Microsoft Sentinel.
+
+i. Go to Function App and click on the function which you have deployed, identified with the given name at the deployment stage.
+
+ii. Go to Functions -> ArmisAlertActivitySentinelConnector -> Monitor
+
+iii. By clicking on invocation time, you can see all the logs for that run.
+
+**Note: Furthermore we can check logs in Application Insights of the given function in detail if needed. We can search the logs by operation ID in Transaction search section.**
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json
new file mode 100644
index 00000000000..5b927cf63a3
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json
@@ -0,0 +1,226 @@
+{
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "FunctionName": {
+ "defaultValue": "Alerts",
+ "minLength": 1,
+ "maxLength": 11,
+ "type": "string"
+ },
+ "WorkspaceID": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "WorkspaceKey": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "ArmisSecretKey": {
+ "type": "securestring",
+ "defaultValue": ""
+ },
+ "ArmisURL":{
+ "type": "string",
+ "defaultValue": ""
+ },
+ "ArmisAlertsTableName":{
+ "type": "string",
+ "defaultValue": "Armis_Alerts_CL"
+ },
+ "ArmisActivitiesTableName":{
+ "type": "string",
+ "defaultValue": "Armis_Activities_CL"
+ },
+ "ArmisSchedule":{
+ "type": "string",
+ "defaultValue": ""
+ },
+ "AvoidDuplicates":{
+ "type": "bool",
+ "defaultValue": true
+ },
+ "AppInsightsWorkspaceResourceID": {
+ "type": "string",
+ "metadata": {
+ "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
+ }
+ }
+ },
+ "variables": {
+ "FunctionName": "[concat(toLower(parameters('FunctionName')), uniqueString(resourceGroup().id))]",
+ "StorageSuffix": "[environment().suffixes.storage]",
+ "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('FunctionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('FunctionName')]",
+ "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('FunctionName'))]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": [],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('FunctionName')]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]",
+ "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]"
+ ],
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "name": "[variables('FunctionName')]",
+ "httpsOnly": true,
+ "clientAffinityEnabled": true,
+ "alwaysOn": true,
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "python|3.11"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2018-11-01",
+ "type": "config",
+ "name": "appsettings",
+ "dependsOn": [
+ "[concat('Microsoft.Web/sites/', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "FUNCTIONS_EXTENSION_VERSION": "~4",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]",
+ "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
+ "WorkspaceID": "[parameters('WorkspaceID')]",
+ "WorkspaceKey": "[parameters('WorkspaceKey')]",
+ "ArmisSecretKey": "[parameters('ArmisSecretKey')]",
+ "ArmisURL": "[parameters('ArmisURL')]",
+ "ArmisAlertsTableName": "[parameters('ArmisAlertsTableName')]",
+ "ArmisActivitiesTableName": "[parameters('ArmisActivitiesTableName')]",
+ "Schedule": "[parameters('ArmisSchedule')]",
+ "AvoidDuplicates": "[parameters('AvoidDuplicates')]",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ArmisAlertsActivities-functionapp"
+ }
+ }
+ ]
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ }
+ }
+ ]
+}
\ No newline at end of file
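Review bot: The `Microsoft.Storage/storageAccounts` resource sets `"defaultAction": "Allow"` and omits `minimumTlsVersion` and `allowBlobPublicAccess`, yet this is the account that later receives the `azure-webjobs-secrets` container holding the function's keys; apiVersion 2019-06-01 accepts both properties, so add `"minimumTlsVersion": "TLS1_2",` and `"allowBlobPublicAccess": false,` alongside `"supportsHttpsTrafficOnly": true`. `AvoidDuplicates` is declared as a `bool` parameter but is written verbatim into `appsettings`, whose values are strings; it is probably stringified at deployment, but that should be confirmed against how the function parses it, or the parameter declared as a `string` with a documented `"true"`/`"false"` default. The `WorkspaceKey` and `ArmisSecretKey` secure strings end up as plain application settings even though the connector page recommends Key Vault as an optional step; a Key Vault reference here would keep them out of the site configuration. The `AppInsightsWorkspaceResourceID` description also has a typo, "Febraury".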
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/host.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/host.json
new file mode 100644
index 00000000000..1531bf9b495
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/host.json
@@ -0,0 +1,16 @@
+{
+ "version": "2.0",
+ "functionTimeout": "00:10:00",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[3.*, 4.0.0)"
+ }
+ }
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/proxies.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/proxies.json
new file mode 100644
index 00000000000..b20e0c7f210
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/proxies.json
@@ -0,0 +1,4 @@
+{
+ "$schema": "http://json.schemastore.org/proxies",
+ "proxies": {}
+}
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt
new file mode 100644
index 00000000000..19af94f97bf
--- /dev/null
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt
@@ -0,0 +1,7 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+azure-functions
+azure-storage-file-share==12.3.0
+requests
\ No newline at end of file
diff --git a/Solutions/Armis/Data/Solution_Armis.json b/Solutions/Armis/Data/Solution_Armis.json
index 092988bc2af..b0d4aa04ea5
--- a/Solutions/Armis/Data/Solution_Armis.json
+++ b/Solutions/Armis/Data/Solution_Armis.json
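Review bot: In requirements.txt, `azure-functions` and `requests` carry no version constraint while `azure-storage-file-share==12.3.0` is pinned, so the deployment package is built from whatever those two resolve to on the day it is assembled; pin them to the versions the connector was tested with (e.g. `requests==<tested version>`) and consider generating hashes with `pip-compile --generate-hashes` so the build is reproducible and tamper-evident. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.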
@@ -9,15 +9,14 @@
 "Parsers/ArmisAlerts.yaml"
 ],
 "Data Connectors": [
- "Data Connectors/ArmisActivities/ArmisActivities_API_FunctionApp.json",
- "Data Connectors/ArmisDevice/ArmisDevice_API_FunctionApp.json",
- "Data Connectors/ArmisAlerts/ArmisAlerts_API_FunctionApp.json"
+ "Data Connectors/ArmisAlertsActivities/ArmisAlertsActivities_API_FunctionApp.json",
+ "Data Connectors/ArmisDevice/ArmisDevice_API_FunctionApp.json"
 ],
 "Playbooks":[
 "Playbooks/ArmisUpdateAlertStatus/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Armis",
- "Version": "3.0.2",
+ "Version": "3.1.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Armis/Package/3.1.0.zip b/Solutions/Armis/Package/3.1.0.zip
new file mode 100644
index 00000000000..3fb3e9cbbfc
Binary files /dev/null and b/Solutions/Armis/Package/3.1.0.zip differ
diff --git a/Solutions/Armis/Package/createUiDefinition.json b/Solutions/Armis/Package/createUiDefinition.json
index 11646b14b01..ed83acd51b6
--- a/Solutions/Armis/Package/createUiDefinition.json
+++ b/Solutions/Armis/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Armis/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Armis](https://www.armis.com/) Solution gives the capability to ingest Armis Devices, Alerts and device Activities into Microsoft Sentinel through the Armis REST API.\n\n**Data Connectors:** 3, **Parsers:** 3, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Armis/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Armis](https://www.armis.com/) Solution gives the capability to ingest Armis Devices, Alerts and device Activities into Microsoft Sentinel through the Armis REST API.\n\n**Data Connectors:** 2, **Parsers:** 3, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Armis/Package/mainTemplate.json b/Solutions/Armis/Package/mainTemplate.json
index 635ff91896e..250b5582ca0
--- a/Solutions/Armis/Package/mainTemplate.json
+++ b/Solutions/Armis/Package/mainTemplate.json
@@ -33,7 +33,7 @@
 "email": "support@armis.com}",
 "_email": "[variables('email')]",
 "_solutionName": "Armis",
- "_solutionVersion": "3.0.3",
+ "_solutionVersion": "3.1.0",
 "solutionId": "armisinc1668090987837.armis-solution",
 "_solutionId": "[variables('solutionId')]",
 "parserObject1": {
@@ -57,9 +57,9 @@
 "parserVersion3": "1.0.0",
 "parserContentId3": "ArmisAlerts-Parser"
 },
- "uiConfigId1": "ArmisActivities",
+ "uiConfigId1": "ArmisAlertsActivities",
 "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "ArmisActivities",
+ "dataConnectorContentId1": "ArmisAlertsActivities",
 "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
@@ -75,15 +75,6 @@
 "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
 "dataConnectorVersion2": "1.0.0",
 "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
- "uiConfigId3": "ArmisAlerts",
- "_uiConfigId3": "[variables('uiConfigId3')]",
- "dataConnectorContentId3": "ArmisAlerts",
- "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]",
- "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
- "_dataConnectorId3": "[variables('dataConnectorId3')]",
- "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]",
- "dataConnectorVersion3": "1.0.0",
- "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]",
 "ArmisUpdateAlertStatus": "ArmisUpdateAlertStatus",
 "_ArmisUpdateAlertStatus": "[variables('ArmisUpdateAlertStatus')]",
 "playbookVersion1": "1.0",
@@ -106,7 +97,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ArmisActivities Data Parser with template version 3.0.3",
+ "description": "ArmisActivities Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -123,7 +114,7 @@
 "displayName": "Parser for ArmisActivities",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "ArmisActivities",
- "query": "let ArmisActivities_view = view () { \n Armis_Activities_CL\n | extend \n EventVendor=\"ArmisActivities\",\n EventProduct=\"ArmisActivities\",\n ActivityUUID = column_ifexists('activityUUID_s', ''),\n Content = column_ifexists('content_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n SensorName = column_ifexists('sensor_name_s', ''),\n SensorType = column_ifexists('sensor_type_s', ''),\n SiteLocation = column_ifexists('site_location_s', ''),\n SiteName = column_ifexists('site_name_s', ''),\n Time = column_ifexists('time_t', ''),\n Title = column_ifexists('title_s', ''),\n Type = column_ifexists('type_s', '')\n | project\n TimeGenerated,\n\t\t\t\tEventVendor,\n EventProduct,\n ActivityUUID,\n Content,\n Protocol,\n SensorName,\n SensorType,\n SiteLocation,\n SiteName,\n Time,\n Title,\n Type\n};\nArmisActivities_view\n",
+ "query": "let ArmisActivities_view = view () { \n Armis_Activities_CL\n | extend \n EventVendor=\"ArmisActivities\",\n EventProduct=\"ArmisActivities\",\n ActivityUUID = coalesce(column_ifexists('activityUUID_s', ''),column_ifexists('activityUUID_g', ''),''),\n Content = column_ifexists('content_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n SensorName = column_ifexists('sensor_name_s', ''),\n SensorType = column_ifexists('sensor_type_s', ''),\n SiteLocation = column_ifexists('site_location_s', ''),\n SiteName = column_ifexists('site_name_s', ''),\n Time = column_ifexists('time_t', ''),\n Title = column_ifexists('title_s', ''),\n Type = column_ifexists('type_s', '')\n | project\n TimeGenerated,\n\t\t\t\tEventVendor,\n EventProduct,\n ActivityUUID,\n Content,\n Protocol,\n SensorName,\n SensorType,\n SiteLocation,\n SiteName,\n Time,\n Title,\n Type\n};\nArmisActivities_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -188,7 +179,7 @@
 "displayName": "Parser for ArmisActivities",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "ArmisActivities",
- "query": "let ArmisActivities_view = view () { \n Armis_Activities_CL\n | extend \n EventVendor=\"ArmisActivities\",\n EventProduct=\"ArmisActivities\",\n ActivityUUID = column_ifexists('activityUUID_s', ''),\n Content = column_ifexists('content_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n SensorName = column_ifexists('sensor_name_s', ''),\n SensorType = column_ifexists('sensor_type_s', ''),\n SiteLocation = column_ifexists('site_location_s', ''),\n SiteName = column_ifexists('site_name_s', ''),\n Time = column_ifexists('time_t', ''),\n Title = column_ifexists('title_s', ''),\n Type = column_ifexists('type_s', '')\n | project\n TimeGenerated,\n\t\t\t\tEventVendor,\n EventProduct,\n ActivityUUID,\n Content,\n Protocol,\n SensorName,\n SensorType,\n SiteLocation,\n SiteName,\n Time,\n Title,\n Type\n};\nArmisActivities_view\n",
+ "query": "let ArmisActivities_view = view () { \n Armis_Activities_CL\n | extend \n EventVendor=\"ArmisActivities\",\n EventProduct=\"ArmisActivities\",\n ActivityUUID = coalesce(column_ifexists('activityUUID_s', ''),column_ifexists('activityUUID_g', ''),''),\n Content = column_ifexists('content_s', ''),\n Protocol = column_ifexists('protocol_s', ''),\n SensorName = column_ifexists('sensor_name_s', ''),\n SensorType = column_ifexists('sensor_type_s', ''),\n SiteLocation = column_ifexists('site_location_s', ''),\n SiteName = column_ifexists('site_name_s', ''),\n Time = column_ifexists('time_t', ''),\n Title = column_ifexists('title_s', ''),\n Type = column_ifexists('type_s', '')\n | project\n TimeGenerated,\n\t\t\t\tEventVendor,\n EventProduct,\n ActivityUUID,\n Content,\n Protocol,\n SensorName,\n SensorType,\n SiteLocation,\n SiteName,\n Time,\n Title,\n Type\n};\nArmisActivities_view\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
@@ -238,7 +229,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ArmisDevice Data Parser with template version 3.0.3",
+ "description": "ArmisDevice Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -370,7 +361,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ArmisAlerts Data Parser with template version 3.0.3",
+ "description": "ArmisAlerts Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -502,7 +493,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Armis data connector with template version 3.0.3",
+ "description": "Armis data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -518,11 +509,16 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Armis Activities (using Azure Functions)", + "title": "Armis Alerts Activities (using Azure Functions)", "publisher": "Armis", - "descriptionMarkdown": "The [Armis](https://www.armis.com/) Activities connector gives the capability to ingest Armis device Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/doc` for more information. The connector provides the ability to get device activity information from the Armis platform. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Armis detects what all devices are doing in your environment and classifies those activities to get a complete picture of device behavior. These activities are analyzed for an understanding of normal and abnormal device behavior and used to assess device and network risk.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "descriptionMarkdown": "The [Armis](https://www.armis.com/) Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. 
which is deployed as part of the solution.", "graphQueries": [ + { + "metricName": "Total Alerts data received", + "legend": "Armis_Alerts_CL", + "baseQuery": "Armis_Alerts_CL" + }, { "metricName": "Total Activities data received", "legend": "Armis_Activities_CL", @@ -531,17 +527,31 @@ ], "sampleQueries": [ { - "description": "Armis Activity Events - All Activities Activities.", + "description": "Armis Alert Events - All Alerts.", + "query": "Armis_Alerts_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Armis Activity Events - All Activities.", "query": "Armis_Activities_CL\n | sort by TimeGenerated desc" } ], "dataTypes": [ + { + "name": "Armis_Alerts_CL", + "lastDataReceivedQuery": "Armis_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { "name": "Armis_Activities_CL", "lastDataReceivedQuery": "Armis_Activities_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Armis_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + }, { "type": "IsConnectedQuery", "value": [ 
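Review bot: The new `additionalRequirementBanner` value `These queries and workbooks are dependent on a parser based on Kusto to work as expected. which is deployed as part of the solution.` is a fragment spliced after a full stop and reads as if a clause was lost while editing; the banner it replaces was one complete sentence. Suggested text: `"additionalRequirementBanner": "These queries and workbooks depend on a Kusto-based parser, deployed as part of the solution, to work as expected."`. The new `descriptionMarkdown` also ends with a trailing space before its closing quote. The same banner and description are introduced again in the `@@ -720,10 +730,15 @@` and `@@ -825,22 +854,22 @@` hunks; the enclosing `connectorUiConfig` object continues outside this hunk.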
@@ -595,13 +605,13 @@ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." }, { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis/Parsers/ArmisActivities.yaml). The function usually takes 10-15 minutes to activate after solution installation/update." + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities/ArmisAlerts and load the function code. The function usually takes 10-15 minutes to activate after solution installation/update." }, { - "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Activities connector configuration" + "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. 
Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Alerts Activities connector configuration" }, { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Activities data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alerts Activities data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", "instructions": [ { "parameters": { 
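Review bot: The rewritten NOTE says `search for the alias ArmisActivities/ArmisAlerts`, which a reader can take as a single alias containing a slash; since the connector now feeds two parsers, naming both explicitly avoids that, e.g. `search for the aliases ArmisActivities and ArmisAlerts`. The previous text also linked the parser source on GitHub and the new text drops it, so users lose the only pointer to the parser definition outside the workspace; a link per parser would preserve that. The same wording change is made in the `@@ -796,13 +825,13 @@` hunk.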
@@ -624,18 +634,18 @@ ] }, { - "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: false) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { - "description": "Use the following step-by-step instructions to deploy the Armis Activity data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "description": "Use the following step-by-step instructions to deploy the Armis Alerts Activities data connector manually with Azure Functions (Deployment via Visual Studio Code).", "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisActivitiesAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. 
For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: false) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." } ] } 
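Review bot: Both deployment descriptions now state `Avoid Duplicates (Default: true)` where the previous text said `false`, but the value a default deployment actually applies is set by the ARM template and the function app settings, which this diff does not show; please confirm those defaults were flipped as well, otherwise the portal instructions misstate what a fresh deployment does. The Deploy buttons and the function-app download now point at `https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy`, `-azuredeploy-gov` and `-functionapp`, and those short links must be registered before this ships or every deploy path in the UI dead-ends. The step-2 settings list asks for `Workspace Key` and `Armis Secret Key` as plain application settings, and a short pointer back to the optional Key Vault step (a Key Vault reference can be entered in the same setting) would keep the recommended secret handling in front of the user at the point they type the values. The same text is repeated in the `@@ -825,22 +854,22 @@` hunk.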
@@ -676,7 +686,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('_dataConnectorContentId1')]",
 "contentKind": "DataConnector",
- "displayName": "Armis Activities (using Azure Functions)",
+ "displayName": "Armis Alerts Activities (using Azure Functions)",
 "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
 "id": "[variables('_dataConnectorcontentProductId1')]",
 "version": "[variables('dataConnectorVersion1')]"
@@ -720,10 +730,15 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "Armis Activities (using Azure Functions)",
+ "title": "Armis Alerts Activities (using Azure Functions)",
 "publisher": "Armis",
- "descriptionMarkdown": "The [Armis](https://www.armis.com/) Activities connector gives the capability to ingest Armis device Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/doc` for more information. The connector provides the ability to get device activity information from the Armis platform. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. Armis detects what all devices are doing in your environment and classifies those activities to get a complete picture of device behavior. These activities are analyzed for an understanding of normal and abnormal device behavior and used to assess device and network risk.",
+ "descriptionMarkdown": "The [Armis](https://www.armis.com/) Alerts Activities connector gives the capability to ingest Armis Alerts and Activities into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert and activity information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ",
 "graphQueries": [
+ {
+ "metricName": "Total Alerts data received",
+ "legend": "Armis_Alerts_CL",
+ "baseQuery": "Armis_Alerts_CL"
+ },
 {
 "metricName": "Total Activities data received",
 "legend": "Armis_Activities_CL",
@@ -731,12 +746,22 @@
 }
 ],
 "dataTypes": [
+ {
+ "name": "Armis_Alerts_CL",
+ "lastDataReceivedQuery": "Armis_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
 {
 "name": "Armis_Activities_CL",
 "lastDataReceivedQuery": "Armis_Activities_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Armis_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ },
 {
 "type": "IsConnectedQuery",
 "value": [
@@ -746,7 +771,11 @@
 ],
 "sampleQueries": [
 {
- "description": "Armis Activity Events - All Activities Activities.",
+ "description": "Armis Alert Events - All Alerts.",
+ "query": "Armis_Alerts_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Armis Activity Events - All Activities.",
 "query": "Armis_Activities_CL\n | sort by TimeGenerated desc"
 }
 ],
@@ -796,13 +825,13 @@ "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." }, { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Armis/Parsers/ArmisActivities.yaml). The function usually takes 10-15 minutes to activate after solution installation/update." + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArmisActivities/ArmisAlerts and load the function code. The function usually takes 10-15 minutes to activate after solution installation/update." }, { - "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Activities connector configuration" + "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. 
Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. The secret key can now be copied and used during the Armis Alerts Activities connector configuration" }, { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Activities data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", + "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alerts Activities data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", "instructions": [ { "parameters": { 
@@ -825,22 +854,22 @@ ] }, { - "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: false) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { - "description": "Use the following step-by-step instructions to deploy the Armis Activity data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "description": "Use the following step-by-step instructions to deploy the Armis Alerts Activities data connector manually with Azure Functions (Deployment via Visual Studio Code).", "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisActivitiesAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. 
For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsActivitiesAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. 
A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: false) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Activity Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." 
} ], "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. which is deployed as part of the solution." } } }, @@ -853,7 +882,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Armis data connector with template version 3.0.3", + "description": "Armis data connector with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -1195,357 +1224,6 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Armis data connector with template version 3.0.3", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId3')]", - "title": "Armis Alerts (using Azure Functions)", - "publisher": "Armis", - "descriptionMarkdown": "The [Armis](https://www.armis.com/) Alerts connector gives the capability to ingest Armis Alerts into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. The connector provides the ability to get alert information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. 
Follow the steps to use this Kusto functions alias **ArmisAlerts** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-ArmisAlertsAPI-parser).", - "graphQueries": [ - { - "metricName": "Total Alerts data received", - "legend": "Armis_Alerts_CL", - "baseQuery": "Armis_Alerts_CL" - } - ], - "sampleQueries": [ - { - "description": "Armis Alert Events - All Alerts Activities.", - "query": "Armis_Alerts_CL\n | sort by TimeGenerated desc" - } - ], - "dataTypes": [ - { - "name": "Armis_Alerts_CL", - "lastDataReceivedQuery": "Armis_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Armis_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
- }, - { - "name": "REST API Credentials/permissions", - "description": "**Armis Secret Key** is required. See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ArmisAlertsAPI-parser) to create the Kusto functions alias, **ArmisAlerts**" - }, - { - "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. 
The secret key can now be copied and used during the Armis Alerts connector configuration" - }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alert data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Armis Alert data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "Armis", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "{Armis", - "email": "[variables('_email')]" - }, - "support": { - "name": "Armis Corporation", - "email": "support@armis.com", - "tier": "Partner", - "link": "https://support.armis.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId3')]", - "contentKind": "DataConnector", - "displayName": "Armis Alerts (using Azure 
Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId3')]", - "id": "[variables('_dataConnectorcontentProductId3')]", - "version": "[variables('dataConnectorVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId3')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "Armis", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "{Armis", - "email": "[variables('_email')]" - }, - "support": { - "name": "Armis Corporation", - "email": "support@armis.com", - "tier": "Partner", - "link": "https://support.armis.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Armis Alerts (using Azure Functions)", - "publisher": "Armis", - "descriptionMarkdown": "The [Armis](https://www.armis.com/) Alerts connector gives the capability to ingest Armis Alerts into Microsoft Sentinel through the Armis REST API. Refer to the API documentation: `https://.armis.com/api/v1/docs` for more information. 
The connector provides the ability to get alert information from the Armis platform and to identify and prioritize threats in your environment. Armis uses your existing infrastructure to discover and identify devices without having to deploy any agents. ", - "graphQueries": [ - { - "metricName": "Total Alerts data received", - "legend": "Armis_Alerts_CL", - "baseQuery": "Armis_Alerts_CL" - } - ], - "dataTypes": [ - { - "name": "Armis_Alerts_CL", - "lastDataReceivedQuery": "Armis_Alerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "Armis_Alerts_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Armis Alert Events - All Alerts Activities.", - "query": "Armis_Alerts_CL\n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "REST API Credentials/permissions", - "description": "**Armis Secret Key** is required. See the documentation to learn more about API on the `https://.armis.com/api/v1/doc`" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the Armis API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." - }, - { - "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. [Follow these steps](https://aka.ms/sentinel-ArmisAlertsAPI-parser) to create the Kusto functions alias, **ArmisAlerts**" - }, - { - "description": "**STEP 1 - Configuration steps for the Armis API**\n\n Follow these instructions to create an Armis API secret key.\n 1. Log into your Armis instance\n 2. Navigate to Settings -> API Management\n 3. If the secret key has not already been created, press the Create button to create the secret key\n 4. To access the secret key, press the Show button\n 5. 
The secret key can now be copied and used during the Armis Alerts connector configuration" - }, - { - "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Armis Alert data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Armis API Authorization Key(s)", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Workspace ID" - }, - "type": "CopyableLabel" - }, - { - "parameters": { - "fillWith": [ - "PrimaryKey" - ], - "label": "Primary Key" - }, - "type": "CopyableLabel" - } - ] - }, - { - "description": "Use this method for automated deployment of the Armis connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-ArmisAlertsAPI-azuredeploy-gov)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tFunction Name \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Armis Alert data connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-ArmisAlertsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. ARMISXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." - }, - { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tArmis Secret Key \n\t\tArmis URL (https://.armis.com/api/v1/) \n\t\tArmis Alert Table Name \n\t\tArmis Schedule \n\t\tAvoid Duplicates (Default: true) \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." - } - ], - "id": "[variables('_uiConfigId3')]", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **ArmisAlerts** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-ArmisAlertsAPI-parser)." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -1555,7 +1233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ArmisUpdateAlertStatus Playbook with template version 3.0.3", + "description": "ArmisUpdateAlertStatus Playbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", 
@@ -2119,12 +1797,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Armis", "publisherDisplayName": "Armis Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Armis Solution gives the capability to ingest Armis Devices, Alerts and device Activities into Microsoft Sentinel through the Armis REST API.

\n

Data Connectors: 3, Parsers: 3, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Armis Solution gives the capability to ingest Armis Devices, Alerts and device Activities into Microsoft Sentinel through the Armis REST API.

\n

Data Connectors: 2, Parsers: 3, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -2174,11 +1852,6 @@
 "contentId": "[variables('_dataConnectorContentId2')]",
 "version": "[variables('dataConnectorVersion2')]"
 },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId3')]",
- "version": "[variables('dataConnectorVersion3')]"
- },
 {
 "kind": "Playbook",
 "contentId": "[variables('_ArmisUpdateAlertStatus')]",
@@ -2187,7 +1860,7 @@
 ]
 },
 "firstPublishDate": "2022-08-02",
- "lastPublishDate": "2022-08-02",
+ "lastPublishDate": "2024-08-23",
 "providers": [
 "Armis"
 ],
diff --git a/Solutions/Armis/Parsers/ArmisActivities.yaml b/Solutions/Armis/Parsers/ArmisActivities.yaml
index 76228fa02b6..c83f8cc8ff6 100644
--- a/Solutions/Armis/Parsers/ArmisActivities.yaml
+++ b/Solutions/Armis/Parsers/ArmisActivities.yaml
@@ -12,7 +12,7 @@ FunctionQuery: |
 | extend
 EventVendor="ArmisActivities",
 EventProduct="ArmisActivities",
- ActivityUUID = column_ifexists('activityUUID_s', ''),
+ ActivityUUID = coalesce(column_ifexists('activityUUID_s', ''),column_ifexists('activityUUID_g', ''),''),
 Content = column_ifexists('content_s', ''),
 Protocol = column_ifexists('protocol_s', ''),
 SensorName = column_ifexists('sensor_name_s', ''),
diff --git a/Solutions/Armis/ReleaseNotes.md b/Solutions/Armis/ReleaseNotes.md
index eca8b30c557..c3420f3ca65 100644
--- a/Solutions/Armis/ReleaseNotes.md
+++ b/Solutions/Armis/ReleaseNotes.md
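Review bot: The new `ActivityUUID` expression passes the `activityUUID_g` column into `coalesce` next to string values; if that column is GUID-typed, as the `_g` suffix suggests, the normalized field may change type, or the query may fail, depending on which of the two columns exists in a given workspace. Casting keeps the output a string in every case: `ActivityUUID = coalesce(column_ifexists('activityUUID_s', ''), tostring(column_ifexists('activityUUID_g', ''))),`. The trailing `''` argument is redundant, since the second `column_ifexists` already falls back to the empty string. The `extend` this line belongs to continues outside the hunk.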
@@ -1,6 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.1.0 | 11-09-2024 | Updated Armis Alerts Data connector to ingest Armis Activities associated with only Armis Alerts.|
 | 3.0.3 | 26-08-2024 | Updated the python runtime version to **3.11**|
 | 3.0.2 | 03-05-2024 | Repackaged for parser issue fix on reinstall|
 | 3.0.1 | 15-04-2024 | Added Deploy to Azure Government button in **Data connectors**|
-| 3.0.0 | 03-11-2023 | Fixed vulnerability related issue by passing the scret key in the body of the request instead of the param in the data connector and playbook |
+| 3.0.0 | 03-11-2023 | Fixed vulnerability related issue by passing the scret key in the body of the request instead of the param in the data connector and playbook |
\ No newline at end of file
diff --git a/Solutions/Armis/SolutionMetadata.json b/Solutions/Armis/SolutionMetadata.json
index 1cc085ac34b..a189bbe686b 100644
--- a/Solutions/Armis/SolutionMetadata.json
+++ b/Solutions/Armis/SolutionMetadata.json
@@ -2,7 +2,7 @@
 "publisherId": "armisinc1668090987837",
 "offerId": "armis-solution",
 "firstPublishDate": "2022-08-02",
- "lastPublishDate": "2022-08-02",
+ "lastPublishDate": "2024-08-23",
 "providers": ["Armis"],
 "categories": {
 "domains" : ["Security - Network"],
diff --git a/Solutions/CTM360/Data Connectors/CBS/CTM360_CBS_API_functionApp.json b/Solutions/CTM360/Data Connectors/CBS/CTM360_CBS_API_functionApp.json
index 75c24bcf383..8eef2bd27a3 100644
--- a/Solutions/CTM360/Data Connectors/CBS/CTM360_CBS_API_functionApp.json
+++ b/Solutions/CTM360/Data Connectors/CBS/CTM360_CBS_API_functionApp.json
@@ -1,6 +1,6 @@
 {
 "id": "CBSPollingIDAzureFunctions",
- "title": "Cyber Blind Spot Intergration",
+ "title": "Cyber Blind Spot Integration",
 "publisher": "CTM360",
 "descriptionMarkdown": "Through the API integration, you have the capability to retrieve all the issues related to your CBS organizations via a RESTful interface.",
 "graphQueries": [
@@ -118,4 +118,4 @@
 "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCTM360AccountID\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tCTM360Key\n\t\tFUNCTION_NAME\n\t\tlogAnalyticsUri - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**."
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Solutions/Cisco ETD/Data Connectors/CiscoETDAzureFunction.zip b/Solutions/Cisco ETD/Data Connectors/CiscoETDAzureFunction.zip
index 9d3556a960b..79128f77ff4 100644
Binary files a/Solutions/Cisco ETD/Data Connectors/CiscoETDAzureFunction.zip and b/Solutions/Cisco ETD/Data Connectors/CiscoETDAzureFunction.zip differ
diff --git a/Solutions/Cisco ETD/Data Connectors/azuredeploy_CiscoETD_API_FunctionApp.json b/Solutions/Cisco ETD/Data Connectors/azuredeploy_CiscoETD_API_FunctionApp.json
index 22580a5a548..b234349e8d1 100644
--- a/Solutions/Cisco ETD/Data Connectors/azuredeploy_CiscoETD_API_FunctionApp.json
+++ b/Solutions/Cisco ETD/Data Connectors/azuredeploy_CiscoETD_API_FunctionApp.json
@@ -293,7 +293,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip
index 0c2bad393c1..67b5ff25943 100644
Binary files a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip and b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip differ
diff --git a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp.json b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp.json
index 361275d24db..dd514d68b72 100644
--- a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp.json
+++ b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrella_API_FunctionApp.json
@@ -171,14 +171,14 @@
 },
 {
 "title": "Option 2 - Manual Deployment of Azure Functions",
- "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).",
+ "description": "Use the following step-by-step instructions to deploy the Cisco Umbrella data connector manually with Azure Functions (Deployment via Visual Studio Code).",
 "instructions": [
 {
 "parameters": {
 "instructionSteps": [
 {
 "title": "Step 1 - Deploy a Function App",
- "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
+ "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it."
 },
 {
 "title": "Step 2 - Configure the Function App",
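Review bot: The Step 1 link now points at the Python 3.9 variant of the manual deployment guide, and the companion `azuredeploy_CiscoUmbrella_API_FunctionApp.json` hunk on the next line pins `"linuxFxVersion": "python|3.9"`, while the Cisco ETD connector in this same change moves to `python|3.11`. Python 3.9 reaches upstream end-of-life in October 2025, and Azure Functions language support generally tracks that schedule, so this connector will likely need another runtime bump soon after it ships. Unless something in `CiscoUmbrellaConn.zip` is 3.9-specific, targeting 3.11 here too, with the matching instructions link, would keep both connectors on one supported runtime.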
diff --git a/Solutions/CiscoUmbrella/Data Connectors/azuredeploy_CiscoUmbrella_API_FunctionApp.json b/Solutions/CiscoUmbrella/Data Connectors/azuredeploy_CiscoUmbrella_API_FunctionApp.json
index 3e18a91acf1..7f2c5255712 100644
--- a/Solutions/CiscoUmbrella/Data Connectors/azuredeploy_CiscoUmbrella_API_FunctionApp.json
+++ b/Solutions/CiscoUmbrella/Data Connectors/azuredeploy_CiscoUmbrella_API_FunctionApp.json
@@ -143,7 +143,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.9"
 }
 },
 "resources": [
diff --git a/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json b/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
index f22374b5fdd..3ab071d1eb2 100644
--- a/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
+++ b/Solutions/CiscoUmbrella/Data/Solution_CiscoUmbrella.json
@@ -34,7 +34,7 @@
 "Hunting Queries/CiscoUmbrellaRequestsUncategorizedURI.yaml"
 ],
 "Parsers": [
- "Parsers/Cisco_Umbrella"
+ "Parsers/Cisco_Umbrella.yaml"
 ],
 "Playbooks": [
 "Playbooks/CiscoUmbrellaEnforcementAPIConnector/azuredeploy.json",
diff --git a/Solutions/CiscoUmbrella/Package/3.0.2.zip b/Solutions/CiscoUmbrella/Package/3.0.2.zip
index 51cb04ee24c..2e2304681e6 100644
Binary files a/Solutions/CiscoUmbrella/Package/3.0.2.zip and b/Solutions/CiscoUmbrella/Package/3.0.2.zip differ
diff --git a/Solutions/CiscoUmbrella/Package/createUiDefinition.json b/Solutions/CiscoUmbrella/Package/createUiDefinition.json
index ea0ec41ed68..879fa666de3 100644
--- a/Solutions/CiscoUmbrella/Package/createUiDefinition.json
+++ b/Solutions/CiscoUmbrella/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoUmbrella/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 4, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoUmbrella/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Umbrella](https://umbrella.cisco.com/) solution for Microsoft Sentinel enables you to ingest [Cisco Umbrella events](https://docs.umbrella.com/deployment-umbrella/docs/log-formats-and-versioning) stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10, **Custom Azure Logic Apps Connectors:** 4, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
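Review bot: The dependency list in this description still presents the Azure Monitor HTTP Data Collector API as a plain dependency, but Microsoft has announced that API's retirement in favour of the Logs Ingestion API, so an installer reading this text is not told the connector rests on a deprecated ingestion path; suggest appending `(deprecated; scheduled for retirement in favour of the Logs Ingestion API)` to item a, or at least recording it in ReleaseNotes.md. The same sentence is duplicated in mainTemplate.json's `descriptionHtml` below, and because both Package/ files are generated from the solution metadata the wording should be changed at the source and repackaged. Whether the function app itself can be moved to the Logs Ingestion API is outside this diff.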
diff --git a/Solutions/CiscoUmbrella/Package/mainTemplate.json b/Solutions/CiscoUmbrella/Package/mainTemplate.json index 07c990f4810..b25cb36997f 100644 --- a/Solutions/CiscoUmbrella/Package/mainTemplate.json +++ b/Solutions/CiscoUmbrella/Package/mainTemplate.json @@ -180,6 +180,13 @@ "_huntingQuerycontentId10": "de2ec986-ee24-465f-adf2-b718997074c1", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('de2ec986-ee24-465f-adf2-b718997074c1')))]" }, + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','CiscoUmbrella Data Parser')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoUmbrella Data Parser')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('Cisco_Umbrella-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "Cisco_Umbrella-Parser" + }, "CiscoUmbrellaEnforcementAPIConnector": "CiscoUmbrellaEnforcementAPIConnector", "_CiscoUmbrellaEnforcementAPIConnector": "[variables('CiscoUmbrellaEnforcementAPIConnector')]", "TemplateEmptyArray": "[json('[]')]", 
@@ -435,14 +442,14 @@ }, { "title": "Option 2 - Manual Deployment of Azure Functions", - "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "description": "Use the following step-by-step instructions to deploy the Cisco Umbrella data connector manually with Azure Functions (Deployment via Visual Studio Code).", "instructions": [ { "parameters": { "instructionSteps": [ { "title": "Step 1 - Deploy a Function App", - "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { "title": "Step 2 - Configure the Function App", 
@@ -707,14 +714,14 @@ }, { "title": "Option 2 - Manual Deployment of Azure Functions", - "description": "Use the following step-by-step instructions to deploy the Sophos Endpoint Protection data connector manually with Azure Functions (Deployment via Visual Studio Code).", + "description": "Use the following step-by-step instructions to deploy the Cisco Umbrella data connector manually with Azure Functions (Deployment via Visual Studio Code).", "instructions": [ { "parameters": { "instructionSteps": [ { "title": "Step 1 - Deploy a Function App", - "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." + "description": "**NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/create-first-function-vs-code-python) for Azure Functions development.\n\n1. Download the [Azure Functions App](https://aka.ms/sentinel-CiscoUmbrellaConn-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { "title": "Step 2 - Configure the Function App", 
@@ -891,13 +898,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1000,22 +1007,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1120,22 +1127,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1236,22 +1243,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1359,22 +1366,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -1479,22 +1486,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1597,22 +1604,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1715,22 +1722,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -1830,22 +1837,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -1945,22 +1952,22 @@ ], "entityMappings": [ { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlOriginal" + "columnName": "UrlOriginal", + "identifier": "Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -2857,6 +2864,138 @@ "version": "1.0.0" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Cisco_Umbrella Data Parser with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CiscoUmbrella Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "Cisco_Umbrella", + "query": "let Cisco_Umbrella_dns_view = view () { \n Cisco_Umbrella_dns_CL\n | extend \n EventEndTime=column_ifexists('Timestamp_t', ''),\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n DnsQueryName=column_ifexists('Domain_s', ''),\n UrlCategory=column_ifexists('Categories_s', ''),\n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n Identities=column_ifexists('Identities_s', ''),\n DnsQueryTypeName=column_ifexists('QueryType_s', ''),\n DnsResponseCodeName=column_ifexists('ResponseCode_s', ''),\n IdentityTypes=column_ifexists('Identity_Types_s', ''),\n EventType=column_ifexists('EventType_s', ''),\n PolicyIdentity=column_ifexists('Policy_Identity_s', ''),\n 
PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', '')\n | project \n TimeGenerated,\n EventEndTime,\n SrcIpAddr,\n SrcNatIpAddr,\n DvcAction,\n DnsQueryName,\n UrlCategory,\n ThreatCategory,\n Identities,\n DnsQueryTypeName,\n DnsResponseCodeName,\n IdentityTypes,\n EventType,\n PolicyIdentity,\n PolicyIdentityType\n};\nlet Cisco_Umbrella_proxy_view = view () { \n Cisco_Umbrella_proxy_CL\n | extend \n EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n Identities=column_ifexists('Identities_s', ''),\n SrcIpAddr=column_ifexists('Internal_IP_s', ''),\n SrcNatIpAddr=column_ifexists('External_IP_s', ''),\n DstIpAddr=column_ifexists('Destination_IP_s', ''),\n HttpContentType=column_ifexists('Content_Type_s', ''),\n DvcAction=column_ifexists('Verdict_s', ''),\n UrlOriginal=column_ifexists('URL_s', ''),\n HttpReferrerOriginal=column_ifexists('Referer_s', ''),\n HttpUserAgentOriginal=column_ifexists('userAgent_s', ''),\n HttpStatusCode=column_ifexists('statusCode_s', ''),\n SrcBytes=column_ifexists('requestSize_d', ''),\n DstBytes=column_ifexists('responseSize_d', ''),\n HttpResponseBodyBytes=column_ifexists('responseBodySize_d', ''),\n HashSha256=column_ifexists('SHA-SHA256_s', ''),\n UrlCategory=column_ifexists('Categories_s', ''),\n AvDetections=column_ifexists('AVDetections_s', ''),\n Puas=column_ifexists('PUAs_s', ''),\n AmpDisposition=column_ifexists('AMP_Disposition_s', ''), \n ThreatName=column_ifexists('AMP_Malware_Name_s', ''),\n AmpScore=column_ifexists('AMP_Score_s', ''),\n IdentityType=column_ifexists('Identity_Type_s', ''),\n ThreatCategory=column_ifexists('Blocked_Categories_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n Identities,\n SrcIpAddr,\n SrcNatIpAddr,\n DstIpAddr,\n HttpContentType,\n DvcAction,\n UrlOriginal,\n HttpReferrerOriginal,\n HttpUserAgentOriginal,\n HttpStatusCode,\n SrcBytes,\n DstBytes,\n HttpResponseBodyBytes,\n HashSha256,\n UrlCategory,\n AvDetections,\n 
Puas,\n AmpDisposition,\n ThreatName,\n AmpScore,\n IdentityType,\n ThreatCategory\n};\nlet Cisco_Umbrella_ip_view = view () { \n Cisco_Umbrella_ip_CL\n | extend \n EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n Identities=column_ifexists('Identity_s', ''),\n SrcIpAddr=column_ifexists('Source_IP_s', ''),\n SrcPortNumber=column_ifexists('Source_Port_s', ''),\n DstIpAddr=column_ifexists('Destination_IP_s', ''),\n DstPortNumber=column_ifexists('Destination_Port_s', ''),\n UrlCategory=column_ifexists('Categories_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n Identities,\n SrcIpAddr,\n SrcPortNumber,\n DstIpAddr,\n DstPortNumber,\n UrlCategory\n};\nlet Cisco_Umbrella_cloudfirewall_view = view () { \n Cisco_Umbrella_cloudfirewall_CL\n | extend \n EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n NetworkSessionId=column_ifexists('originId_s', ''),\n NetworkRuleName=column_ifexists('Identity_s', ''),\n IdentityType=column_ifexists('Identity_Type_s', ''),\n NetworkDirection=column_ifexists('Direction_s', ''),\n NetworkProtocol=column_ifexists('ipProtocol_s', ''),\n NetworkPackets=column_ifexists('packetSize_s', ''),\n SrcIpAddr=column_ifexists('SourceIP', ''),\n SrcPortNumber=column_ifexists('sourcePort_s', ''),\n DstIpAddr=column_ifexists('destinationIp_s', ''),\n DstPortNumber=column_ifexists('destinationPort_s', ''),\n DvcHostname=column_ifexists('dataCenter_s', ''),\n NetworkRuleNumber=column_ifexists('ruleId_s', ''),\n DvcAction=column_ifexists('verdict_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n NetworkSessionId,\n NetworkRuleName,\n IdentityType,\n NetworkDirection,\n NetworkProtocol,\n NetworkPackets,\n SrcIpAddr,\n SrcPortNumber,\n DstIpAddr,\n DstPortNumber,\n DvcHostname,\n NetworkRuleNumber,\n DvcAction\n};\nunion isfuzzy=true Cisco_Umbrella_dns_view, Cisco_Umbrella_proxy_view, Cisco_Umbrella_ip_view, 
Cisco_Umbrella_cloudfirewall_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoUmbrella Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "CiscoUmbrella", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "CiscoUmbrella Data Parser", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CiscoUmbrella Data Parser", + "category": "Microsoft Sentinel Parser", + "functionAlias": "Cisco_Umbrella", + "query": "let Cisco_Umbrella_dns_view = view () { \n Cisco_Umbrella_dns_CL\n | extend \n EventEndTime=column_ifexists('Timestamp_t', ''),\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n DnsQueryName=column_ifexists('Domain_s', ''),\n UrlCategory=column_ifexists('Categories_s', ''),\n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n Identities=column_ifexists('Identities_s', ''),\n DnsQueryTypeName=column_ifexists('QueryType_s', ''),\n DnsResponseCodeName=column_ifexists('ResponseCode_s', ''),\n IdentityTypes=column_ifexists('Identity_Types_s', ''),\n EventType=column_ifexists('EventType_s', ''),\n PolicyIdentity=column_ifexists('Policy_Identity_s', ''),\n PolicyIdentityType=column_ifexists('Policy_Identity_Type_s', '')\n | project \n TimeGenerated,\n EventEndTime,\n SrcIpAddr,\n SrcNatIpAddr,\n DvcAction,\n DnsQueryName,\n UrlCategory,\n ThreatCategory,\n Identities,\n DnsQueryTypeName,\n DnsResponseCodeName,\n IdentityTypes,\n EventType,\n PolicyIdentity,\n PolicyIdentityType\n};\nlet Cisco_Umbrella_proxy_view = view () { \n Cisco_Umbrella_proxy_CL\n | extend \n EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n Identities=column_ifexists('Identities_s', ''),\n SrcIpAddr=column_ifexists('Internal_IP_s', ''),\n SrcNatIpAddr=column_ifexists('External_IP_s', ''),\n DstIpAddr=column_ifexists('Destination_IP_s', ''),\n HttpContentType=column_ifexists('Content_Type_s', ''),\n DvcAction=column_ifexists('Verdict_s', ''),\n UrlOriginal=column_ifexists('URL_s', 
''),\n HttpReferrerOriginal=column_ifexists('Referer_s', ''),\n HttpUserAgentOriginal=column_ifexists('userAgent_s', ''),\n HttpStatusCode=column_ifexists('statusCode_s', ''),\n SrcBytes=column_ifexists('requestSize_d', ''),\n DstBytes=column_ifexists('responseSize_d', ''),\n HttpResponseBodyBytes=column_ifexists('responseBodySize_d', ''),\n HashSha256=column_ifexists('SHA-SHA256_s', ''),\n UrlCategory=column_ifexists('Categories_s', ''),\n AvDetections=column_ifexists('AVDetections_s', ''),\n Puas=column_ifexists('PUAs_s', ''),\n AmpDisposition=column_ifexists('AMP_Disposition_s', ''), \n ThreatName=column_ifexists('AMP_Malware_Name_s', ''),\n AmpScore=column_ifexists('AMP_Score_s', ''),\n IdentityType=column_ifexists('Identity_Type_s', ''),\n ThreatCategory=column_ifexists('Blocked_Categories_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n Identities,\n SrcIpAddr,\n SrcNatIpAddr,\n DstIpAddr,\n HttpContentType,\n DvcAction,\n UrlOriginal,\n HttpReferrerOriginal,\n HttpUserAgentOriginal,\n HttpStatusCode,\n SrcBytes,\n DstBytes,\n HttpResponseBodyBytes,\n HashSha256,\n UrlCategory,\n AvDetections,\n Puas,\n AmpDisposition,\n ThreatName,\n AmpScore,\n IdentityType,\n ThreatCategory\n};\nlet Cisco_Umbrella_ip_view = view () { \n Cisco_Umbrella_ip_CL\n | extend \n EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n Identities=column_ifexists('Identity_s', ''),\n SrcIpAddr=column_ifexists('Source_IP_s', ''),\n SrcPortNumber=column_ifexists('Source_Port_s', ''),\n DstIpAddr=column_ifexists('Destination_IP_s', ''),\n DstPortNumber=column_ifexists('Destination_Port_s', ''),\n UrlCategory=column_ifexists('Categories_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n Identities,\n SrcIpAddr,\n SrcPortNumber,\n DstIpAddr,\n DstPortNumber,\n UrlCategory\n};\nlet Cisco_Umbrella_cloudfirewall_view = view () { \n Cisco_Umbrella_cloudfirewall_CL\n | extend \n 
EventType=column_ifexists('EventType_s', ''),\n EventEndTime=column_ifexists('Timestamp_t', ''),\n NetworkSessionId=column_ifexists('originId_s', ''),\n NetworkRuleName=column_ifexists('Identity_s', ''),\n IdentityType=column_ifexists('Identity_Type_s', ''),\n NetworkDirection=column_ifexists('Direction_s', ''),\n NetworkProtocol=column_ifexists('ipProtocol_s', ''),\n NetworkPackets=column_ifexists('packetSize_s', ''),\n SrcIpAddr=column_ifexists('SourceIP', ''),\n SrcPortNumber=column_ifexists('sourcePort_s', ''),\n DstIpAddr=column_ifexists('destinationIp_s', ''),\n DstPortNumber=column_ifexists('destinationPort_s', ''),\n DvcHostname=column_ifexists('dataCenter_s', ''),\n NetworkRuleNumber=column_ifexists('ruleId_s', ''),\n DvcAction=column_ifexists('verdict_s', '')\n | project\n TimeGenerated,\n EventType,\n EventEndTime,\n NetworkSessionId,\n NetworkRuleName,\n IdentityType,\n NetworkDirection,\n NetworkProtocol,\n NetworkPackets,\n SrcIpAddr,\n SrcPortNumber,\n DstIpAddr,\n DstPortNumber,\n DvcHostname,\n NetworkRuleNumber,\n DvcAction\n};\nunion isfuzzy=true Cisco_Umbrella_dns_view, Cisco_Umbrella_proxy_view, Cisco_Umbrella_ip_view, Cisco_Umbrella_cloudfirewall_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CiscoUmbrella Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": 
"[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "CiscoUmbrella", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -7172,7 +7311,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "CiscoUmbrella", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 4, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Umbrella solution for Microsoft Sentinel enables you to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10, Custom Azure Logic Apps Connectors: 4, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -7307,6 +7446,11 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, { "kind": "LogicAppsCustomConnector", "contentId": "[variables('_CiscoUmbrellaEnforcementAPIConnector')]", diff --git a/Solutions/CiscoUmbrella/ReleaseNotes.md b/Solutions/CiscoUmbrella/ReleaseNotes.md index 9e6888ac4c1..0ef7a4b39e4 100644 --- a/Solutions/CiscoUmbrella/ReleaseNotes.md +++ b/Solutions/CiscoUmbrella/ReleaseNotes.md @@ -1,5 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-------------------------------------------------------------| -| 3.0.2 | 26-07-2024 | Update **Analytic rules** for Entity mapping and missing TTP| +| 3.0.2 | 20-09-2024 | Update **Analytic rules** for Entity mapping and missing TTP and Updated the python runtime version to 3.11 | | 3.0.1 | 03-05-2024 | Added Deploy to Azure Government button in **Data connector**
Fixed **Parser** issue for Parser name and ParentID mismatch|
 | 3.0.0 | 28-09-2023 | Updated **Data Connector** with step by step guidelines |
diff --git a/Solutions/Dynamics 365/Data Connectors/template_Dynamics365.json b/Solutions/Dynamics 365/Data Connectors/template_Dynamics365.json
index 146f492fd24..7a3cf374f1b 100644
--- a/Solutions/Dynamics 365/Data Connectors/template_Dynamics365.json
+++ b/Solutions/Dynamics 365/Data Connectors/template_Dynamics365.json
@@ -1,6 +1,6 @@
 {
 "id": "Dynamics365",
- "title": "Dynamics365",
+ "title": "Dynamics 365",
 "publisher": "Microsoft",
 "descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com//fwlink/p/?linkid=2226719&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
 "logo": "DynamicsLogo.svg",
diff --git a/Solutions/Dynamics 365/Package/3.0.0.zip b/Solutions/Dynamics 365/Package/3.0.0.zip
new file mode 100644
index 00000000000..c9fb4c9bf89
Binary files /dev/null and b/Solutions/Dynamics 365/Package/3.0.0.zip differ
diff --git a/Solutions/Dynamics 365/Package/createUiDefinition.json b/Solutions/Dynamics 365/Package/createUiDefinition.json
index b8de2bd564b..bf2f1e5d6d0 100644
--- a/Solutions/Dynamics 365/Package/createUiDefinition.json
+++ b/Solutions/Dynamics 365/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Dynamics%20365/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. 
You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Dynamics 365 CRM logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Dynamics 365. You can get Dynamics 365 custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/Dynamics 365/Package/mainTemplate.json b/Solutions/Dynamics 365/Package/mainTemplate.json index 1fd64f45293..80da3e069c4 100644 --- a/Solutions/Dynamics 365/Package/mainTemplate.json +++ b/Solutions/Dynamics 365/Package/mainTemplate.json 
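Review bot: The new `dataconnectors1-text` sentence `You can get Dynamics 365 custom log data in your Microsoft Sentinel workspace.` describes this as a custom-log connector, whereas the connector description in the same commit says the data comes from the Office 365 Management APIs through a native connector; the replaced wording (`for ingesting Dynamics 365 CRM logs into Microsoft Sentinel`) was the more accurate one. Suggest: `This Solution installs the data connector for ingesting Dynamics 365 CRM activity logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view.` If this text is emitted by the packaging tool rather than hand-edited, the fix belongs in the tool's template instead.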
@@ -30,49 +30,34 @@ } }, "variables": { - "solutionId": "sentinel4dynamics365.dynamics365connector", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "Dynamics 365", + "_solutionVersion": "3.0.0", + "solutionId": "sentinel4dynamics365.dynamics365connector", + "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Dynamics365", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Dynamics365", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + 
"apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Dynamics 365 data connector with template", - "displayName": "Dynamics 365 template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Dynamics 365 data connector with template version 2.0.1", + "description": "Dynamics 365 data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -88,7 +73,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Dynamics365", + "title": "Dynamics 365", "publisher": "Microsoft", "descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com//fwlink/p/?linkid=2226719&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", "graphQueries": [ @@ -117,7 +102,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -142,12 +127,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Dynamics 365", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -183,7 +179,7 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "title": "Dynamics365", + "title": "Dynamics 365", "publisher": "Microsoft", "descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com//fwlink/p/?linkid=2226719&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", "graphQueries": [ 
@@ -212,13 +208,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Dynamics 365", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Dynamics 365 continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Office 365 Management APIs
  2. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/Dynamics 365/Package/testParameters.json b/Solutions/Dynamics 365/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/Dynamics 365/Package/testParameters.json @@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/Dynamics 365/ReleaseNotes.md b/Solutions/Dynamics 365/ReleaseNotes.md index ef18085645e..a52e74980c6 100644 --- a/Solutions/Dynamics 365/ReleaseNotes.md +++ b/Solutions/Dynamics 365/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------| -| 3.0.1 (Dynamics 365 CE Apps Solution) | 02-09-2024 | Fixed duplicate analytics rule query | +| 3.0.1 (Dynamics 365 CE Apps Solution) | 02-09-2024 | Fixed duplicate analytics rule query | +| 3.0.0 | 24-09-2024 | Fixed **Data Connector** Title | 
diff --git a/Solutions/GitHub/Data Connectors/GithubWebhook/GithubWebhookConnector.zip b/Solutions/GitHub/Data Connectors/GithubWebhook/GithubWebhookConnector.zip
index fd867283845..5469a640135 100644
Binary files a/Solutions/GitHub/Data Connectors/GithubWebhook/GithubWebhookConnector.zip and b/Solutions/GitHub/Data Connectors/GithubWebhook/GithubWebhookConnector.zip differ
diff --git a/Solutions/GitHub/Data Connectors/GithubWebhook/azuredeploy_GithubWebhook_API_FunctionApp.json b/Solutions/GitHub/Data Connectors/GithubWebhook/azuredeploy_GithubWebhook_API_FunctionApp.json
index 5ddf98e4df9..1109568fca9 100644
--- a/Solutions/GitHub/Data Connectors/GithubWebhook/azuredeploy_GithubWebhook_API_FunctionApp.json
+++ b/Solutions/GitHub/Data Connectors/GithubWebhook/azuredeploy_GithubWebhook_API_FunctionApp.json
@@ -131,7 +131,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
index 7a57a9cc563..ae3352d6865 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml
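Review bot: Moving `linuxFxVersion` to `python|3.11` is the right direction (3.8 is out of upstream support), but Python 3.11 only runs on the Functions v4 host, so the `FUNCTIONS_EXTENSION_VERSION` app setting in this same template must be `~4`; that setting sits outside this hunk, so confirm it is not still pinned to an older runtime or the deployment will fail at startup. The rebuilt `GithubWebhookConnector.zip` in the same commit cannot be inspected here; it should be verified as built from the checked-in source with dependencies that are pinned and 3.11-compatible, since a binary artefact is otherwise unreviewable. The enclosing `siteConfig`/resource definition starts and ends outside the hunk.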
@@ -1,5 +1,5 @@ -id: bff058b2-500e-4ae5-bb49-a5b1423cbd5b -name: Accessed files shared by temporary external user +id: 4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac +name: Office 365 - Accessed files shared by temporary external user description: | 'This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.' severity: Low @@ -82,5 +82,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.1.1 +version: 2.1.2 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml index c5abd2a5184..ee67b9c0881 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml @@ -1,5 +1,5 @@ -id: bff093b2-500e-4ae5-bb49-a5b1423cbd5b -name: External User Added and Removed in Short Timeframe +id: 1a8f1297-23a4-4f09-a20b-90af8fc3641a +name: Office 365 - External User Added and Removed in Short Timeframe description: | This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour. severity: Low @@ -67,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIp -version: 2.1.2 +version: 2.1.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml index e4de8b515ba..b4e3a1357d2 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml 
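Review bot: Changing `id` from `bff058b2-500e-4ae5-bb49-a5b1423cbd5b` to `4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac` publishes a brand-new AlertRuleTemplate instead of updating the existing one, so workspaces that already installed this rule from this solution keep the old template (and any active rule created from it) with no upgrade path, while the `version: 2.1.2` bump only reaches the new id. The same id swap is applied to every analytic rule file in this commit; if the old ids were shared with the Office 365 solution's copies of these detections (they look that way, but that cannot be confirmed from here) the new ids fix a collision, and that intent should be stated in the solution's ReleaseNotes together with a hint to disable the previously installed copies so two rules do not raise separate incidents on the same OfficeActivity events. Suggested release-note line: `Analytic rules re-published under new ids with the "Office 365 - " prefix; disable earlier copies of these rules to avoid duplicate incidents.`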
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml @@ -1,5 +1,5 @@ -id: 500415fb-bba7-4227-a08a-9857fb61b6a7 -name: Mail redirect via ExO transport rule +id: edcfc2e0-3134-434c-8074-9101c530d419 +name: Office 365 - Mail redirect via ExO transport rule description: | 'Identifies when Exchange Online transport rule configured to forward emails. This could be an adversary mailbox configured to collect mail from multiple user accounts.' @@ -51,5 +51,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 2.0.4 +version: 2.0.5 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml index 61c3566f5da..7f9c6b7ec7f 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml @@ -1,5 +1,5 @@ -id: 7b907bf7-77d4-41d0-a208-5643ff75bf9a -name: Malicious Inbox Rule +id: a9c76c8d-f60d-49ec-9b1f-bdfee6db3807 +name: Office 365 - Malicious Inbox Rule description: | 'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this. @@ -52,5 +52,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIPAddress -version: 2.0.4 +version: 2.0.5 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml index b4cbec0fe75..aa8d9a37b48 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml 
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - MultipleTeamsDeletes.yaml @@ -1,5 +1,5 @@ -id: 173f8699-6af5-484a-8b06-8c47ba89b380 -name: Multiple Teams deleted by a single user +id: db60e4b6-a845-4f28-a18c-94ebbaad6c6c +name: Office 365 - Multiple Teams deleted by a single user description: | 'This detection flags the occurrences of deleting multiple teams within an hour. This data is a part of Office 365 Connector in Microsoft Sentinel.' @@ -35,5 +35,5 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.4 +version: 2.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml index 30f77b434f4..f68c7dc7d3b 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_MailForwarding.yaml @@ -1,5 +1,5 @@ -id: 871ba14c-88ef-48aa-ad38-810f26760ca3 -name: Multiple Users Email Forwarded to Same Destination +id: d75e8289-d1cb-44d4-bd59-2f44a9172478 +name: Office 365 - Multiple Users Email Forwarded to Same Destination description: | Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. This could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts. @@ -57,5 +57,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.3 +version: 2.0.4 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml index 0251d7c8d55..81fcfb8ad1d 100644 
--- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Office_Uploaded_Executables.yaml @@ -1,5 +1,5 @@ -id: d722831e-88f5-4e25-b106-4ef6e29f8c13 -name: New Executable via Office FileUploaded Operation +id: 178c62b4-d5e5-40f5-8eab-7fccd0051e7a +name: Office 365 - New Executable via Office FileUploaded Operation description: | Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. List currently includes exe, inf, gzip, cmd, bat file extensions. @@ -76,5 +76,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: FileNames -version: 2.0.5 +version: 2.0.6 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml index d3a1629fa52..5f7d2be46b2 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - RareOfficeOperations.yaml @@ -1,5 +1,5 @@ -id: 957cb240-f45d-4491-9ba5-93430a3c08be -name: Rare and Potentially High-Risk Office Operations +id: 433c254d-4b84-46f7-99ec-9dfefb5f6a7b +name: Office 365 - Rare and Potentially High-Risk Office Operations description: | Identifies Office operations that are typically rare and can provide capabilities useful to attackers. severity: Low @@ -41,5 +41,5 @@ entityMappings: fieldMappings: - identifier: AppId columnName: AppId -version: 2.0.5 +version: 2.0.6 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml index 69506a34f3b..563af53e1cf 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml 
+++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewIP.yaml @@ -1,5 +1,5 @@ -id: 4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7 -name: SharePoint File Operation via Previously Unseen IPs +id: 7460e34e-4c99-47b2-b7c0-c42e339fc586 +name: Office 365 - SharePoint File Operation via Previously Unseen IPs description: | Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25. severity: Medium @@ -68,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Site_Url -version: 2.0.4 +version: 2.0.5 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml index aaa2bee9ac7..29733099212 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - SharePoint_Downloads_byNewUserAgent.yaml @@ -1,5 +1,5 @@ -id: 5dd76a87-9f87-4576-bab3-268b0e2b338b -name: SharePointFileOperation via devices with previously unseen user agents +id: efd17c5f-5167-40f8-a1e9-0818940785d9 +name: Office 365 - SharePointFileOperation via devices with previously unseen user agents description: | Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%). severity: Medium @@ -81,5 +81,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: Site_Url -version: 2.2.4 +version: 2.2.5 kind: Scheduled 
diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml index 506248a86c6..0db9fcc31d4 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml @@ -1,5 +1,5 @@ -id: 194dd92e-d6e7-4249-85a5-273350a7f5ce -name: Exchange AuditLog Disabled +id: dc451755-8ab3-4059-b805-e454c45d1d44 +name: Office 365 - Exchange AuditLog Disabled description: | 'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.' severity: Medium @@ -45,5 +45,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.6 +version: 2.0.7 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml index 9b6a41d2e7b..5dec3404600 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - office_policytampering.yaml @@ -1,5 +1,5 @@ -id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 -name: Office Policy Tampering +id: 0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb +name: Office 365 - Office Policy Tampering description: | Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. An adversary may use this technique to evade detection or avoid other policy-based defenses. @@ -55,5 +55,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.3 +version: 2.0.4 kind: Scheduled 
diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml index 97ac45b3517..418804b6049 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_above_threshold.yaml @@ -1,5 +1,5 @@ -id: 299e96a8-5524-41b2-ac72-4527742590f1 -name: Office365 Sharepoint File Transfer Above Threshold +id: 30375d00-68cc-4f95-b89a-68064d566358 +name: Office 365 - Sharepoint File Transfer Above Threshold description: | Identifies Office365 Sharepoint File Transfers above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur. @@ -55,5 +55,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml index 73bf59cbc7b..3ed1db4effb 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - sharepoint_file_transfer_folders_above_threshold.yaml 
@@ -1,5 +1,5 @@ -id: bfe81463-814b-4fa5-9885-c95a579f1957 -name: Office365 Sharepoint File Transfer Above Threshold +id: abd6976d-8f71-4851-98c4-4d086201319c +name: Office 365 - Sharepoint File Transfer Above Threshold description: | Identifies Office365 Sharepoint File Transfers with a distinct folder count above a certain threshold in a 15-minute time period. Please note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur. @@ -57,5 +57,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Global Secure Access/Package/3.0.0.zip b/Solutions/Global Secure Access/Package/3.0.0.zip index e2e881b448b..eb1e2882427 100644 Binary files a/Solutions/Global Secure Access/Package/3.0.0.zip and b/Solutions/Global Secure Access/Package/3.0.0.zip differ diff --git a/Solutions/Global Secure Access/Package/createUiDefinition.json b/Solutions/Global Secure Access/Package/createUiDefinition.json index 7edea43d12a..dec8e52b06d 100644 --- a/Solutions/Global Secure Access/Package/createUiDefinition.json +++ b/Solutions/Global Secure Access/Package/createUiDefinition.json @@ -164,7 +164,7 @@ { "name": "analytic3", "type": "Microsoft.Common.Section", - "label": "Exchange AuditLog Disabled", + "label": "Office 365 - Exchange AuditLog Disabled", "elements": [ { "name": "analytic3-text", @@ -178,7 +178,7 @@ { "name": "analytic4", "type": "Microsoft.Common.Section", - "label": "Accessed files shared by temporary external user", + "label": "Office 365 - Accessed files shared by temporary external user", "elements": [ { "name": "analytic4-text", 
@@ -192,7 +192,7 @@
 {
 "name": "analytic5",
 "type": "Microsoft.Common.Section",
- "label": "External User Added and Removed in Short Timeframe",
+ "label": "Office 365 - External User Added and Removed in Short Timeframe",
 "elements": [
 {
 "name": "analytic5-text",
@@ -206,7 +206,7 @@
 {
 "name": "analytic6",
 "type": "Microsoft.Common.Section",
- "label": "Mail redirect via ExO transport rule",
+ "label": "Office 365 - Mail redirect via ExO transport rule",
 "elements": [
 {
 "name": "analytic6-text",
@@ -220,7 +220,7 @@
 {
 "name": "analytic7",
 "type": "Microsoft.Common.Section",
- "label": "Malicious Inbox Rule",
+ "label": "Office 365 - Malicious Inbox Rule",
 "elements": [
 {
 "name": "analytic7-text",
@@ -234,7 +234,7 @@
 {
 "name": "analytic8",
 "type": "Microsoft.Common.Section",
- "label": "Multiple Teams deleted by a single user",
+ "label": "Office 365 - Multiple Teams deleted by a single user",
 "elements": [
 {
 "name": "analytic8-text",
@@ -248,7 +248,7 @@
 {
 "name": "analytic9",
 "type": "Microsoft.Common.Section",
- "label": "Multiple Users Email Forwarded to Same Destination",
+ "label": "Office 365 - Multiple Users Email Forwarded to Same Destination",
 "elements": [
 {
 "name": "analytic9-text",
@@ -262,7 +262,7 @@
 {
 "name": "analytic10",
 "type": "Microsoft.Common.Section",
- "label": "Office Policy Tampering",
+ "label": "Office 365 - Office Policy Tampering",
 "elements": [
 {
 "name": "analytic10-text",
@@ -276,7 +276,7 @@
 {
 "name": "analytic11",
 "type": "Microsoft.Common.Section",
- "label": "New Executable via Office FileUploaded Operation",
+ "label": "Office 365 - New Executable via Office FileUploaded Operation",
 "elements": [
 {
 "name": "analytic11-text",
@@ -290,7 +290,7 @@
 {
 "name": "analytic12",
 "type": "Microsoft.Common.Section",
- "label": "Rare and Potentially High-Risk Office Operations",
+ "label": "Office 365 - Rare and Potentially High-Risk Office Operations",
 "elements": [
 {
 "name": "analytic12-text",
@@ -304,7 +304,7 @@ { "name": "analytic13", "type": "Microsoft.Common.Section", - "label": "SharePoint File Operation via Previously Unseen IPs", + "label": "Office 365 - SharePoint File Operation via Previously Unseen IPs", "elements": [ { "name": "analytic13-text", @@ -318,7 +318,7 @@ { "name": "analytic14", "type": "Microsoft.Common.Section", - "label": "SharePointFileOperation via devices with previously unseen user agents", + "label": "Office 365 - SharePointFileOperation via devices with previously unseen user agents", "elements": [ { "name": "analytic14-text", @@ -332,7 +332,7 @@ { "name": "analytic15", "type": "Microsoft.Common.Section", - "label": "Office365 Sharepoint File Transfer Above Threshold", + "label": "Office 365 - Sharepoint File Transfer Above Threshold", "elements": [ { "name": "analytic15-text", @@ -346,7 +346,7 @@ { "name": "analytic16", "type": "Microsoft.Common.Section", - "label": "Office365 Sharepoint File Transfer Above Threshold", + "label": "Office 365 - Sharepoint File Transfer Above Threshold", "elements": [ { "name": "analytic16-text", diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json index 8e7bffefd90..239fc11ce62 100644 --- a/Solutions/Global Secure Access/Package/mainTemplate.json +++ b/Solutions/Global Secure Access/Package/mainTemplate.json 
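Review bot: After the `@@ -332` and `@@ -346` hunks the sections `analytic15` and `analytic16` carry the identical label `"Office 365 - Sharepoint File Transfer Above Threshold"`, so the create-UI shows two indistinguishable entries and a user cannot tell which rule each one describes. The duplicate predates the rename, but since both labels are rewritten here it is the natural point to make them distinct; the `analytic15-text`/`analytic16-text` descriptions that would supply the distinguishing wording are outside the hunk, so I cannot propose the exact text. The same pair presumably appears as `analyticRuleObject15` and `analyticRuleObject16` in mainTemplate.json, whose `displayName` values should then be disambiguated in the same way.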
@@ -80,102 +80,102 @@ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.0')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "2.0.6", - "_analyticRulecontentId3": "194dd92e-d6e7-4249-85a5-273350a7f5ce", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '194dd92e-d6e7-4249-85a5-273350a7f5ce')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('194dd92e-d6e7-4249-85a5-273350a7f5ce')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','194dd92e-d6e7-4249-85a5-273350a7f5ce','-', '2.0.6')))]" + "analyticRuleVersion3": "2.0.7", + "_analyticRulecontentId3": "dc451755-8ab3-4059-b805-e454c45d1d44", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dc451755-8ab3-4059-b805-e454c45d1d44')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dc451755-8ab3-4059-b805-e454c45d1d44')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.7')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "2.1.1", - "_analyticRulecontentId4": "bff058b2-500e-4ae5-bb49-a5b1423cbd5b", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bff058b2-500e-4ae5-bb49-a5b1423cbd5b')]", - "analyticRuleTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bff058b2-500e-4ae5-bb49-a5b1423cbd5b')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bff058b2-500e-4ae5-bb49-a5b1423cbd5b','-', '2.1.1')))]" + "analyticRuleVersion4": "2.1.2", + "_analyticRulecontentId4": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.2')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "2.1.2", - "_analyticRulecontentId5": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bff093b2-500e-4ae5-bb49-a5b1423cbd5b')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bff093b2-500e-4ae5-bb49-a5b1423cbd5b')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bff093b2-500e-4ae5-bb49-a5b1423cbd5b','-', '2.1.2')))]" + "analyticRuleVersion5": "2.1.3", + "_analyticRulecontentId5": "1a8f1297-23a4-4f09-a20b-90af8fc3641a", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a8f1297-23a4-4f09-a20b-90af8fc3641a')]", + "analyticRuleTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a8f1297-23a4-4f09-a20b-90af8fc3641a')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "2.0.4", - "_analyticRulecontentId6": "500415fb-bba7-4227-a08a-9857fb61b6a7", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '500415fb-bba7-4227-a08a-9857fb61b6a7')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('500415fb-bba7-4227-a08a-9857fb61b6a7')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','500415fb-bba7-4227-a08a-9857fb61b6a7','-', '2.0.4')))]" + "analyticRuleVersion6": "2.0.5", + "_analyticRulecontentId6": "edcfc2e0-3134-434c-8074-9101c530d419", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.0.5')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "2.0.4", - "_analyticRulecontentId7": "7b907bf7-77d4-41d0-a208-5643ff75bf9a", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7b907bf7-77d4-41d0-a208-5643ff75bf9a')]", - "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7b907bf7-77d4-41d0-a208-5643ff75bf9a')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7b907bf7-77d4-41d0-a208-5643ff75bf9a','-', '2.0.4')))]" + "analyticRuleVersion7": "2.0.5", + "_analyticRulecontentId7": "a9c76c8d-f60d-49ec-9b1f-bdfee6db3807", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a9c76c8d-f60d-49ec-9b1f-bdfee6db3807')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a9c76c8d-f60d-49ec-9b1f-bdfee6db3807','-', '2.0.5')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "2.0.4", - "_analyticRulecontentId8": "173f8699-6af5-484a-8b06-8c47ba89b380", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '173f8699-6af5-484a-8b06-8c47ba89b380')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('173f8699-6af5-484a-8b06-8c47ba89b380')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','173f8699-6af5-484a-8b06-8c47ba89b380','-', '2.0.4')))]" + "analyticRuleVersion8": "2.0.5", + "_analyticRulecontentId8": "db60e4b6-a845-4f28-a18c-94ebbaad6c6c", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'db60e4b6-a845-4f28-a18c-94ebbaad6c6c')]", + "analyticRuleTemplateSpecName8": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('db60e4b6-a845-4f28-a18c-94ebbaad6c6c')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','db60e4b6-a845-4f28-a18c-94ebbaad6c6c','-', '2.0.5')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "2.0.3", - "_analyticRulecontentId9": "871ba14c-88ef-48aa-ad38-810f26760ca3", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '871ba14c-88ef-48aa-ad38-810f26760ca3')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('871ba14c-88ef-48aa-ad38-810f26760ca3')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','871ba14c-88ef-48aa-ad38-810f26760ca3','-', '2.0.3')))]" + "analyticRuleVersion9": "2.0.4", + "_analyticRulecontentId9": "d75e8289-d1cb-44d4-bd59-2f44a9172478", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd75e8289-d1cb-44d4-bd59-2f44a9172478')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d75e8289-d1cb-44d4-bd59-2f44a9172478')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d75e8289-d1cb-44d4-bd59-2f44a9172478','-', '2.0.4')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "2.0.3", - "_analyticRulecontentId10": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fbd72eb8-087e-466b-bd54-1ca6ea08c6d3')]", - "analyticRuleTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fbd72eb8-087e-466b-bd54-1ca6ea08c6d3')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fbd72eb8-087e-466b-bd54-1ca6ea08c6d3','-', '2.0.3')))]" + "analyticRuleVersion10": "2.0.4", + "_analyticRulecontentId10": "0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0f1f2b17-f9d6-4d2a-a0fb-a7ae1659e3eb','-', '2.0.4')))]" }, "analyticRuleObject11": { - "analyticRuleVersion11": "2.0.5", - "_analyticRulecontentId11": "d722831e-88f5-4e25-b106-4ef6e29f8c13", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd722831e-88f5-4e25-b106-4ef6e29f8c13')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d722831e-88f5-4e25-b106-4ef6e29f8c13')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d722831e-88f5-4e25-b106-4ef6e29f8c13','-', '2.0.5')))]" + "analyticRuleVersion11": "2.0.6", + "_analyticRulecontentId11": "178c62b4-d5e5-40f5-8eab-7fccd0051e7a", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '178c62b4-d5e5-40f5-8eab-7fccd0051e7a')]", + "analyticRuleTemplateSpecName11": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('178c62b4-d5e5-40f5-8eab-7fccd0051e7a')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','178c62b4-d5e5-40f5-8eab-7fccd0051e7a','-', '2.0.6')))]" }, "analyticRuleObject12": { - "analyticRuleVersion12": "2.0.5", - "_analyticRulecontentId12": "957cb240-f45d-4491-9ba5-93430a3c08be", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '957cb240-f45d-4491-9ba5-93430a3c08be')]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('957cb240-f45d-4491-9ba5-93430a3c08be')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','957cb240-f45d-4491-9ba5-93430a3c08be','-', '2.0.5')))]" + "analyticRuleVersion12": "2.0.6", + "_analyticRulecontentId12": "433c254d-4b84-46f7-99ec-9dfefb5f6a7b", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '433c254d-4b84-46f7-99ec-9dfefb5f6a7b')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('433c254d-4b84-46f7-99ec-9dfefb5f6a7b')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','433c254d-4b84-46f7-99ec-9dfefb5f6a7b','-', '2.0.6')))]" }, "analyticRuleObject13": { - "analyticRuleVersion13": "2.0.4", - "_analyticRulecontentId13": "4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7')]", - 
"analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7','-', '2.0.4')))]" + "analyticRuleVersion13": "2.0.5", + "_analyticRulecontentId13": "7460e34e-4c99-47b2-b7c0-c42e339fc586", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7460e34e-4c99-47b2-b7c0-c42e339fc586')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7460e34e-4c99-47b2-b7c0-c42e339fc586')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7460e34e-4c99-47b2-b7c0-c42e339fc586','-', '2.0.5')))]" }, "analyticRuleObject14": { - "analyticRuleVersion14": "2.2.4", - "_analyticRulecontentId14": "5dd76a87-9f87-4576-bab3-268b0e2b338b", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5dd76a87-9f87-4576-bab3-268b0e2b338b')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5dd76a87-9f87-4576-bab3-268b0e2b338b')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5dd76a87-9f87-4576-bab3-268b0e2b338b','-', '2.2.4')))]" + "analyticRuleVersion14": "2.2.5", + "_analyticRulecontentId14": "efd17c5f-5167-40f8-a1e9-0818940785d9", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'efd17c5f-5167-40f8-a1e9-0818940785d9')]", + 
"analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('efd17c5f-5167-40f8-a1e9-0818940785d9')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.5')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.4", - "_analyticRulecontentId15": "299e96a8-5524-41b2-ac72-4527742590f1", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '299e96a8-5524-41b2-ac72-4527742590f1')]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('299e96a8-5524-41b2-ac72-4527742590f1')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','299e96a8-5524-41b2-ac72-4527742590f1','-', '1.0.4')))]" + "analyticRuleVersion15": "1.0.5", + "_analyticRulecontentId15": "30375d00-68cc-4f95-b89a-68064d566358", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.5')))]" }, "analyticRuleObject16": { - "analyticRuleVersion16": "1.0.4", - "_analyticRulecontentId16": "bfe81463-814b-4fa5-9885-c95a579f1957", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'bfe81463-814b-4fa5-9885-c95a579f1957')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bfe81463-814b-4fa5-9885-c95a579f1957')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bfe81463-814b-4fa5-9885-c95a579f1957','-', '1.0.4')))]" + "analyticRuleVersion16": "1.0.5", + "_analyticRulecontentId16": "abd6976d-8f71-4851-98c4-4d086201319c", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'abd6976d-8f71-4851-98c4-4d086201319c')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('abd6976d-8f71-4851-98c4-4d086201319c')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '1.0.5')))]" }, "analyticRuleObject17": { "analyticRuleVersion17": "1.0.0", @@ -511,10 +511,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -526,22 +526,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } @@ -625,10 +625,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ 
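Review bot: Every `_analyticRulecontentIdN` in the `@@ -80,102 +80,102 @@` hunk (objects 3 through 16) is swapped for a fresh GUID, and since `analyticRuleIdN`, `analyticRuleTemplateSpecNameN` and `_analyticRulecontentProductIdN` all derive from it, each of these becomes a new `AlertRuleTemplates` resource rather than an update of the existing one; at the same time `Package/3.0.0.zip` is rewritten in place and nothing visible in this chunk moves the solution package version, so a tenant already on 3.0.0 would see different content under an unchanged version. If the new ids are intended, the package version (and the zip name) should move with them and the old templates need a removal path; if they are not, restore the old ids and bump only `analyticRuleVersionN`. The `connectorId`/`entityType` key reordering in `@@ -511`, `@@ -526`, `@@ -625` and the matching hunks below is a no-op for the ARM template and looks like serializer churn; regenerating the package with the same tool version as the previous build would keep the diff to the meaningful changes.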
@@ -640,22 +640,22 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] } ] } @@ -726,7 +726,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.", - "displayName": "Exchange AuditLog Disabled", + "displayName": "Office 365 - Exchange AuditLog Disabled", "enabled": false, "query": "EnrichedMicrosoft365AuditLogs\n| where Workload =~ \"Exchange\"\n| where UserType in~ (\"Admin\", \"DcAdmin\")\n| where Operation =~ \"Set-AdminAuditLogConfig\"\n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(tostring(AdditionalProperties.Parameters)), 3, 3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = SourceIp, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters), AdminAuditLogEnabledValue\n| extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId)\n| extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')\n| extend AccountName = iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[1]), AccountName)\n| extend AccountNTDomain = iff(UserId contains '\\\\', tostring(split(UserId, '\\\\')[0]), '')\n", "queryFrequency": "P1D", @@ -739,10 +739,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ 
@@ -753,6 +753,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -766,26 +767,25 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountNTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } - ], - "entityType": "IP" + ] } ] } @@ -826,7 +826,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", - "displayName": "Exchange AuditLog Disabled", + "displayName": "Office 365 - Exchange AuditLog Disabled", "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" 
@@ -856,7 +856,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.", - "displayName": "Accessed files shared by temporary external user", + "displayName": "Office 365 - Accessed files shared by temporary external user", "enabled": false, "query": "let fileAccessThreshold = 10;\nEnrichedMicrosoft365AuditLogs\n| where Workload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)\n| where MemberAdded contains \"#EXT#\"\n| project TimeAdded = TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)\n| join kind=inner (\n EnrichedMicrosoft365AuditLogs\n | where Workload =~ \"MicrosoftTeams\"\n | where Operation =~ \"MemberRemoved\"\n | extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)\n | where MemberAdded contains \"#EXT#\"\n | project TimeDeleted = TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)\n) on MemberAdded, TeamName\n| where TimeDeleted > TimeAdded\n| join kind=inner (\n EnrichedMicrosoft365AuditLogs\n | where RecordType == \"SharePointFileOperation\"\n | where Operation == \"FileUploaded\"\n | extend MemberAdded = UserId, SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n | join kind=inner (\n EnrichedMicrosoft365AuditLogs\n | where RecordType == \"SharePointFileOperation\"\n | where Operation == 
\"FileAccessed\"\n | extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)\n | where SourceRelativeUrl has \"Microsoft Teams Chat Files\"\n | summarize FileAccessCount = count() by ObjectId, TeamName\n | where FileAccessCount > fileAccessThreshold\n ) on ObjectId, TeamName\n) on MemberAdded, TeamName\n| project-away MemberAdded1, MemberAdded2, ObjectId1, Operation1, Operation2\n| extend MemberAddedAccountName = tostring(split(MemberAdded, \"@\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, \"@\")[1])\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \"@\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \"@\")[1])\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \"@\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \"@\")[1])\n", "queryFrequency": "PT1H", @@ -869,10 +869,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -883,6 +883,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -896,10 +897,10 @@ "identifier": "UPNSuffix", "columnName": "MemberAddedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -913,10 +914,10 @@ "identifier": "UPNSuffix", "columnName": "UserWhoAddedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -930,17 +931,16 @@ "identifier": "UPNSuffix", "columnName": "UserWhoDeletedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } - ], - "entityType": "IP" + ] } ] } @@ -981,7 +981,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "contentKind": "AnalyticsRule", - "displayName": "Accessed files shared by temporary external user", + "displayName": "Office 365 - Accessed files shared by temporary external user", "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" 
@@ -1011,7 +1011,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.", - "displayName": "External User Added and Removed in Short Timeframe", + "displayName": "Office 365 - External User Added and Removed in Short Timeframe", "enabled": false, "query": "let TeamsAddDel = (Op:string){\nEnrichedMicrosoft365AuditLogs\n | where Workload =~ \"MicrosoftTeams\"\n | where Operation == Op\n | where tostring(AdditionalProperties.Members) has (\"#EXT#\")\n | mv-expand Members = parse_json(tostring(AdditionalProperties.Members))\n | extend UPN = tostring(Members.UPN)\n | where UPN has (\"#EXT#\")\n | project TimeGenerated, Operation, UPN, UserId, TeamName = tostring(AdditionalProperties.TeamName), ClientIP = SourceIp\n};\nlet TeamsAdd = TeamsAddDel(\"MemberAdded\")\n| project TimeAdded = TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;\nlet TeamsDel = TeamsAddDel(\"MemberRemoved\")\n| project TimeDeleted = TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;\nTeamsAdd\n| join kind = inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName\n| extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, \"@\")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded_Removed, \"@\")[1])\n| extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, \"@\")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, \"@\")[1])\n| extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, \"@\")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, \"@\")[1])\n", "queryFrequency": "PT1H", 
@@ -1024,10 +1024,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1038,6 +1038,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1051,10 +1052,10 @@ "identifier": "UPNSuffix", "columnName": "MemberAddedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1068,10 +1069,10 @@ "identifier": "UPNSuffix", "columnName": "UserWhoAddedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1085,17 +1086,16 @@ "identifier": "UPNSuffix", "columnName": "UserWhoDeletedAccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ], - "entityType": "IP" + ] } ] } @@ -1136,7 +1136,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "contentKind": "AnalyticsRule", - "displayName": "External User Added and Removed in Short Timeframe", + "displayName": "Office 365 - External User Added and Removed in Short Timeframe", "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" 
@@ -1166,7 +1166,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.", - "displayName": "Mail redirect via ExO transport rule", + "displayName": "Office 365 - Mail redirect via ExO transport rule", "enabled": false, "query": "EnrichedMicrosoft365AuditLogs\n| where Workload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| mv-apply DynamicParameters = todynamic(tostring(AdditionalProperties.Parameters)) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", ObjectId, // Assuming ObjectId maps to what was previously OfficeObjectId\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n| mv-expand ExpandedParameters = todynamic(tostring(AdditionalProperties.Parameters))\n| where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n| extend RedirectTo = ExpandedParameters.Value\n| extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n| extend From = ParsedParameters.From\n| project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProperties.Parameters)\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "PT1H", 
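Review bot: The `extract_all` call in this hunk's query reads `(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?`, i.e. both `(?P` named-group openers carry no group name, yet the call then asks for the groups by name via `dynamic(["IPAddress", "Port"])`. If that is the actual template content rather than `(?P<IPAddress>…)` / `(?P<Port>\d+)` lost in rendering, the regex is invalid and the rule fails at run time, leaving the IP entity empty. Please confirm the stored template still has the group names; the identical pattern appears in the forwarded-mail and rare-operations rules further down this file.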
@@ -1179,10 +1179,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1195,6 +1195,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1208,17 +1209,16 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1259,7 +1259,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "contentKind": "AnalyticsRule", - "displayName": "Mail redirect via ExO transport rule", + "displayName": "Office 365 - Mail redirect via ExO transport rule", "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" 
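Review bot: `requiredDataConnectors` in this hunk keeps `"connectorId": "AzureActiveDirectory"` for a rule whose only data type is `EnrichedMicrosoft365AuditLogs`; the change only reorders the keys. As far as I can tell that table is fed by the Microsoft 365 / Office 365 audit ingestion rather than the Entra ID connector, so the gallery's prerequisite check would steer deployers to the wrong connector and could show the rule as unsatisfied even when the table is populated. Worth confirming the intended connectorId against this solution's data-connector definition and applying it to every `requiredDataConnectors` block in the file, since the same pairing recurs in each rule.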
@@ -1289,7 +1289,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.\n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/", - "displayName": "Malicious Inbox Rule", + "displayName": "Office 365 - Malicious Inbox Rule", "enabled": false, "query": "let Keywords = dynamic([\"helpdesk\", \"alert\", \"suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\nEnrichedMicrosoft365AuditLogs\n| where Workload =~ \"Exchange\"\n| where Operation =~ \"New-InboxRule\" and (ResultStatus =~ \"True\" or ResultStatus =~ \"Succeeded\")\n| where tostring(parse_json(tostring(AdditionalProperties)).Parameters) has \"Deleted Items\" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has \"Junk Email\" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has \"DeleteMessage\"\n| extend Events = parse_json(tostring(AdditionalProperties)).Parameters\n| extend SubjectContainsWords = tostring(Events.SubjectContainsWords), BodyContainsWords = tostring(Events.BodyContainsWords), SubjectOrBodyContainsWords = tostring(Events.SubjectOrBodyContainsWords)\n| where SubjectContainsWords has_any (Keywords) or BodyContainsWords has_any (Keywords) or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case(ClientIp has \".\", tostring(split(ClientIp, \":\")[0]), ClientIp has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIp, \"]\")[0]))), ClientIp)\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords)))\n| extend 
RuleDetail = case(ObjectId contains '/', tostring(split(ObjectId, '/')[-1]), tostring(split(ObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, ObjectId, RuleDetail\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -1302,10 +1302,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1318,6 +1318,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1331,26 +1332,25 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "OriginatingServer" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIPAddress" } - ], - "entityType": "IP" + ] } ] } @@ -1391,7 +1391,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "contentKind": "AnalyticsRule", - "displayName": "Malicious Inbox Rule", + "displayName": "Office 365 - Malicious Inbox Rule", "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" 
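Review bot: The Host entity mapping in the `-1331,26` hunk maps `FullName` to `OriginatingServer`, but the rule's query ends with `summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, ObjectId, RuleDetail`, which emits no such column and nothing earlier derives it from `AdditionalProperties`. The Host entity will therefore be empty on every alert. Either extend a column before the summarize (if EnrichedMicrosoft365AuditLogs carries an originating server in AdditionalProperties — not shown here) and add it to the `by` clause, or drop the Host mapping so the rule does not advertise an entity it cannot populate.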
@@ -1421,7 +1421,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.", - "displayName": "Multiple Teams deleted by a single user", + "displayName": "Office 365 - Multiple Teams deleted by a single user", "enabled": false, "query": "let max_delete_count = 3;\nEnrichedMicrosoft365AuditLogs\n| where Workload =~ \"MicrosoftTeams\"\n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId\n| where array_length(DeletedTeams) > max_delete_count\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -1434,10 +1434,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1449,6 +1449,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1462,8 +1463,7 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] } ] } @@ -1504,7 +1504,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "contentKind": "AnalyticsRule", - "displayName": "Multiple Teams deleted by a single user", + "displayName": "Office 365 - Multiple Teams deleted by a single user", "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" 
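Review bot: The description in this hunk says the rule flags "deleting multiple teams within an hour", but the query summarizes `by UserId` with no time bucket and the rule runs with `queryFrequency` P1D, so it counts deletions across the whole lookback (queryPeriod is outside this hunk). To match the description, bucket the aggregation, e.g. `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(tostring(AdditionalProperties.TeamName), 1000) by UserId, bin(TimeGenerated, 1h)`, or change the description to say per day. Note also that `> max_delete_count` with `max_delete_count = 3` fires on four or more deletions; stating that in the description would save analysts a trip to the query.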
@@ -1534,7 +1534,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when multiple (more than one) users' mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.", - "displayName": "Multiple Users Email Forwarded to Same Destination", + "displayName": "Office 365 - Multiple Users Email Forwarded to Same Destination", "enabled": false, "query": "let queryfrequency = 1d;\n let queryperiod = 7d;\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated > ago(queryperiod)\n | where Workload =~ \"Exchange\"\n //| where Operation in (\"Set-Mailbox\", \"New-InboxRule\", \"Set-InboxRule\") // Uncomment or adjust based on actual field usage\n | where tostring(AdditionalProperties.Parameters) has_any (\"ForwardTo\", \"RedirectTo\", \"ForwardingSmtpAddress\")\n | mv-apply DynamicParameters = todynamic(tostring(AdditionalProperties.Parameters)) on (\n summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source')\n | extend DestinationMailAddress = tolower(case(\n isnotempty(column_ifexists(\"ForwardTo\", \"\")), column_ifexists(\"ForwardTo\", \"\"),\n isnotempty(column_ifexists(\"RedirectTo\", \"\")), column_ifexists(\"RedirectTo\", \"\"),\n isnotempty(column_ifexists(\"ForwardingSmtpAddress\", \"\")), trim_start(@\"smtp:\", column_ifexists(\"ForwardingSmtpAddress\", \"\")),\n \"\"))\n | where isnotempty(DestinationMailAddress)\n | mv-expand split(DestinationMailAddress, \";\")\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n | extend ClientIP = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1])\n | summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP\n | where DistinctUserCount > 1 and EndTime > ago(queryfrequency)\n | mv-expand UserId to typeof(string)\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -1547,10 +1547,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1563,6 +1563,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1576,17 +1577,16 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } - ], - "entityType": "IP" + ] } ] } @@ -1627,7 +1627,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "contentKind": "AnalyticsRule", - "displayName": "Multiple Users Email Forwarded to Same Destination", + "displayName": "Office 365 - Multiple Users Email Forwarded to Same Destination", "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" 
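Review bot: The final `summarize ... by tostring(DestinationMailAddress), ClientIP` in this hunk groups by source IP, so mailboxes forwarded to the same destination from two different client IPs are counted separately and `DistinctUserCount > 1` never trips — which is exactly the collection-mailbox scenario the description says it targets. Drop `ClientIP` from the `by` clause and collect it instead, e.g. `ClientIPs = make_set(ClientIP, 250)`, then map the IP entity to that or to a single-value column. The commented-out `Operation` filter also means any Exchange operation whose parameters merely mention `ForwardTo`/`RedirectTo`/`ForwardingSmtpAddress` qualifies; if that breadth is intentional, say so in the description rather than in a dangling comment.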
@@ -1657,7 +1657,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies if any tampering is done to either audit log, ATP Safelink, SafeAttachment, AntiPhish, or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy-based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.", - "displayName": "Office Policy Tampering", + "displayName": "Office 365 - Office Policy Tampering", "enabled": false, "query": "let opList = EnrichedMicrosoft365AuditLogs \n | summarize by Operation\n | where Operation has_any (\"Remove\", \"Disable\")\n | where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\n | summarize make_set(Operation, 500);\nEnrichedMicrosoft365AuditLogs\n | where RecordType == \"ExchangeAdmin\"\n | where UserType in~ (\"Admin\", \"DcAdmin\")\n | where Operation in~ (opList)\n | extend ClientIPOnly = case( \n ClientIp has \".\", tostring(split(ClientIp, \":\")[0]), \n ClientIp has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIp, \"]\")[0]))),\n ClientIp\n ) \n | extend Port = case(\n ClientIp has \".\", tostring(split(ClientIp, \":\")[1]),\n ClientIp has \"[\", tostring(split(ClientIp, \"]:\")[1]),\n \"\"\n )\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters = tostring(AdditionalProperties.Parameters)\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", 
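Review bot: `opList` in this hunk is built only from operations that `has_any ("Remove", "Disable")`, so policy changes made with `Set-*` cmdlets — for example turning off unified audit log ingestion via `Set-AdminAuditLogConfig`, or setting an anti-phish/DLP policy to disabled with a parameter — are not covered, although the description promises to catch any tampering with those policies. Consider adding `"Set"` to the prefix list and filtering on the `Parameters` bag for an `Enabled` false value, or narrow the description to removal and disable operations. The `UserType in~ ("Admin", "DcAdmin")` filter presumably also excludes app-only principals performing the same change; if that is deliberate it deserves a comment in the query.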
@@ -1670,10 +1670,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1686,6 +1686,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1699,17 +1700,16 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } - ], - "entityType": "IP" + ] } ] } @@ -1750,7 +1750,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "contentKind": "AnalyticsRule", - "displayName": "Office Policy Tampering", + "displayName": "Office 365 - Office Policy Tampering", "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" 
@@ -1780,7 +1780,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes exe, inf, gzip, cmd, bat file extensions.\nAdditionally, identifies when a given user is uploading these files to another user's workspace.\nThis may be an indication of a staging location for malware or other malicious activity.", - "displayName": "New Executable via Office FileUploaded Operation", + "displayName": "Office 365 - New Executable via Office FileUploaded Operation", "enabled": false, "query": "let threshold = 2;\nlet uploadOp = 'FileUploaded';\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\nlet starttime = 8d;\nlet endtime = 1d;\nEnrichedMicrosoft365AuditLogs\n| where TimeGenerated >= ago(endtime)\n| where Operation == uploadOp\n| extend SourceFileExtension = extract(@\"\\.([^\\./]+)$\", 1, tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)) // Extract file extension\n| where SourceFileExtension in (execExt)\n| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)\n| extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl)\n| extend SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)\n| project TimeGenerated, Id, Workload, RecordType, Operation, UserType, UserKey, UserId, ClientIp, UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent), Site_Url, SourceRelativeUrl, SourceFileName\n| join kind=leftanti (\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n | where Operation == uploadOp\n | extend SourceFileExtension = extract(@\"\\.([^\\./]+)$\", 1, tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)) // Extract file extension\n | where SourceFileExtension in (execExt)\n | extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl)\n | summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000), PrevSeenCount = count() by SourceFileName = tostring(parse_json(tostring(AdditionalProperties)).SourceFileName)\n // Uncomment the line below to enforce the threshold\n // | where PrevSeenCount > threshold\n | mvexpand SourceRelativeUrl, UserId\n | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId\n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\n| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\\\.', '_'))\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true, false)\n| summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserAgents = make_list(UserAgent, 100000), Ids = make_list(Id, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000)\nby Workload, RecordType, Operation, UserType, UserKey, UserId, ClientIp, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -1793,10 +1793,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ 
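Review bot: Both legs of the query in this hunk filter with `where SourceFileExtension in (execExt)`, and `in` is case-sensitive in KQL, so `payload.EXE` or `script.Bat` is never matched; use `in~` or lower-case the extracted extension, e.g. `| extend SourceFileExtension = tolower(extract(@"\.([^\./]+)$", 1, ...))`. The `execExt` list also contains `gzip`, which is not an extension (`gz` is), while common payload carriers such as `ps1`, `vbs`, `js`, `hta`, `msi`, `scr`, `dll`, `lnk` and `iso` are absent — if the list is intentionally narrow the description should say so. `let threshold = 2;` is declared but only referenced in a commented-out line.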
@@ -1809,6 +1809,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1822,35 +1823,34 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "Site_Url" } - ], - "entityType": "URL" + ] }, { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileNames" } - ], - "entityType": "File" + ] } ] } @@ -1891,7 +1891,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", "contentKind": "AnalyticsRule", - "displayName": "New Executable via Office FileUploaded Operation", + "displayName": "Office 365 - New Executable via Office FileUploaded Operation", "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" 
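Review bot: The File entity mapping in the `-1822,35` hunk maps `Name` to `FileNames`, but `FileNames` is produced by `make_list(SourceFileName, 100000)` in the query's final summarize and is therefore a dynamic array; the file-transfer rules later in this same template state that entity mapping for arrays is not supported and work around it with a single-value-or-hash column. Apply the same pattern here, e.g. `| extend FileSample = iff(array_length(FileNames) == 1, tostring(FileNames[0]), strcat("SeeFileNamesField_", tostring(hash(tostring(FileNames)))))` and map `Name` to `FileSample`. The URL mapping on `Site_Url` is fine since that column is a group-by key.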
@@ -1921,7 +1921,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.", - "displayName": "Rare and Potentially High-Risk Office Operations", + "displayName": "Office 365 - Rare and Potentially High-Risk Office Operations", "enabled": false, "query": "EnrichedMicrosoft365AuditLogs\n| where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\", \"New-InboxRule\", \"Set-InboxRule\", \"Set-TransportRule\")\nand not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend ClientIPOnly = tostring(extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?', dynamic([\"IPAddress\"]), ClientIp)[0])\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -1934,10 +1934,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -1950,6 +1950,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1963,26 +1964,25 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIPOnly" } - ], - "entityType": "IP" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "AppId", "columnName": "AppId" } - ], - "entityType": "CloudApplication" + ] } ] } 
@@ -2023,7 +2023,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", "contentKind": "AnalyticsRule", - "displayName": "Rare and Potentially High-Risk Office Operations", + "displayName": "Office 365 - Rare and Potentially High-Risk Office Operations", "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" 
@@ -2053,7 +2053,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.", - "displayName": "SharePoint File Operation via Previously Unseen IPs", + "displayName": "Office 365 - SharePoint File Operation via Previously Unseen IPs", "enabled": false, "query": "let threshold = 0.25;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\n// Define a baseline of normal user behavior\nlet userBaseline = EnrichedMicrosoft365AuditLogs\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType == szSharePointFileOperation\n| where Operation in (szOperations)\n| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)\n| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)\n| where isnotempty(UserAgent)\n| summarize Count = count() by UserId, Operation, Site_Url, ClientIp\n| summarize AvgCount = avg(Count) by UserId, Operation, Site_Url, ClientIp;\n// Get recent user activity\nlet recentUserActivity = EnrichedMicrosoft365AuditLogs\n| where TimeGenerated > ago(endtime)\n| where RecordType == szSharePointFileOperation\n| where Operation in (szOperations)\n| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)\n| extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)\n| where isnotempty(UserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), RecentCount = count() by UserId, UserType, Operation, Site_Url, ClientIp, ObjectId, Workload, UserAgent;\n// Join the baseline and recent activity, and 
calculate the deviation\nlet UserBehaviorAnalysis = userBaseline \n| join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIp\n| extend Deviation = abs(RecentCount - AvgCount) / AvgCount;\n// Filter for significant deviations\nUserBehaviorAnalysis\n| where Deviation > threshold\n| project StartTimeUtc, EndTimeUtc, UserId, UserType, Operation, ClientIp, Site_Url, ObjectId, Workload, UserAgent, Deviation, Count=RecentCount\n| order by Count desc, ClientIp asc, Operation asc, UserId asc\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "P1D", @@ -2066,10 +2066,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2080,6 +2080,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2093,26 +2094,25 @@ "identifier": "UPNSuffix", "columnName": "AccountUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "Site_Url" } - ], - "entityType": "URL" + ] } ] } @@ -2153,7 +2153,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", "contentKind": "AnalyticsRule", - "displayName": "SharePoint File Operation via Previously Unseen IPs", + "displayName": "Office 365 - SharePoint File Operation via Previously Unseen IPs", "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" 
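Review bot: The rule is named "via Previously Unseen IPs", but the query in this hunk does `userBaseline | join kind=inner (recentUserActivity) on UserId, Operation, Site_Url, ClientIp` — an inner join keyed on `ClientIp` can only return IPs that already appear in the 14-day baseline, so a genuinely new IP is dropped rather than flagged. Either join without `ClientIp` so recent per-IP activity is compared against the user's overall baseline, or use `kind=rightanti` to surface IPs absent from the baseline, and then revisit what `Deviation` should mean. `abs(RecentCount - AvgCount) / AvgCount` also fires on drops as well as spikes; if only increases matter use `(RecentCount - AvgCount) / AvgCount`. The description says "a default threshold of 25" while the query sets `let threshold = 0.25;` — presumably 25%, which the description should state.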
@@ -2183,7 +2183,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25%).", - "displayName": "SharePointFileOperation via devices with previously unseen user agents", + "displayName": "Office 365 - SharePointFileOperation via devices with previously unseen user agents", "enabled": false, "query": "// Set threshold for the number of downloads/uploads from a new user agent\nlet threshold = 5;\n// Define constants for SharePoint file operations\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\n// Define the historical activity for analysis\nlet starttime = 14d; // Define the start time for historical data (14 days ago)\nlet endtime = 1d; // Define the end time for historical data (1 day ago)\n// Extract the base events for analysis\nlet Baseevents =\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n | where RecordType == szSharePointFileOperation\n | where Operation in (szOperations)\n | extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)\n | extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)\n | where isnotempty(UserAgent);\n// Identify frequently occurring user agents\nlet FrequentUA = Baseevents\n | summarize FUACount = count() by UserAgent, RecordType, Operation\n | where FUACount >= threshold\n | distinct UserAgent;\n// Calculate a user baseline for further analysis\nlet UserBaseLine = Baseevents\n | summarize Count = count() by UserId, Operation, Site_Url\n | summarize AvgCount = avg(Count) by UserId, Operation, Site_Url;\n// Extract recent activity for analysis\nlet RecentActivity = EnrichedMicrosoft365AuditLogs\n | where TimeGenerated > ago(endtime)\n | where RecordType == szSharePointFileOperation\n | where Operation in (szOperations)\n | extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)\n | extend Site_Url = tostring(parse_json(tostring(AdditionalProperties)).SiteUrl)\n | where isnotempty(UserAgent)\n | where UserAgent in (FrequentUA)\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ObjectIdCount = dcount(ObjectId), ObjectIdList = make_set(ObjectId), UserAgentSeenCount = count()\n by RecordType, Operation, UserAgent, UserId, ClientIp, Site_Url;\n// Analyze user behavior based on baseline and recent activity\nlet UserBehaviorAnalysis = UserBaseLine\n | join kind=inner (RecentActivity) on UserId, Operation, Site_Url\n | extend Deviation = abs(UserAgentSeenCount - AvgCount) / AvgCount;\n// Filter and format results for specific user behavior analysis\nUserBehaviorAnalysis\n | where Deviation > 0.25\n | extend UserIdName = tostring(split(UserId, '@')[0]), UserIdUPNSuffix = tostring(split(UserId, '@')[1])\n | project-reorder StartTime, EndTime, UserAgent, UserAgentSeenCount, UserId, ClientIp, Site_Url\n | order by 
UserAgentSeenCount desc, UserAgent asc, UserId asc, Site_Url asc\n", "queryFrequency": "P1D", @@ -2196,10 +2196,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2210,6 +2210,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2223,26 +2224,25 @@ "identifier": "UPNSuffix", "columnName": "UserIdUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "Site_Url" } - ], - "entityType": "URL" + ] } ] } @@ -2283,7 +2283,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", "contentKind": "AnalyticsRule", - "displayName": "SharePointFileOperation via devices with previously unseen user agents", + "displayName": "Office 365 - SharePointFileOperation via devices with previously unseen user agents", "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" 
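Review bot: `RecentActivity` in this hunk keeps only `| where UserAgent in (FrequentUA)`, i.e. user agents seen at least `threshold` times in the baseline, which is the opposite of the "previously unseen user agents" the displayName and description promise. If new agents are the intent, this should be `!in (FrequentUA)` (or a comparison against all baseline agents, not just frequent ones); if volume deviation on known agents is the intent, the name and description need to change. The deviation is also computed against a baseline keyed on `UserId, Operation, Site_Url` while recent counts are per `UserAgent`, so a user who spreads normal volume across three agents reads as a large drop per agent and fires. I cannot see the rule this was ported from, so treat this as a question to confirm rather than a settled fix.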
@@ -2313,7 +2313,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies Office365 Sharepoint File Transfers above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.", - "displayName": "Office365 Sharepoint File Transfer Above Threshold", + "displayName": "Office 365 - Sharepoint File Transfer Above Threshold", "enabled": false, "query": "let threshold = 5000;\nEnrichedMicrosoft365AuditLogs\n| where Workload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any(\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\n| summarize count_distinct_ObjectId=dcount(ObjectId), fileslist=make_set(ObjectId, 10000) by UserId, ClientIp, bin(TimeGenerated, 15m)\n| where count_distinct_ObjectId >= threshold\n| extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat(\"SeeFilesListField\",\"_\", tostring(hash(tostring(fileslist)))))\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n", "queryFrequency": "PT15M", @@ -2326,10 +2326,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ] + ], + "connectorId": "AzureActiveDirectory" } ], "tactics": [ @@ -2340,6 +2340,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -2353,26 +2354,25 @@
 "identifier": "UPNSuffix",
 "columnName": "AccountUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "ClientIp"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "File",
 "fieldMappings": [
 {
 "identifier": "Name",
 "columnName": "FileSample"
 }
- ],
- "entityType": "File"
+ ]
 }
 ],
 "customDetails": {
@@ -2382,13 +2382,13 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
+ "enabled": true,
+ "lookbackDuration": "5h",
 "groupByEntities": [
 "Account"
 ],
- "lookbackDuration": "5h",
- "reopenClosedIncident": false,
- "enabled": true,
- "matchingMethod": "Selected"
+ "matchingMethod": "Selected",
+ "reopenClosedIncident": false
 }
 }
 }
@@ -2429,7 +2429,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]",
 "contentKind": "AnalyticsRule",
- "displayName": "Office365 Sharepoint File Transfer Above Threshold",
+ "displayName": "Office 365 - Sharepoint File Transfer Above Threshold",
 "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
 "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]",
 "version": "[variables('analyticRuleObject15').analyticRuleVersion15]"
@@ -2459,7 +2459,7 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "description": "Identifies Office365 Sharepoint File Transfers with a distinct folder count above a certain threshold in a 15-minute time period.\nPlease note that entity mapping for arrays is not supported, so when there is a single value in an array, we will pull that value from the array as a single string to populate the entity to support entity mapping features within Sentinel. Additionally, if the array is multivalued, we will input a string to indicate this with a unique hash so that matching will not occur.",
- "displayName": "Office365 Sharepoint File Transfer Above Threshold",
+ "displayName": "Office 365 - Sharepoint File Transfer Above Threshold",
 "enabled": false,
 "query": "let threshold = 500;\nEnrichedMicrosoft365AuditLogs\n| where Workload has_any(\"SharePoint\", \"OneDrive\") and Operation has_any(\"FileDownloaded\", \"FileSyncDownloadedFull\", \"FileSyncUploadedFull\", \"FileUploaded\")\n| extend EventSource = tostring(parse_json(tostring(AdditionalProperties)).EventSource)\n| extend UserAgent = tostring(parse_json(tostring(AdditionalProperties)).UserAgent)\n| summarize count_distinct_ObjectId = dcount(ObjectId), dirlist = make_set(ObjectId, 10000) by UserId, ClientIp, UserAgent, bin(TimeGenerated, 15m)\n| where count_distinct_ObjectId >= threshold\n| extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat(\"SeeDirListField\",\"_\", tostring(hash(tostring(dirlist)))))\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n",
 "queryFrequency": "PT15M",
@@ -2472,10 +2472,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2486,6 +2486,7 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "identifier": "FullName",
@@ -2499,26 +2500,25 @@
 "identifier": "UPNSuffix",
 "columnName": "AccountUPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "ClientIp"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "File",
 "fieldMappings": [
 {
 "identifier": "Name",
 "columnName": "DirSample"
 }
- ],
- "entityType": "File"
+ ]
 }
 ],
 "customDetails": {
@@ -2528,13 +2528,13 @@
 "incidentConfiguration": {
 "createIncident": true,
 "groupingConfiguration": {
+ "enabled": true,
+ "lookbackDuration": "5h",
 "groupByEntities": [
 "Account"
 ],
- "lookbackDuration": "5h",
- "reopenClosedIncident": false,
- "enabled": true,
- "matchingMethod": "Selected"
+ "matchingMethod": "Selected",
+ "reopenClosedIncident": false
 }
 }
 }
@@ -2575,7 +2575,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]",
 "contentKind": "AnalyticsRule",
- "displayName": "Office365 Sharepoint File Transfer Above Threshold",
+ "displayName": "Office 365 - Sharepoint File Transfer Above Threshold",
 "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
 "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]",
 "version": "[variables('analyticRuleObject16').analyticRuleVersion16]"
@@ -2618,10 +2618,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "NetworkAccessTrafficLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2631,22 +2631,22 @@
 ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "SourceIp"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
 "identifier": "Url",
 "columnName": "DestinationIp"
 }
- ],
- "entityType": "URL"
+ ]
 }
 ]
 }
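Review bot: In the last hunk here (@@ -2631) the URL entity is fed from `"columnName": "DestinationIp"`; the column name suggests an IP address, and a URL entity will neither match nor enrich on one, so the mapping looks wrong on the new side even though the commit only moved `entityType` above `fieldMappings`. If the column really holds an IP, `"entityType": "IP"` with `"identifier": "Address"` is the fit, as the first mapping in the same hunk already does for `SourceIp`; if the NetworkAccessTrafficLogs table exposes a FQDN or URL column, that is what the URL entity should read instead. The enclosing analytic rule starts and ends outside this hunk, so the intended target cannot be confirmed from here.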
@@ -2730,10 +2730,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2743,22 +2743,22 @@
 ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
 "identifier": "Url",
 "columnName": "FqdnCustomEntity"
 }
- ],
- "entityType": "URL"
+ ]
 }
 ]
 }
@@ -2842,10 +2842,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ]
+ ],
+ "connectorId": "AzureActiveDirectory"
 }
 ],
 "tactics": [
@@ -2856,22 +2856,22 @@
 ],
 "entityMappings": [
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "SourceIp"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
 "identifier": "Url",
 "columnName": "Fqdn"
 }
- ],
- "entityType": "URL"
+ ]
 }
 ]
 }
diff --git a/Solutions/GoogleWorkspaceReports/Package/3.0.0.zip b/Solutions/GoogleWorkspaceReports/Package/3.0.0.zip
index 08e26829b13..ca10448b2c3 100644
Binary files a/Solutions/GoogleWorkspaceReports/Package/3.0.0.zip and b/Solutions/GoogleWorkspaceReports/Package/3.0.0.zip differ
diff --git a/Solutions/GoogleWorkspaceReports/Package/createUiDefinition.json b/Solutions/GoogleWorkspaceReports/Package/createUiDefinition.json
index 20bf36941b3..4ae6c74f3fa 100644
--- a/Solutions/GoogleWorkspaceReports/Package/createUiDefinition.json
+++ b/Solutions/GoogleWorkspaceReports/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GoogleWorkspaceReports/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Google Workspace](https://workspace.google.com/) solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel. \n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GoogleWorkspaceReports/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Google Workspace](https://workspace.google.com/) solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel. 
\n \n **Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n \n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \n \n b. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 12\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,14 +60,14 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Google Workspace data connector allows you to easily to ingest Google Workspace Activity events into Microsoft Sentinel through the REST API. The connector provides ability to get events which help to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems, track who signs in and when, analyze administrator activity, understand how users create and share content, and review events in your organization. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for GoogleWorkspaceReports. You can get GoogleWorkspaceReports custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs a parser that transforms ingested data. The transformed logs can be accessed using the GWorkspace Kusto Function alias."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
 },
 {
diff --git a/Solutions/GoogleWorkspaceReports/Package/mainTemplate.json b/Solutions/GoogleWorkspaceReports/Package/mainTemplate.json
index d1deb3fa9fe..69f0c4427ba 100644
--- a/Solutions/GoogleWorkspaceReports/Package/mainTemplate.json
+++ b/Solutions/GoogleWorkspaceReports/Package/mainTemplate.json
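Review bot: The replacement connector text on the first `+` line drops everything specific about the connector (REST API ingestion, sign-in, admin, sharing and configuration events, and which risks the data helps examine) for a generic sentence that names only `GoogleWorkspaceReports custom log data`; the removed wording was more useful to someone deciding whether to install, so keep it and only correct what was out of date. The second `+` line describes the parser as producing "Microsoft Sentinel normalized format", but the parser added in mainTemplate.json projects a column set that is only partly ASIM-style (`SrcIpAddr`, `EventVendor`) alongside source-specific names such as `ActorEmail` and `DocId`, so the claim overstates it; the removed line's approach of telling the reader which function alias to query was more actionable, and the new alias is `GWorkspaceActivityReports`, e.g. `The transformed logs can be accessed using the GWorkspaceActivityReports Kusto Function alias.` These strings are generated from the solution's data file, so the wording should be fixed there rather than in this package output.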
@@ -51,6 +51,13 @@
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "parserObject1": {
+ "_parserName1": "[concat(parameters('workspace'),'/','GWorkspaceActivityReports')]",
+ "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'GWorkspaceActivityReports')]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('GWorkspaceActivityReports-Parser')))]",
+ "parserVersion1": "1.0.0",
+ "parserContentId1": "GWorkspaceActivityReports-Parser"
+ },
 "analyticRuleObject1": {
 "analyticRuleVersion1": "1.0.1",
 "_analyticRulecontentId1": "03f25156-6172-11ec-90d6-0242ac120003",
@@ -301,6 +308,138 @@ "version": "[variables('workbookVersion1')]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GWorkspaceActivityReports Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for GWorkspaceActivityReports", + "category": "Microsoft Sentinel Parser", + "functionAlias": "GWorkspaceActivityReports", + "query": "let GWorkspace_ReportsAPI_view = view () { \nunion isfuzzy=true GWorkspace_ReportsAPI_access_transparency_CL, GWorkspace_ReportsAPI_admin_CL,\n GWorkspace_ReportsAPI_calendar_CL, GWorkspace_ReportsAPI_chat_CL,\n GWorkspace_ReportsAPI_drive_CL, GWorkspace_ReportsAPI_gcp_CL,\n GWorkspace_ReportsAPI_gplus_CL, GWorkspace_ReportsAPI_groups_CL,\n GWorkspace_ReportsAPI_groups_enterprise_CL, GWorkspace_ReportsAPI_jamboard_CL,\n GWorkspace_ReportsAPI_login_CL, GWorkspace_ReportsAPI_meet_CL,\n GWorkspace_ReportsAPI_mobile_CL, GWorkspace_ReportsAPI_rules_CL,\n GWorkspace_ReportsAPI_saml_CL, GWorkspace_ReportsAPI_token_CL,\n GWorkspace_ReportsAPI_user_accounts_CL, GWorkspace_ReportsAPI_context_aware_access_CL,\n 
GWorkspace_ReportsAPI_chrome_CL, GWorkspace_ReportsAPI_data_studio_CL,\n GWorkspace_ReportsAPI_keep_CL\n| extend \n AccountState=column_ifexists('ACCOUNT_STATE_s', ''),\n ActorCallerType=column_ifexists('actor_callerType_s', ''),\n ActorEmail=column_ifexists('actor_email_s', ''),\n ActorIsCollaboratorAccount=column_ifexists('actor_is_collaborator_account_b', ''),\n ActorKey=column_ifexists('actor_key_s', ''),\n ActorProfileId=column_ifexists('actor_profileId_s', ''),\n ApiKind=column_ifexists('api_kind_s', ''),\n AppName=column_ifexists('app_name_s', ''),\n ApplicationEdition=column_ifexists('APPLICATION_EDITION_s', ''),\n ApplicationName=column_ifexists('APPLICATION_NAME_s', ''),\n Billable=column_ifexists('billable_b', ''),\n CalendarId=column_ifexists('calendar_id_s', ''),\n ClientId=column_ifexists('client_id_s', ''),\n ClientType=column_ifexists('client_type_s', ''),\n DestinationFolderId=column_ifexists('destination_folder_id_s', ''),\n DestinationFolderTitle=column_ifexists('destination_folder_title_s', ''),\n DocId=column_ifexists('doc_id_s', ''),\n DocTitle=column_ifexists('doc_title_s', ''),\n DocType=column_ifexists('doc_type_s', ''),\n DstUserUpn=column_ifexists('USER_EMAIL_s', ''),\n DestUserUpn=column_ifexists('recipient_email_s', ''),\n DvcGuid=column_ifexists('DEVICE_ID_g', ''),\n DvcInterfaceGuid=column_ifexists('DEVICE_ID_s', ''),\n DvcModelName=column_ifexists('DEVICE_MODEL_s', ''),\n DvcModelNumber=column_ifexists('OS_VERSION_s', ''),\n DvcType=column_ifexists('DEVICE_TYPE_s', ''),\n Etag=column_ifexists('etag_s', ''),\n EventCategoryType=column_ifexists('kind_s', ''),\n EventEndTime=column_ifexists('end_time_s', ''),\n EventGuest=column_ifexists('event_guest_s', ''),\n EventId=column_ifexists('id_uniqueQualifier_s', ''),\n EventMessage=column_ifexists('event_name_s', ''),\n EventOriginalMessage=column_ifexists('events_s', ''),\n EventProduct=\"Google Workspace Activity Reports\",\n EventResponseStatus=column_ifexists('event_response_status_s', 
''),\n EventStartTime=column_ifexists('start_time_s', ''),\n EventTitle=column_ifexists('event_title_s', ''),\n EventType=column_ifexists('event_type_s', ''),\n EventUid=column_ifexists('event_id_s', ''),\n EventVendor=\"Google\",\n GroupDomain=column_ifexists('ORG_UNIT_NAME_s', ''),\n IdApplicationName=column_ifexists('id_applicationName_s', ''),\n IosVendorId=column_ifexists('IOS_VENDOR_ID_s', ''),\n IosVendorUID=column_ifexists('IOS_VENDOR_ID_g', ''),\n IsSecondFactor=column_ifexists('is_second_factor_b', ''),\n IsSuspicious=column_ifexists('is_suspicious_b', ''),\n Kind=column_ifexists('kind_s', ''),\n LastSyncAuditDate=column_ifexists('LAST_SYNC_AUDIT_DATE_s', ''),\n LoginChallengeMethod=column_ifexists('login_challenge_method_s', ''),\n LoginChallengeStatus=column_ifexists('login_challenge_status_s', ''),\n LoginType=column_ifexists('login_type_s', ''),\n ModuleName=column_ifexists('PRODUCT_NAME_s', ''),\n NeqValue=column_ifexists('NEW_VALUE_s', ''),\n Newvalue=column_ifexists('new_value_s', ''),\n NotificationMessageId=column_ifexists('notification_message_id_s', ''),\n NotificationMethod=column_ifexists('notification_method_s', ''),\n NotificationType=column_ifexists('notification_type_s', ''),\n OldEventTitle=column_ifexists('old_event_title_s', ''),\n OldValue=column_ifexists('OLD_VALUE_s', ''),\n Oldvalue=column_ifexists('old_value_s', ''),\n OldVisibility=column_ifexists('old_visibility_s', ''),\n OrganizerCalendarId=column_ifexists('organizer_calendar_id_s', ''),\n OriginatingAppId=column_ifexists('originating_app_id_s', ''),\n OsProperty=column_ifexists('OS_PROPERTY_s', ''),\n Owner=column_ifexists('owner_s', ''),\n OwnerDomain=column_ifexists('ownerDomain_s', ''),\n OwnerIsSharedDrive=column_ifexists('owner_is_shared_drive_b', ''),\n OwnerIsTeamDrive=column_ifexists('owner_is_team_drive_b', ''),\n PrimaryEvent=column_ifexists('primary_event_b', ''),\n ProcessName=column_ifexists('SETTING_NAME_s', ''),\n 
RegisterPrivelege=column_ifexists('REGISTER_PRIVILEGE_s', ''),\n ResourceId=column_ifexists('RESOURCE_ID_s', ''),\n RoleName=column_ifexists('ROLE_NAME_s', ''),\n Scope=column_ifexists('scope_s', ''),\n ScopeData=column_ifexists('scope_data_s', ''),\n SerialNumber=column_ifexists('SERIAL_NUMBER_s', ''),\n SharedDriveId=column_ifexists('shared_drive_id_s', ''),\n SourceFolderId=column_ifexists('source_folder_id_s', ''),\n SourceFolderTitle=column_ifexists('source_folder_title_s', ''),\n SrcIpAddr=column_ifexists('IPAddress', ''),\n TargetCalendarId=column_ifexists('target_calendar_id_s', ''),\n TargetUserDomain=column_ifexists('target_domain_s', ''),\n TargetUserName=column_ifexists('target_user_s', ''),\n TeamDriveId=column_ifexists('team_drive_id_s', ''),\n UserAadid=column_ifexists('id_customerId_s', ''),\n UserAgentOriginal=column_ifexists('user_agent_s', ''),\n UserEmail=column_ifexists('USER_EMAIL_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n VisibilityChange=column_ifexists('visibility_change_s', '')\n| project \n TimeGenerated,\n AccountState,\n ActorCallerType,\n ActorEmail,\n ActorIsCollaboratorAccount,\n ActorKey,\n ActorProfileId,\n ApiKind,\n AppName,\n ApplicationEdition,\n ApplicationName,\n Billable,\n CalendarId,\n ClientId,\n ClientType,\n DestinationFolderId,\n DestinationFolderTitle,\n DocId,\n DocTitle,\n DocType,\n DstUserUpn,\n DestUserUpn,\n DvcGuid,\n DvcInterfaceGuid,\n DvcModelName,\n DvcModelNumber,\n DvcType,\n Etag,\n EventCategoryType,\n EventEndTime,\n EventGuest,\n EventId,\n EventMessage,\n EventOriginalMessage,\n EventProduct,\n EventResponseStatus,\n EventStartTime,\n EventTitle,\n EventType,\n EventUid,\n EventVendor,\n GroupDomain,\n IdApplicationName,\n IosVendorId,\n IosVendorUID,\n IsSecondFactor,\n IsSuspicious,\n Kind,\n LastSyncAuditDate,\n LoginChallengeMethod,\n LoginChallengeStatus,\n LoginType,\n ModuleName,\n NeqValue,\n Newvalue,\n NotificationMessageId,\n NotificationMethod,\n NotificationType,\n 
OldEventTitle,\n OldValue,\n Oldvalue,\n OldVisibility,\n OrganizerCalendarId,\n OriginatingAppId,\n OsProperty,\n Owner,\n OwnerDomain,\n OwnerIsSharedDrive,\n OwnerIsTeamDrive,\n PrimaryEvent,\n ProcessName,\n RegisterPrivelege,\n ResourceId,\n RoleName,\n Scope,\n ScopeData,\n SerialNumber,\n SharedDriveId,\n SourceFolderId,\n SourceFolderTitle,\n SrcIpAddr,\n TargetCalendarId,\n TargetUserDomain,\n TargetUserName,\n TeamDriveId,\n UserAadid,\n UserAgentOriginal,\n UserEmail,\n Visibility,\n VisibilityChange\n};\nGWorkspace_ReportsAPI_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'GWorkspaceActivityReports')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "GoogleWorkspaceReports", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": 
"Parser for GWorkspaceActivityReports", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for GWorkspaceActivityReports", + "category": "Microsoft Sentinel Parser", + "functionAlias": "GWorkspaceActivityReports", + "query": "let GWorkspace_ReportsAPI_view = view () { \nunion isfuzzy=true GWorkspace_ReportsAPI_access_transparency_CL, GWorkspace_ReportsAPI_admin_CL,\n GWorkspace_ReportsAPI_calendar_CL, GWorkspace_ReportsAPI_chat_CL,\n GWorkspace_ReportsAPI_drive_CL, GWorkspace_ReportsAPI_gcp_CL,\n GWorkspace_ReportsAPI_gplus_CL, GWorkspace_ReportsAPI_groups_CL,\n GWorkspace_ReportsAPI_groups_enterprise_CL, GWorkspace_ReportsAPI_jamboard_CL,\n GWorkspace_ReportsAPI_login_CL, GWorkspace_ReportsAPI_meet_CL,\n GWorkspace_ReportsAPI_mobile_CL, GWorkspace_ReportsAPI_rules_CL,\n GWorkspace_ReportsAPI_saml_CL, GWorkspace_ReportsAPI_token_CL,\n GWorkspace_ReportsAPI_user_accounts_CL, GWorkspace_ReportsAPI_context_aware_access_CL,\n GWorkspace_ReportsAPI_chrome_CL, GWorkspace_ReportsAPI_data_studio_CL,\n GWorkspace_ReportsAPI_keep_CL\n| extend \n AccountState=column_ifexists('ACCOUNT_STATE_s', ''),\n ActorCallerType=column_ifexists('actor_callerType_s', ''),\n ActorEmail=column_ifexists('actor_email_s', ''),\n ActorIsCollaboratorAccount=column_ifexists('actor_is_collaborator_account_b', ''),\n 
ActorKey=column_ifexists('actor_key_s', ''),\n ActorProfileId=column_ifexists('actor_profileId_s', ''),\n ApiKind=column_ifexists('api_kind_s', ''),\n AppName=column_ifexists('app_name_s', ''),\n ApplicationEdition=column_ifexists('APPLICATION_EDITION_s', ''),\n ApplicationName=column_ifexists('APPLICATION_NAME_s', ''),\n Billable=column_ifexists('billable_b', ''),\n CalendarId=column_ifexists('calendar_id_s', ''),\n ClientId=column_ifexists('client_id_s', ''),\n ClientType=column_ifexists('client_type_s', ''),\n DestinationFolderId=column_ifexists('destination_folder_id_s', ''),\n DestinationFolderTitle=column_ifexists('destination_folder_title_s', ''),\n DocId=column_ifexists('doc_id_s', ''),\n DocTitle=column_ifexists('doc_title_s', ''),\n DocType=column_ifexists('doc_type_s', ''),\n DstUserUpn=column_ifexists('USER_EMAIL_s', ''),\n DestUserUpn=column_ifexists('recipient_email_s', ''),\n DvcGuid=column_ifexists('DEVICE_ID_g', ''),\n DvcInterfaceGuid=column_ifexists('DEVICE_ID_s', ''),\n DvcModelName=column_ifexists('DEVICE_MODEL_s', ''),\n DvcModelNumber=column_ifexists('OS_VERSION_s', ''),\n DvcType=column_ifexists('DEVICE_TYPE_s', ''),\n Etag=column_ifexists('etag_s', ''),\n EventCategoryType=column_ifexists('kind_s', ''),\n EventEndTime=column_ifexists('end_time_s', ''),\n EventGuest=column_ifexists('event_guest_s', ''),\n EventId=column_ifexists('id_uniqueQualifier_s', ''),\n EventMessage=column_ifexists('event_name_s', ''),\n EventOriginalMessage=column_ifexists('events_s', ''),\n EventProduct=\"Google Workspace Activity Reports\",\n EventResponseStatus=column_ifexists('event_response_status_s', ''),\n EventStartTime=column_ifexists('start_time_s', ''),\n EventTitle=column_ifexists('event_title_s', ''),\n EventType=column_ifexists('event_type_s', ''),\n EventUid=column_ifexists('event_id_s', ''),\n EventVendor=\"Google\",\n GroupDomain=column_ifexists('ORG_UNIT_NAME_s', ''),\n IdApplicationName=column_ifexists('id_applicationName_s', ''),\n 
IosVendorId=column_ifexists('IOS_VENDOR_ID_s', ''),\n IosVendorUID=column_ifexists('IOS_VENDOR_ID_g', ''),\n IsSecondFactor=column_ifexists('is_second_factor_b', ''),\n IsSuspicious=column_ifexists('is_suspicious_b', ''),\n Kind=column_ifexists('kind_s', ''),\n LastSyncAuditDate=column_ifexists('LAST_SYNC_AUDIT_DATE_s', ''),\n LoginChallengeMethod=column_ifexists('login_challenge_method_s', ''),\n LoginChallengeStatus=column_ifexists('login_challenge_status_s', ''),\n LoginType=column_ifexists('login_type_s', ''),\n ModuleName=column_ifexists('PRODUCT_NAME_s', ''),\n NeqValue=column_ifexists('NEW_VALUE_s', ''),\n Newvalue=column_ifexists('new_value_s', ''),\n NotificationMessageId=column_ifexists('notification_message_id_s', ''),\n NotificationMethod=column_ifexists('notification_method_s', ''),\n NotificationType=column_ifexists('notification_type_s', ''),\n OldEventTitle=column_ifexists('old_event_title_s', ''),\n OldValue=column_ifexists('OLD_VALUE_s', ''),\n Oldvalue=column_ifexists('old_value_s', ''),\n OldVisibility=column_ifexists('old_visibility_s', ''),\n OrganizerCalendarId=column_ifexists('organizer_calendar_id_s', ''),\n OriginatingAppId=column_ifexists('originating_app_id_s', ''),\n OsProperty=column_ifexists('OS_PROPERTY_s', ''),\n Owner=column_ifexists('owner_s', ''),\n OwnerDomain=column_ifexists('ownerDomain_s', ''),\n OwnerIsSharedDrive=column_ifexists('owner_is_shared_drive_b', ''),\n OwnerIsTeamDrive=column_ifexists('owner_is_team_drive_b', ''),\n PrimaryEvent=column_ifexists('primary_event_b', ''),\n ProcessName=column_ifexists('SETTING_NAME_s', ''),\n RegisterPrivelege=column_ifexists('REGISTER_PRIVILEGE_s', ''),\n ResourceId=column_ifexists('RESOURCE_ID_s', ''),\n RoleName=column_ifexists('ROLE_NAME_s', ''),\n Scope=column_ifexists('scope_s', ''),\n ScopeData=column_ifexists('scope_data_s', ''),\n SerialNumber=column_ifexists('SERIAL_NUMBER_s', ''),\n SharedDriveId=column_ifexists('shared_drive_id_s', ''),\n 
SourceFolderId=column_ifexists('source_folder_id_s', ''),\n SourceFolderTitle=column_ifexists('source_folder_title_s', ''),\n SrcIpAddr=column_ifexists('IPAddress', ''),\n TargetCalendarId=column_ifexists('target_calendar_id_s', ''),\n TargetUserDomain=column_ifexists('target_domain_s', ''),\n TargetUserName=column_ifexists('target_user_s', ''),\n TeamDriveId=column_ifexists('team_drive_id_s', ''),\n UserAadid=column_ifexists('id_customerId_s', ''),\n UserAgentOriginal=column_ifexists('user_agent_s', ''),\n UserEmail=column_ifexists('USER_EMAIL_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n VisibilityChange=column_ifexists('visibility_change_s', '')\n| project \n TimeGenerated,\n AccountState,\n ActorCallerType,\n ActorEmail,\n ActorIsCollaboratorAccount,\n ActorKey,\n ActorProfileId,\n ApiKind,\n AppName,\n ApplicationEdition,\n ApplicationName,\n Billable,\n CalendarId,\n ClientId,\n ClientType,\n DestinationFolderId,\n DestinationFolderTitle,\n DocId,\n DocTitle,\n DocType,\n DstUserUpn,\n DestUserUpn,\n DvcGuid,\n DvcInterfaceGuid,\n DvcModelName,\n DvcModelNumber,\n DvcType,\n Etag,\n EventCategoryType,\n EventEndTime,\n EventGuest,\n EventId,\n EventMessage,\n EventOriginalMessage,\n EventProduct,\n EventResponseStatus,\n EventStartTime,\n EventTitle,\n EventType,\n EventUid,\n EventVendor,\n GroupDomain,\n IdApplicationName,\n IosVendorId,\n IosVendorUID,\n IsSecondFactor,\n IsSuspicious,\n Kind,\n LastSyncAuditDate,\n LoginChallengeMethod,\n LoginChallengeStatus,\n LoginType,\n ModuleName,\n NeqValue,\n Newvalue,\n NotificationMessageId,\n NotificationMethod,\n NotificationType,\n OldEventTitle,\n OldValue,\n Oldvalue,\n OldVisibility,\n OrganizerCalendarId,\n OriginatingAppId,\n OsProperty,\n Owner,\n OwnerDomain,\n OwnerIsSharedDrive,\n OwnerIsTeamDrive,\n PrimaryEvent,\n ProcessName,\n RegisterPrivelege,\n ResourceId,\n RoleName,\n Scope,\n ScopeData,\n SerialNumber,\n SharedDriveId,\n SourceFolderId,\n SourceFolderTitle,\n SrcIpAddr,\n 
TargetCalendarId,\n TargetUserDomain,\n TargetUserName,\n TeamDriveId,\n UserAadid,\n UserAgentOriginal,\n UserEmail,\n Visibility,\n VisibilityChange\n};\nGWorkspace_ReportsAPI_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'GWorkspaceActivityReports')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "GoogleWorkspaceReports", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -338,10 +477,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -352,13 +491,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
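Review bot: The new parser query (the `"query"` value in the contentTemplate, repeated in the standalone savedSearches resource below it) fixes the public schema of the `GWorkspaceActivityReports` alias at version 1.0.0, and several projected names look like slips that will be painful to rename once rules depend on them: `RegisterPrivelege` is misspelt, `NeqValue` sits next to `Newvalue`, and the case-only pairs `OldValue`/`Oldvalue` and `Newvalue`/`NeqValue` are distinct columns in KQL that are easy to confuse. Two source columns are also projected twice under different names, `USER_EMAIL_s` as both `DstUserUpn` and `UserEmail` and `kind_s` as both `EventCategoryType` and `Kind`, which suggests a mapping table that was never reconciled. `SrcIpAddr=column_ifexists('IPAddress', '')` is the only lookup without the custom-log type suffix every other column carries; if the ingested column is actually suffixed, `column_ifexists` will silently return '' on every row and any IP entity mapping or detection built on `SrcIpAddr` will be empty, so it is worth checking against the connector's real column name before the alias ships. The query is generated from the solution's parser source, so the renames belong there.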
@@ -442,10 +581,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -457,13 +596,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -547,10 +686,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -562,13 +701,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -652,10 +791,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -666,13 +805,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -756,10 +895,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -772,13 +911,13 @@ ], "entityMappings": [ { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } 
@@ -862,10 +1001,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -876,13 +1015,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -966,10 +1105,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -980,13 +1119,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -1070,10 +1209,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -1084,22 +1223,22 @@ ], "entityMappings": [ { + "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileCustomEntity" + "columnName": "FileCustomEntity", + "identifier": "Name" } - ], - "entityType": "File" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -1183,10 +1322,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ 
@@ -1197,13 +1336,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -1287,10 +1426,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "GoogleWorkspaceReportsAPI", "dataTypes": [ "GWorkspaceActivityReports" - ] + ], + "connectorId": "GoogleWorkspaceReportsAPI" } ], "tactics": [ @@ -1303,13 +1442,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -2925,7 +3064,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "GoogleWorkspaceReports", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Google Workspace solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 12

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Google Workspace solution for Microsoft Sentinel enables you to ingest Google Workspace Activity events into Microsoft Sentinel.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 12

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2955,6 +3094,11 @@ "contentId": "[variables('_workbookContentId1')]", "version": "[variables('workbookVersion1')]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/HolmSecurity/Data Connectors/AzureFunctionHolmSecurityAssets.zip b/Solutions/HolmSecurity/Data Connectors/AzureFunctionHolmSecurityAssets.zip index 5ce1b84d7ed..11637d1eda8 100644 Binary files a/Solutions/HolmSecurity/Data Connectors/AzureFunctionHolmSecurityAssets.zip and b/Solutions/HolmSecurity/Data Connectors/AzureFunctionHolmSecurityAssets.zip differ diff --git a/Solutions/HolmSecurity/Data Connectors/azuredeploy_Connector_HolmSecurityAssets_AzureFunction.json b/Solutions/HolmSecurity/Data Connectors/azuredeploy_Connector_HolmSecurityAssets_AzureFunction.json index 9f308ad3bec..f1546c594e7 100644 --- a/Solutions/HolmSecurity/Data Connectors/azuredeploy_Connector_HolmSecurityAssets_AzureFunction.json +++ b/Solutions/HolmSecurity/Data Connectors/azuredeploy_Connector_HolmSecurityAssets_AzureFunction.json @@ -139,7 +139,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.11" } }, "resources": [ diff --git a/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-APISource.yaml b/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-APISource.yaml new file mode 100644 index 00000000000..afb0c741d70 --- /dev/null +++ b/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-APISource.yaml 
@@ -0,0 +1,55 @@
+id: a5e2df87-f0c9-4540-8715-96e71b608986
+name: Infoblox - SOC Insight Detected - API Source
+description: |
+ 'Infoblox SOC Insight detected in logs sourced via REST API. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxInsight.yaml).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxSOCInsightsDataConnector_API
+ dataTypes:
+ - InfobloxInsight
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ InfobloxInsight
+ | summarize arg_max(TimeGenerated, *) by InfobloxInsightID
+entityMappings:
+ - entityType: SecurityGroup
+ fieldMappings:
+ - identifier: ObjectGuid
+ columnName: InfobloxInsightID
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: ThreatClass
+ - identifier: Category
+ columnName: ThreatProperty
+customDetails:
+ InfobloxInsightID: InfobloxInsightID
+ Severity: Priority
+ LastSeen: LastSeen
+ FirstSeen: FirstSeen
+ FeedSource: FeedSource
+ Status: Status
+ PersistentDate: PersistentDate
+ SpreadingDate: SpreadingDate
+ BlockedHits: BlockedCount
+ UnblockedHits: NotBlockedCount
+ TotalHits: EventsCount
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}'
+ alertDescriptionFormat: 'Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}'
+ alertSeverityColumnName: IncidentSeverity
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
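Review bot: The SecurityGroup entity mapping binds `ObjectGuid` to `InfobloxInsightID`, but an Infoblox insight identifier is not a directory security group, so every alert will create a SecurityGroup entity keyed by a vendor ID and pollute entity pages and the investigation graph. The ID is already surfaced in customDetails, so the mapping can be dropped, or changed to an entity type that actually matches what the parser emits. The query projects all columns through `arg_max(TimeGenerated, *)`, and the columns `IncidentSeverity`, `ThreatFamily` and `Priority` used by alertDetailsOverride and customDetails are not otherwise referenced, so it is worth stating in the description that the named parser must emit them, e.g. `# requires parser columns: InfobloxInsightID, ThreatClass, ThreatProperty, ThreatFamily, Priority, IncidentSeverity`. With queryFrequency and queryPeriod both 1d, an insight that keeps being ingested under the same InfobloxInsightID presumably re-alerts every run; documenting that expectation would help operators tuning the schedule. The same points apply to the CDC variant in the next hunk.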
diff --git a/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-CDCSource.yaml b/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-CDCSource.yaml
new file mode 100644
index 00000000000..4969366e863
--- /dev/null
+++ b/Solutions/Infoblox/Analytic Rules/Infoblox-SOCInsight-Detected-CDCSource.yaml
@@ -0,0 +1,53 @@
+id: d04f1963-df27-4127-b1ec-3d37148d65be
+name: Infoblox - SOC Insight Detected - CDC Source
+description: |
+ 'Infoblox SOC Insight detected in logs sourced via Infoblox CDC. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml).'
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: InfobloxSOCInsightsDataConnector_Legacy
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC_SOCInsights)
+ - connectorId: InfobloxSOCInsightsDataConnector_AMA
+ dataTypes:
+ - CommonSecurityLog (InfobloxCDC_SOCInsights)
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1498
+ - T1565
+query: |
+ InfobloxCDC_SOCInsights
+ | summarize arg_max(TimeGenerated, *) by InfobloxInsightID
+entityMappings:
+ - entityType: SecurityGroup
+ fieldMappings:
+ - identifier: ObjectGuid
+ columnName: InfobloxInsightID
+ - entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: ThreatClass
+ - identifier: Category
+ columnName: ThreatProperty
+customDetails:
+ InfobloxInsightID: InfobloxInsightID
+ FeedSource: FeedSource
+ Status: Status
+ BlockedHits: BlockedCount
+ UnblockedHits: NotBlockedCount
+ TotalHits: EventsCount
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}'
+ alertDescriptionFormat: 'Observed via CDC. {{ThreatFamily}}. {{Message}}'
+ alertSeverityColumnName: IncidentSeverity
+incidentConfiguration:
+ createIncident: true
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCEFDataConnector/template_InfobloxCloudDataConnectorAma.JSON b/Solutions/Infoblox/Data Connectors/InfobloxCEFDataConnector/template_InfobloxCloudDataConnectorAma.JSON
new file mode 100644
index 00000000000..d4a762e2b51
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCEFDataConnector/template_InfobloxCloudDataConnectorAma.JSON
@@ -0,0 +1,154 @@ +{ + "id": "InfobloxCloudDataConnectorAma", + "title": "[Recommended] Infoblox Cloud Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CommonSecurityLog", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all Block DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"" + }, + { + "description": "Return all DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DNS\"" + }, + { + "description": "Return all DHCP Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DHCP\"" + }, + { + "description": "Return all Service Logs 
Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Service\"" + }, + { + "description": "Return all Audit Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Audit\"" + }, + { + "description": "Return all Category Filters security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\"" + }, + { + "description": "Return all Application Filters security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\"" + }, + { + "description": "Return Top 10 TD Domains Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc" + }, + { + "description": "Return Top 10 TD Source IPs Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc" + }, + { + "description": "Return Recently Created DHCP Leases", + "query": "CommonSecurityLog\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\"" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of Threat Defense, access to an appropriate Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "instructions": [] + }, + { + "title": "1. Linux Syslog agent configuration", + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + { + "title": "2. Configure Infoblox to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent", + "description": "Follow the steps below to configure the Infoblox CDC to send data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. 
Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate." + }, + { + "title": "3. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "4. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators.zip b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators.zip new file mode 100644 index 00000000000..c80ec7f30bd Binary files /dev/null and b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators.zip differ 
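Review bot: The connector is titled "via AMA" and its graph, lastDataReceived and IsConnected queries all require a non-empty `CollectorHostName` (the AMA marker), yet instruction step 1.2 tells the user to install the Microsoft Monitoring Agent through `cef_installer.py` with `WorkspaceId`/`PrimaryKey`, and the permissions block demands `sharedKeys` access — that is the legacy agent flow, so a user who follows these steps will ingest data that the connector's own health queries never recognise as connected. The instruction steps should describe the AMA/DCR onboarding (no workspace key involved) or the title and queries should stop claiming AMA; the `sharedKeys` permission entry and the `PrimaryKey` fill parameter can then be removed. Separately, `python -version` in steps 1.2 and 3 is not a valid flag; it should read `python --version`. The `delete: true` requirement on the workspace is also broader than a read/write data connector needs and deserves a justification in `permissionsDisplayText` if it is intentional.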
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/__init__.py
new file mode 100644
index 00000000000..7ee7e39ee4c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/__init__.py
@@ -0,0 +1,24 @@
+"""Init file for AzureStorageToIndicators function app."""
+
+import datetime
+import time
+import logging
+import azure.functions as func
+from .create_indicator import CreateThreatIndicator
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Driver method for Infoblox to sentinel."""
+ utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ start = time.time()
+ applogger.info(
+ "{} : {} : Start Creating Indicators Execution".format(consts.LOGS_STARTS_WITH, consts.INDICATOR_FUNCTION_NAME)
+ )
+ indicator_obj = CreateThreatIndicator(int(start))
+ indicator_obj.parse_file_list()
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/create_indicator.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/create_indicator.py
new file mode 100644
index 00000000000..80723e2569f
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/create_indicator.py
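Review bot: `datetime.datetime.utcnow()` followed by `.replace(tzinfo=...)` in `main` is the spelling that is deprecated from Python 3.12 onward (which runtime this function app targets is not visible here), and the aware equivalent is a single call: `utc_timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()`. The `mytimer.past_due` check runs only after `parse_file_list()` has processed the whole batch, so it can never influence the run; either move it ahead of the work or add a comment such as `# informational only; a late trigger is still processed in full` so the next reader does not expect it to skip anything. The module also logs through both `applogger` and the root `logging` logger, which splits the function's trace across two outputs; picking one would keep the start and end markers together.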
@@ -0,0 +1,198 @@ +"""Create indicators .""" + +import inspect +import time +from ..SharedCode import consts +from ..SharedCode.infoblox_exception import InfobloxException, InfobloxTimeoutException +from ..SharedCode.logger import applogger +from .indicator_mapping import Mapping +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils + + +class CreateThreatIndicator(Utils): + """Class to create indicators.""" + + def __init__(self, start): + """Initialize the CreateThreatIndicator object. + + Args: + start(int): The starting time for the indicator creation process. + """ + super().__init__(consts.INDICATOR_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"AzureTenantId": consts.AZURE_TENANT_ID}, + {"AzureClientId": consts.AZURE_CLIENT_ID}, + {"AzureClientSecret": consts.AZURE_CLIENT_SECRET}, + {"AzureAuthURL": consts.AZURE_AUTHENTICATION_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"ConnectionString": consts.CONN_STRING}, + {"FILE_SHARE_NAME_DATA": consts.FILE_SHARE_NAME_DATA}, + ] + ) + self.mapping_obj = Mapping() + self.start = start + self.auth_sentinel() + + def parse_file_list(self): + """Get list of file names and upload indicators to Sentinel. + + Raises: + InfobloxException: Raised if any error occurs while fetching data from file and uploading indicators. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + file_list = self.filter_file_list(consts.FILE_NAME_PREFIX_COMPLETED) + count_state_obj = StateManager( + connection_string=consts.CONN_STRING, + file_path="indicator_count", + share_name=consts.FILE_SHARE_NAME_DATA, + ) + for file_item in file_list: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise InfobloxTimeoutException() + + state_file_obj = StateManager(consts.CONN_STRING, file_item, consts.FILE_SHARE_NAME_DATA) + request_body = self.get_checkpoint_data(state_file_obj, load_flag=True) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No. of records in storage file = {} File = {}".format(len(request_body), file_item), + ) + ) + checkpoint_file_count = self.get_checkpoint_data(count_state_obj) + stored_indicator_count = 0 if not checkpoint_file_count else int(checkpoint_file_count) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Indicator Count from Checkpoint : {}".format(stored_indicator_count), + ) + ) + + chunked_data = self.mapping_obj.create_chunks(request_body, stored_indicator_count) + self.iterate_chunks_and_upload_indicators( + chunked_data, + file_item, + stored_indicator_count, + state_file_obj, + count_state_obj, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Indicators created for all available files", + ) + ) + except InfobloxTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Infoblox: 9:30 mins executed hence breaking.", + ) + ) + return + except InfobloxException: + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + 
"Unexpected error : Error-{}".format(error), + ) + ) + raise InfobloxException() + + def iterate_chunks_and_upload_indicators( + self, + chunked_data, + file_item, + stored_indicator_count, + state_file_obj, + count_state_obj, + ): + """Iterate through chunked data and uploads indicators to a storage location. + + Args: + chunked_data: A list of data chunks to process. + file_item: The file item to work on. + stored_indicator_count: The count of stored indicators. + state_file_obj: The state file object. + count_state_obj: The count state object. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + index = 0 + filtered_indicators = 0 + for chunk in chunked_data: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise InfobloxTimeoutException() + + mapped_data = self.mapping_obj.map_threat_data(chunk) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "File name = {}, Uploading {} Indicators, index = {}".format( + file_item, len(mapped_data), index + ), + ) + ) + if len(mapped_data) != 0: + filtered_indicators += len(mapped_data) + self.upload_indicator(mapped_data) + stored_indicator_count += len(chunk) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Indicator Count to post to Checkpoint file : {}".format( + stored_indicator_count, + ), + ) + ) + self.post_checkpoint_data( + count_state_obj, + str(stored_indicator_count), + ) + index += 1 + + self.post_checkpoint_data(count_state_obj, "") + state_file_obj.delete() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "File deleted = {}, Total indicators = {}, Filtered indicators = {}".format( + file_item, stored_indicator_count, filtered_indicators + ), + ) + ) + except InfobloxTimeoutException: + raise InfobloxTimeoutException() + except InfobloxException: + raise 
InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected error : Error-{}".format(error), + ) + ) + raise InfobloxException() diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/function.json new file mode 100644 index 00000000000..44f02c1702c --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%", + "useMonitor": true + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/indicator_mapping.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/indicator_mapping.py new file mode 100644 index 00000000000..e55996b5615 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/indicator_mapping.py 
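Review bot: The `except InfobloxException: raise InfobloxException()` handlers in both `parse_file_list` and `iterate_chunks_and_upload_indicators`, and the `except InfobloxTimeoutException: raise InfobloxTimeoutException()` handler in the latter, replace the caught object with a fresh, message-less instance, so any detail and the original traceback are lost before the Functions host records the failure; a bare `raise` keeps the same exception. The catch-all branches log the text but then also raise a detached `InfobloxException()`; `raise InfobloxException() from error` preserves the cause without changing what callers catch. The `indicator_count` checkpoint is shared across files rather than keyed by `file_item`, and the completion path resets it with `self.post_checkpoint_data(count_state_obj, "")` before `state_file_obj.delete()`; if the host stops between those two calls the next run presumably re-uploads the whole file from offset 0, which is worth a comment on the intended idempotency of `upload_indicator` or a per-file checkpoint name. The timeout path in `parse_file_list` logs "9:30 mins executed" while the limit is actually `consts.FUNCTION_APP_TIMEOUT_SECONDS`; logging the constant instead keeps the message truthful if the value changes.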
@@ -0,0 +1,175 @@ +"""Mapping threat data to the required format for processing.""" + +import inspect +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.infoblox_exception import InfobloxException + + +class Mapping: + """Mapping class to map threat data to the required format for processing.""" + + def __init__(self): + """Initialize instance variable for class.""" + self.confidence = consts.CONFIDENCE_THRESHOLD + self.threat_level = consts.THREAT_LEVEL + + def map_threat_data(self, item_list): + """Map threat data to the required format for processing. + + Args: + item_list (list): A list of threat data items to be processed. + + Returns: + list: A list of mapped threat data items in the required format. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.INDICATOR_FUNCTION_NAME, + "Mapping threat data, No. of records to map = {}".format(len(item_list)), + ) + ) + mapped = [] + hash_map = { + "SHA1": "SHA-1", + "SHA256": "SHA-256", + "MD5": "MD5", + "SHA512": "SHA-512", + "SHA384": "SHA-384", + "SSDEEP": "SSDEEP", + "MD6": "MD6", + "RIPEMD160": "RIPEMD-160", + "SHA224": "SHA-224", + "SHA3224": "SHA3-224", + "SHA3256": "SHA3-256", + "SHA3384": "SHA3-384", + "SHA3512": "SHA3-512", + "SSDEEPWHIRLPOOL": "SSDEEPWHIRLPOOL", + } + temp = { + "HOST": "[domain-name:value = '{}']", + "IP": "[ipv4-addr:value = '{}']", + "URL": "[url:value = '{}']", + "HASH": "[file:hashes.'{}' = '{}']", + "EMAIL": "{}", + } + for item in item_list: + pattern = temp.get(item.get("type")) + if item.get("type").upper() == "HASH": + hash_type = hash_map.get(item.get("hash_type"), "SHA256") + pattern = pattern.format(hash_type, item.get(item.get("type").lower())) + else: + pattern = pattern.format(item.get(item.get("type").lower())) + confidence_val = item.get("confidence", 0) + threat_level_val = item.get("threat_level", 0) + if 
threat_level_val >= self.threat_level and confidence_val >= self.confidence: + body = { + "name": "Infoblox - {} - {}".format(item.get("type"), item.get("id")), + "type": "indicator", + "spec_version": "2.1", + "id": "indicator--{}".format(item.get("id")), + "created": item.get("detected"), + "modified": item.get("detected"), + "revoked": item.get("up", False), + "labels": [ + item.get("type"), + "Domain : {}".format(item.get("domain", "-")), + "TLD : {}".format(item.get("tld", "-")), + "Imported : {}".format(item.get("imported")), + "Profile : {}".format(item.get("profile")), + "Property : {}".format(item.get("property")), + "Dga: {}".format(item.get("dga", "-")), + "Threat Level : {}".format(item.get("threat_level")), + "Threat Score : {}".format(item.get("threat_score", "-")), + "Threat Score Rating : {}".format(item.get("threat_score_rating", "-")), + "Confidence Score : {}".format(item.get("confidence_score", "-")), + "Confidence Score Rating : {}".format(item.get("confidence_score_rating", "-")), + "Risk Score : {}".format(item.get("risk_score", "-")), + "Risk Score Rating : {}".format(item.get("risk_score_rating", "-")), + "Notes : {}".format(item.get("extended", {}).get("notes", "-")), + ], + "confidence": (item.get("confidence", 0)), + "description": "Infoblox - {} - {}".format(item.get("type"), item.get("class")), + "indicator_types": [item.get("class")], + "pattern": pattern, + "pattern_type": "stix", + "pattern_version": "2.1", + "valid_from": item.get("received"), + "valid_until": item.get("expiration"), + } + mapped.append(body) + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.INDICATOR_FUNCTION_NAME, + "No. 
of records after mapping = {}".format(len(mapped)), + ) + ) + return mapped + except KeyError as keyerror: + applogger.error( + "{} : {} (method={}), KeyError while mapping threat data :{}".format( + consts.LOGS_STARTS_WITH, + consts.INDICATOR_FUNCTION_NAME, + __method_name, + keyerror, + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + "{} : {} (method={}), Error while mapping threat data :{}".format( + consts.LOGS_STARTS_WITH, + consts.INDICATOR_FUNCTION_NAME, + __method_name, + error, + ) + ) + raise InfobloxException() + + def create_chunks(self, text, start_index): + """Create chunk from text starting at a specific index. + + Args: + text (str): The input text from which chunks will be created. + start_index (int): The starting index to begin creating chunks from. + + Returns: + list: A list of chunked data items. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.INDICATOR_FUNCTION_NAME, + "Creating Chunks", + ) + ) + chunk_size = consts.CHUNK_SIZE_INDICATOR + chunked_data = [text[index: index + chunk_size] for index in range(start_index, len(text), chunk_size)] + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.INDICATOR_FUNCTION_NAME, + "Number of chunks : {}".format(len(chunked_data)), + ) + ) + return chunked_data + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.INDICATOR_FUNCTION_NAME, + "Unexpected error : Error-{}".format(error), + ) + ) + raise InfobloxException() diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/readme.md b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/readme.md new file mode 100644 index 00000000000..3ca09e8b42b --- /dev/null 
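Review bot: The STIX pattern in `map_threat_data` is built with `str.format` straight from feed values (`"[domain-name:value = '{}']"`, `"[url:value = '{}']"`, the `HASH` template), so a value containing `'` or `\` produces a malformed or altered pattern that the indicator upload will presumably reject; STIX string literals need both characters backslash-escaped before interpolation, e.g. `value = str(value).replace("\\", "\\\\").replace("'", "\\'")` applied to the hash and the value before `pattern.format(...)`. The `"EMAIL": "{}"` template also yields a bare string rather than a comparison expression (`[email-addr:value = '{}']` is the STIX form). The lookup `temp.get(item.get("type"))` uses the raw type while the HASH branch compares `type.upper()`, so a lower-case or missing `type` leaves `pattern` as `None` and the resulting `AttributeError` aborts the whole chunk via the generic handler; normalising once (`ioc_type = (item.get("type") or "").upper()`) and skipping unknown types with a warning would keep one bad record from failing the batch.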
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/AzureStorageToIndicators/readme.md @@ -0,0 +1,10 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more +This function will fetch IOCs from azure file and upload as an indicator in azure sentinel diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage.zip b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage.zip new file mode 100644 index 00000000000..85362497f04 Binary files /dev/null and b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage.zip differ diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/__init__.py new file mode 100644 index 00000000000..6c353f0d92f --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/__init__.py 
@@ -0,0 +1,41 @@
+"""Init file for Infoblox Current Function App."""
+import datetime
+import logging
+import azure.functions as func
+from .infoblox_to_azure_storage import InfobloxToAzureStorage
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+import time
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Run the main logic of the Function App triggered by a timer."""
+ utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ start = time.time()
+ applogger.info(
+ "{} : {}, Function App started at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.CURRENT_I_TO_S_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(start),
+ )
+ )
+ infoblox_to_azure_storage_obj = InfobloxToAzureStorage(str(int(start)))
+ infoblox_to_azure_storage_obj.get_infoblox_data_into_azure_storage()
+ end = time.time()
+
+ applogger.info(
+ "{} : {}, Function App ended at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.CURRENT_I_TO_S_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(end),
+ )
+ )
+ applogger.info(
+ "{} : {}, Total time taken = {}".format(
+ consts.LOGS_STARTS_WITH, consts.CURRENT_I_TO_S_FUNCTION_NAME, end - start
+ )
+ )
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/function.json
@@ -0,0 +1,12 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%",
+ "useMonitor": true
+ }
+ ]
+}
\ No newline at end of file
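Review bot: `datetime.datetime.utcnow()` on the `utc_timestamp` line is deprecated as of Python 3.12, and `infoblox_to_azure_storage.py` in this same change already uses the aware form, so `datetime.datetime.now(datetime.timezone.utc).isoformat()` keeps the two modules consistent. The start/end log lines use `datetime.datetime.fromtimestamp(start)`, which renders host-local time, so `datetime.datetime.fromtimestamp(start, datetime.timezone.utc)` would keep every timestamp in this log stream in UTC. The `if mytimer.past_due:` check only runs after the whole ingestion has finished, which makes the message far less useful for diagnosing a backlog; moving that block to the top of `main` costs nothing. Any exception from `get_infoblox_data_into_azure_storage` propagates out of `main`, presumably so the host records a failed run — a one-line comment saying so would stop the next reader from wrapping it in a swallow-all handler.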
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/infoblox_to_azure_storage.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/infoblox_to_azure_storage.py new file mode 100644 index 00000000000..96e5d841074 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/infoblox_to_azure_storage.py 
@@ -0,0 +1,620 @@ +"""Get infoblox data and store it in azure storage with max of 20 MB file.""" + +import inspect +import datetime +import requests +import json +from azure.storage.fileshare import ShareDirectoryClient +from ..SharedCode import consts +from ..SharedCode.infoblox_exception import InfobloxException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data + + +class InfobloxToAzureStorage(Utils): + """Class for storing the data from infoblox to azure storage.""" + + def __init__(self, start_time) -> None: + """Initialize InfobloxToAzureStorage object.""" + super().__init__(consts.CURRENT_I_TO_S_FUNCTION_NAME) + self.start_time = start_time + self.ioc_type = consts.TYPE + self.check_environment_var_exist( + [ + {"Api_Token": consts.API_TOKEN}, + {"File_Share_Name": consts.FILE_SHARE_NAME}, + {"File_Name": consts.FILE_NAME}, + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY} + ] + ) + self.authenticate_infoblox_api() + self.parent_file = ShareDirectoryClient.from_connection_string( + conn_str=consts.CONN_STRING, + share_name=consts.FILE_SHARE_NAME_DATA, + directory_path="", + ) + + def get_infoblox_data_into_azure_storage(self) -> None: + """Get infoblox data and send the data to azure storage, initialization method.""" + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_file_name = consts.FILE_NAME + "-" + self.ioc_type + date_state_manager_obj = StateManager(consts.CONN_STRING, checkpoint_file_name, consts.FILE_SHARE_NAME) + self.initiate_and_iterate_through_response_obj(date_state_manager_obj) + + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + 
raise InfobloxException() + + def initiate_and_iterate_through_response_obj(self, date_state_manager_obj): + """Initiate and iterate through the response object. + + Fetches checkpoint data, processes dates, and query parameters. + Handles response object iteration and posts data to Azure storage. + + Args: + date_state_manager_obj: State management object. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = self.get_checkpoint_data(date_state_manager_obj, load_flag=True) + from_date = None + if checkpoint_data: + from_date = checkpoint_data.get("to_date", None) + + if not from_date: + # !This means function app is running first time + to_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + from_date = self.add_xh_to_iso_time_string(to_date, -abs(consts.CURRENT_TIME_INTERVAL)) + data_to_post = {"to_date": from_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + else: + to_date = self.add_xh_to_iso_time_string(from_date, consts.CURRENT_TIME_INTERVAL) + + base_checkpoint_file_name_for_from_and_to_dates = self.create_checkpoint_file_name_using_dates( + from_date, to_date, self.ioc_type + ) + + self.checkpoint_for_from_and_to_dates = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates, + consts.FILE_SHARE_NAME_DATA, + ) + status_of_last_from_date = self.get_checkpoint_data(self.checkpoint_for_from_and_to_dates) + + if status_of_last_from_date: + status_of_last_from_date = int(status_of_last_from_date) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Retry count from last iteration = {}".format(status_of_last_from_date), + ) + ) + list_of_file_with_prefix = self.list_file_names_in_file_share( + 
self.parent_file, + base_checkpoint_file_name_for_from_and_to_dates, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No. of file = {} with prefix = {}".format( + len(list_of_file_with_prefix), + base_checkpoint_file_name_for_from_and_to_dates, + ), + ) + ) + # ! delete all checkpoints file starting with prefix base_checkpoint_file_name_for_from_and_to_dates + if list_of_file_with_prefix: + self.delete_files_from_azure_storage(list_of_file_with_prefix, self.parent_file) + if status_of_last_from_date > 2: + self.store_failed_range(from_date, to_date) + + data_to_post = {"to_date": to_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + + from_date = to_date + to_date = self.add_xh_to_iso_time_string(from_date, consts.CURRENT_TIME_INTERVAL) + base_checkpoint_file_name_for_from_and_to_dates = self.create_checkpoint_file_name_using_dates( + from_date, to_date, self.ioc_type + ) + self.checkpoint_for_from_and_to_dates = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates, + consts.FILE_SHARE_NAME_DATA, + ) + status_of_last_from_date = 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "This to_date occur for the first time. 
Storing retry count = 1", + ) + ) + self.post_checkpoint_data( + self.checkpoint_for_from_and_to_dates, + str(status_of_last_from_date), + ) + else: + status_of_last_from_date += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Storing retry count = {}".format(status_of_last_from_date), + ) + ) + self.post_checkpoint_data( + self.checkpoint_for_from_and_to_dates, + str(status_of_last_from_date), + ) + else: + status_of_last_from_date = 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "This to_date occur for the first time. Storing retry count = 1", + ) + ) + self.post_checkpoint_data(self.checkpoint_for_from_and_to_dates, str(status_of_last_from_date)) + + query_params = {"from_date": from_date, "to_date": to_date} + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Query params = {}".format(query_params), + ) + ) + + response_obj = self.initiate_response_obj(query_params, self.ioc_type) + + base_checkpoint_file_name_for_from_and_to_dates += "_" + self.start_time + + self.iterate_through_response_obj(response_obj, base_checkpoint_file_name_for_from_and_to_dates) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "IOCs posted to azure storage from_date = {}, to_date = {}".format(from_date, to_date), + ) + ) + data_to_post = {"to_date": to_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + + self.checkpoint_for_from_and_to_dates.delete() + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def initiate_response_obj(self, 
query_params, ioc_type): + """Initiate the response object. + + Create URL based on the endpoint and IOC type, + then sends a request to get the Infoblox stream response object using the given query parameters. + + Args: + query_params: A dictionary containing query parameters. + ioc_type: The type of IOC (Indicator of Compromise). + + Returns: + The response object obtained from Infoblox. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + endpoint = consts.ENDPOINTS["active_threats_by_type"] + url = self.url_builder(endpoint, ioc_type) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Url = {}".format(url), + ) + ) + response_obj = self.get_infoblox_stream_response_obj(url, query_parameters=query_params) + + return response_obj + except InfobloxException: + raise InfobloxException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Key error : Error-{}".format(key_error), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def create_checkpoint_file_name_using_dates(self, from_date, to_date, ioc_type): + """Create a checkpoint file name using the specified from_date, to_date, and IOC type. + + Args: + from_date: The starting date for the checkpoint. + to_date: The ending date for the checkpoint. + ioc_type: The type of IOC (Indicator of Compromise). + + Returns: + The generated checkpoint file name. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + from_epoch = self.iso_to_epoch_str(from_date) + to_epoch = self.iso_to_epoch_str(to_date) + + checkpoint_file_name = "infoblox_raw_{}_{}_{}".format(ioc_type, from_epoch, to_epoch) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint file name = {}".format(checkpoint_file_name), + ) + ) + return checkpoint_file_name + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def iterate_through_response_obj(self, response_obj, base_checkpoint_file_name_for_from_and_to_dates): + """Iterate through the response object, processes the data in chunks, and sends it to Azure storage. + + Args: + response_obj: The response object to iterate through. + base_checkpoint_file_name_for_from_and_to_dates: The base name for the checkpoint data file. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_data = None + max_file_size = consts.MAX_FILE_SIZE + max_chunk_size = consts.MAX_CHUNK_SIZE + index = 1 + for chunk in response_obj.iter_content(max_chunk_size): + if chunk is None: + break + chunk_len = len(chunk) + if response_data is None: + response_data = chunk + elif (len(response_data) + chunk_len) > max_file_size: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index = {}, Len = {}, Max File Size = {}".format(index, len(response_data), max_file_size), + ) + ) + self.send_to_azure_storage( + response_data, + base_checkpoint_file_name_for_from_and_to_dates, + index, + ) + index += 1 + response_data = chunk + else: + response_data += chunk + if response_data: + self.send_to_azure_storage( + response_data, + base_checkpoint_file_name_for_from_and_to_dates, + index, + ) + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def send_to_azure_storage(self, response_data, base_checkpoint_file_name_for_from_and_to_dates, index): + """Send response data to Azure storage. + + Args: + response_data: The data to be sent to Azure storage. + base_checkpoint_file_name_for_from_and_to_dates: The base file name for the checkpoint data. + index: The index of the data being sent. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index = {}, Checkpoint File Name = {}, Sending data...".format( + index, + base_checkpoint_file_name_for_from_and_to_dates + "_" + str(index), + ), + ) + ) + checkpoint_obj = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates + "_" + str(index), + consts.FILE_SHARE_NAME_DATA, + ) + self.post_checkpoint_data(checkpoint_obj, response_data) + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def get_infoblox_stream_response_obj(self, url, query_parameters=None): + """Return the response object obtained from Infoblox. + + Args: + url: The URL to send the request to + query_parameters: Optional query parameters (default is None) + + Returns: + The response object from the URL request + """ + __method_name = inspect.currentframe().f_code.co_name + try: + max_retries = consts.MAX_RETRIES + for _ in range(max_retries): + response = requests.get(url=url, headers=self.headers, params=query_parameters, stream=True) + if response.status_code == 200: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Got response object, Status Code = {}".format(response.status_code), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Retrying..., Status Code = {}".format(response.status_code), + ) + ) + continue + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + 
__method_name, + self.azure_function_name, + "Rate Limit Exceeded, Retrying..., Status Code = {}".format(response.status_code), + ) + ) + continue + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Provide valid API TOKEN, Status Code = {}".format(response.status_code), + ) + ) + raise InfobloxException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, user does not have access to this API, Status Code = {}".format( + response.status_code + ), + ) + ) + raise InfobloxException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected error, Status Code = {}, Error-{}".format( + response.status_code, response.content + ), + ) + ) + raise InfobloxException() + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries reached", + ) + ) + raise InfobloxException() + except requests.ConnectionError as conn_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Connection error : Error-{}".format(conn_err), + ) + ) + raise InfobloxException() + except requests.HTTPError as http_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "HTTP error : Error-{}".format(http_err), + ) + ) + raise InfobloxException() + except requests.Timeout as timeout_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Timeout error : Error-{}".format(timeout_err), + ) + ) + raise InfobloxException() + except requests.RequestException as request_err: + applogger.error( + self.log_format.format( + 
consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request error : Error-{}".format(request_err), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def url_builder(self, endpoint, path_variable=None): + """Build a URL based on the provided endpoint and optional path variable. + + Args: + endpoint: The base endpoint to build the URL. + path_variable: Optional path variable to append to the endpoint. + + Returns: + The constructed URL. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if path_variable: + url = consts.BASE_URL.format(endpoint.format(path_variable)) + else: + url = consts.BASE_URL.format(endpoint) + url += "?fields={}".format(consts.FIELDS) + if consts.CONFIDENCE_THRESHOLD: + url += "&confidence={}".format(consts.CONFIDENCE_THRESHOLD) + return url + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def store_failed_range(self, from_date, to_date): + """Store range of date which are failed to fetch in table. 
+ + Args: + from_date (str): from date of range + to_date (str): to date of range + """ + __method_name = inspect.currentframe().f_code.co_name + try: + range_to_append = [ + { + "From Date": from_date, + "To Date": to_date, + "Threat Type": self.ioc_type, + } + ] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Ingesting failed range = {}".format(range_to_append), + ) + ) + post_data(json.dumps(range_to_append), "Failed_Range_To_Ingest") + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/readme.md b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/readme.md new file mode 100644 index 00000000000..058278531c9 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxCurrentToAzureStorage/readme.md @@ -0,0 +1,10 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more +This function will fetch current data from infoblox platform to azure storage 
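Review bot: `requests.get(...)` in `get_infoblox_stream_response_obj` has no `timeout`, so a stalled Infoblox connection keeps the Function alive until the host kills it, and the retry bookkeeping in `initiate_and_iterate_through_response_obj` then counts that range as failed; pass `timeout=consts.REQUEST_TIMEOUT` (a `(connect, read)` tuple — the constant is not among the visible ones, so it needs adding) on that call. The 500 and 429 branches `continue` immediately, which fires `MAX_RETRIES` requests back-to-back with no backoff and ignores any `Retry-After` on 429; a `time.sleep(...)` (with `import time`) scaled by the attempt number before each `continue` is the minimal change. Each streamed response that is retried is also never closed, so `response.close()` before `continue` would stop leaking a pooled connection per attempt. Separately, `__init__` validates `File_Share_Name` but the class actually reads `consts.CONN_STRING` and `consts.FILE_SHARE_NAME_DATA` for the data share, which are not in the `check_environment_var_exist` list.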
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/__init__.py new file mode 100644 index 00000000000..f71a2c3fd1c --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/__init__.py 
@@ -0,0 +1,88 @@ +"""Init file for http stater function.""" + +import logging +import inspect +from azure.functions import HttpRequest, HttpResponse +from azure.durable_functions import DurableOrchestrationClient +from ..SharedCode import consts +from ..SharedCode.logger import applogger +from ..SharedCode.infoblox_exception import InfobloxException + + +def get_data_from_request_body(req: HttpRequest): + """Extract type_of_data and target in a function. + + Args: + req (HttpRequest): The HTTP request object. + + Returns: + tuple: A tuple containing the extracted type_of_data and target. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + type_of_data = req.params.get("type").strip() + target = req.params.get("target").strip() + return type_of_data, target + except TypeError as type_error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOSSIER_HTTP_STARTER_FUNCTION_NAME, + "Type error : Error-{}".format(type_error), + ) + ) + raise InfobloxException() + + +async def main(req: HttpRequest, starter: str) -> HttpResponse: + """Async function that serves as the main entry point for handling HTTP requests. + + Args: + req (HttpRequest): The incoming HTTP request object. + starter (str): The identifier for the DurableOrchestrationClient. + + Returns: + HttpResponse: The response generated based on the request processing. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + type_of_data, target = get_data_from_request_body(req) + if not type_of_data or not target: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOSSIER_HTTP_STARTER_FUNCTION_NAME, + "No Type or Target found in request", + ) + ) + else: + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.DOSSIER_HTTP_STARTER_FUNCTION_NAME, + "Got params from request. 
Type = {}, Target = {}".format(type_of_data, target),
+ )
+ )
+ client = DurableOrchestrationClient(starter)
+ instance_id = await client.start_new(
+ req.route_params["functionName"],
+ None,
+ {"type": type_of_data, "target": target},
+ )
+ logging.info(f"Started orchestration with ID = '{instance_id}'.")
+ return client.create_check_status_response(req, instance_id)
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_HTTP_STARTER_FUNCTION_NAME,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/function.json
new file mode 100644
index 00000000000..2b93a896b6a
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierHttpStarter/function.json
@@ -0,0 +1,26 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "authLevel": "anonymous",
+ "name": "req",
+ "type": "httpTrigger",
+ "direction": "in",
+ "route": "orchestrators/{functionName}",
+ "methods": [
+ "post",
+ "get"
+ ]
+ },
+ {
+ "name": "$return",
+ "type": "http",
+ "direction": "out"
+ },
+ {
+ "name": "starter",
+ "type": "durableClient",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/__init__.py
new file mode 100644
index 00000000000..4cfcee65bea
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/__init__.py
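Review bot: `get_data_from_request_body` calls `.strip()` on `req.params.get("type")`, which raises `AttributeError` — not `TypeError` — when the parameter is absent, so the `except TypeError` handler never fires and a request missing either parameter falls through to the generic handler in `main` and surfaces as a 500; `type_of_data = (req.params.get("type") or "").strip()` and `target = (req.params.get("target") or "").strip()` avoid that. In `main`, the empty-parameter branch only logs and then falls off the end returning `None`, which the Functions host also reports as an error; it should answer the caller, e.g. `return HttpResponse("Missing 'type' or 'target' query parameter.", status_code=400)`. `req.route_params["functionName"]` is handed to `client.start_new` unchecked, so any orchestrator name in the URL can be started; given the trigger is configured as anonymous in the accompanying function.json, comparing it to the orchestrator this app actually exposes and returning 404 otherwise is worth adding here.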
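Review bot: `"authLevel": "anonymous"` on this HTTP starter means anyone who can reach the Function App hostname can start an orchestration by name through `orchestrators/{functionName}`, with each run spending the tenant's Infoblox Dossier API quota on caller-supplied `type`/`target` values; unless the caller is a known unauthenticated integration, this should be `"authLevel": "function"` so the playbook presents a key, or at minimum the app should sit behind a network or EasyAuth restriction. The route parameter is also unconstrained, so the starter code should validate `{functionName}` against the orchestrator(s) actually deployed. Listing `"get"` alongside `"post"` makes the trigger reachable from a plain link and leaves `type`/`target` in proxy and access logs; if only the playbook POSTs to it, dropping `"get"` narrows the surface.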
@@ -0,0 +1,31 @@
+"""Init for Dossier Job Result function."""
+
+import inspect
+from .get_dossier_result import DossierGetResult
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+
+
+def main(name: str) -> str:
+ """Dossier job result main function.
+
+ Args:
+ name (str): The name used to retrieve dossier data.
+
+ Returns:
+ str: The result of the dossier data retrieval.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_GET_RESULT_FUNCTION_NAME,
+ "Dossier Job Result function started with job_id = {}".format(name),
+ )
+ )
+ job_id = name
+ result = ""
+ dossier_get_result = DossierGetResult()
+ result = dossier_get_result.get_job_result_and_ingest_in_sentinel(job_id)
+ return result
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/function.json
new file mode 100644
index 00000000000..97685a81bbc
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "name",
+ "type": "activityTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/get_dossier_result.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/get_dossier_result.py
new file mode 100644
index 00000000000..15428451782
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierJobResult/get_dossier_result.py
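Review bot: `result = ""` is dead — the next assignment overwrites it — and `job_id = name` only aliases the parameter, so the tail of `main` can be the single line `return DossierGetResult().get_job_result_and_ingest_in_sentinel(name)`. `DossierGetResult.__init__` already reads the environment and authenticates, so a failure there propagates to the orchestrator without a log line from this function; that matches the other activities, but the docstring should say so with a `Raises:` entry such as `InfobloxException: on configuration, authentication or ingestion failure.`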
@@ -0,0 +1,234 @@
+"""Get Dossier Result using job id provided from another activity function."""
+
+import inspect
+import json
+import sys
+from math import ceil
+from ..SharedCode.infoblox_exception import InfobloxException
+from ..SharedCode import consts
+from ..SharedCode.logger import applogger
+from ..SharedCode.utils import Utils
+from ..SharedCode.sentinel import post_data
+
+
+class DossierGetResult(Utils):
+ """Class for get dossier result."""
+
+ def __init__(self):
+ """Init method for get dossier result."""
+ super().__init__(consts.DOSSIER_GET_RESULT_FUNCTION_NAME)
+ self.check_environment_var_exist(
+ [
+ {"WorkspaceID": consts.WORKSPACE_ID},
+ {"WorkspaceKey": consts.WORKSPACE_KEY},
+ {"API_Token": consts.API_TOKEN},
+ ]
+ )
+ self.authenticate_infoblox_api()
+
+ def get_size_of_json(self, json_response):
+ """Calculate the size of a JSON object after converting it to a string.
+
+ Args:
+ json_response: The JSON object to calculate the size for.
+
+ Returns:
+ int: The size of the JSON object after conversion to a string.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ return sys.getsizeof(json.dumps(json_response))
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ consts.UNEXPECTED_ERROR_MSG.format(error),
+ )
+ )
+ raise InfobloxException()
+
+ def separate_data_into_chunks(self, raw_data, size_of_data):
+ """Return data by separating it into 20 mb chunks.
+
+ Args:
+ raw_data (list): list of json objects.
+
+ Yields:
+ list: separated chunks in list.
+ """
+ original_index = consts.SIZE_OF_CHUNK_TO_INGEST
+ count_of_data_for_original_index = int((len(raw_data) * original_index) / size_of_data)
+ number_of_iterations = ceil(len(raw_data) / count_of_data_for_original_index)
+ start_count = 0
+ for _ in range(number_of_iterations):
+ end_index = start_count + count_of_data_for_original_index
+ if end_index > len(raw_data):
+ yield raw_data[start_count:]
+ break
+ yield raw_data[start_count:end_index]
+ start_count = end_index
+
+ def send_to_sentinel(self, suffix, data, source):
+ """Send data to Sentinel after processing it in chunks.
+
+ Args:
+ suffix (str): A suffix to be used in the data processing.
+ data (dict): The data to be processed and sent to Sentinel.
+ source (str): The source of the data.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ size_of_list = self.get_size_of_json(data)
+ for chunk in self.separate_data_into_chunks(data, size_of_list):
+ post_data(
+ json.dumps(chunk, ensure_ascii=False),
+ "{}_{}_{}".format(consts.DOSSIER, source, suffix),
+ )
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ consts.UNEXPECTED_ERROR_MSG.format(error),
+ )
+ )
+ raise InfobloxException()
+
+ def store_data_in_separate_table(self, key, data, source):
+ """Store data in a separate table based on the key, data, and source.
+
+ Args:
+ key (str): The key to identify the data to be stored.
+ data (dict): The data containing information to be stored.
+ source (str): The source of the data.
+
+ Returns:
+ dict: The modified data after storing the information.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ inner_data = data.get("data").get(key)
+ for temp in inner_data:
+ temp["task_id"] = data.get("task_id")
+ if len(inner_data) > 0:
+ self.send_to_sentinel(key, inner_data, source)
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Ingested data = {}, For source = {}".format(key, source),
+ )
+ )
+ del data["data"][key]
+ return data
+ except KeyError as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Key error : Error-{} source = {}".format(error, source),
+ )
+ )
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{} source = {}".format(error, source),
+ )
+ )
+ raise InfobloxException()
+
+ def parse_response_and_ingest_to_sentinel(self, json_response):
+ """Parse the JSON response and ingest the data to Sentinel based on the source.
+
+ Args:
+ self: The object instance.
+ json_response: The JSON response containing the results data.
+
+ Raises:
+ InfobloxException: If an InfobloxException occurs during the process.
+ Exception: If an unexpected error occurs.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ results_data = json_response["results"]
+ for result_data in results_data:
+ source = result_data["params"]["source"]
+ if (source == "atp") and ("threat" in result_data["data"]):
+ result_data = self.store_data_in_separate_table("threat", result_data, source)
+ elif (source == "rpz_feeds") and ("records" in result_data["data"]):
+ result_data = self.store_data_in_separate_table("records", result_data, source)
+ elif (source == "nameserver") and ("matches" in result_data["data"]):
+ result_data = self.store_data_in_separate_table("matches", result_data, source)
+ elif source == "threat_actor":
+ del result_data["data"]["related_indicators"]
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Ingesting data for source = {}".format(source),
+ )
+ )
+ result_data["status_message_for_dossier"] = consts.DOSSIER_STATUS_MESSAGE
+ post_data(json.dumps(result_data, ensure_ascii=False), "{}_{}".format(consts.DOSSIER, source))
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{} source = {}".format(error, source),
+ )
+ )
+ raise InfobloxException()
+
+ def get_job_result_and_ingest_in_sentinel(self, job_id):
+ """Retrieve the job result and ingest it in Sentinel.
+
+ Args:
+ job_id (str): The ID of the job for which the result is to be retrieved.
+
+ Returns:
+ str: A message indicating the success of fetching and ingesting the dossier data.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ url = consts.BASE_URL.format(consts.DOSSIER_ENDPOINTS["Result"]).format(job_id)
+ response_json = self.make_dossier_call(url, method="GET", headers=self.headers)
+ status = response_json.get("status")
+ if status == "success":
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Dossier result fetched successfully",
+ )
+ )
+ self.parse_response_and_ingest_to_sentinel(response_json)
+ return "Fetched and Ingested the dossier data successfully"
+ else:
+ return "Dossier result failed"
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ consts.UNEXPECTED_ERROR_MSG.format(error),
+ )
+ )
+ raise InfobloxException()
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierLookup.zip b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierLookup.zip
new file mode 100644
index 00000000000..18fa2b42a19
Binary files /dev/null and b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierLookup.zip differ
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/__init__.py
new file mode 100644
index 00000000000..0a9427c7a82
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/__init__.py
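Review bot: In `parse_response_and_ingest_to_sentinel`, the generic `except Exception` formats `source`, which is unbound if `json_response["results"]` raises or anything fails before the first iteration assigns it, so the handler itself dies with UnboundLocalError and neither the log line nor the `InfobloxException` is produced; initialise `source = None` before the `try`. `get_size_of_json` returns `sys.getsizeof(json.dumps(...))`, the memory footprint of the Python `str` object (object header included, and dependent on the widest code point for non-ASCII text) rather than the UTF-8 payload an ingestion limit applies to; `len(json.dumps(json_response, ensure_ascii=False).encode("utf-8"))` measures what `send_to_sentinel` actually posts. In `separate_data_into_chunks`, `count_of_data_for_original_index` is 0 when the average record is larger than `consts.SIZE_OF_CHUNK_TO_INGEST`, so `ceil(len(raw_data) / count_of_data_for_original_index)` raises ZeroDivisionError; `max(1, int(...))` keeps the generator working, and because the split is by average size it does not bound any single chunk, which the docstring should say.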
@@ -0,0 +1,104 @@
+"""Init file for Dossier Orchestrator Function."""
+
+import json
+import inspect
+from azure.durable_functions import DurableOrchestrationContext, Orchestrator
+from .create_dossier_job import DossierCreateJob
+from ..SharedCode import consts
+from ..SharedCode.logger import applogger
+from ..SharedCode.infoblox_exception import InfobloxException
+
+
+def orchestrator_function(context: DurableOrchestrationContext):
+ """Entry point of orchestrator function.
+
+ Args:
+ context: DurableOrchestrationContext object containing the orchestration context.
+
+ Returns:
+ A list of results from different functions.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ json_data = context.get_input()
+ target_type = json_data.get("type")
+ target = json_data.get("target")
+
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Type = {}, Target = {}".format(target_type, target),
+ )
+ )
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Calling Activity Function = InfobloxDossierRequiredSource",
+ )
+ )
+ lookup_source_list = yield context.call_activity("InfobloxDossierRequiredSource", json.dumps(json_data))
+
+ lookup_source_list = list(json.loads(lookup_source_list))
+ result_source_list = (
+ "Lookup source list = {}, Type = {}, Target = {}".format(str(lookup_source_list), target_type, target),
+ )
+ result1 = "No need dossier api call, data already available in the system"
+ if len(lookup_source_list) != 0:
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Creating Job and Checking Job Status",
+ )
+ )
+ dossier_job_obj = DossierCreateJob(target_type, target)
+ dossier_job_id = dossier_job_obj.get_dossier_job_id(lookup_source_list)
+ status = dossier_job_obj.check_job_status(dossier_job_id)
+ if status is True:
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Calling Activity Function = InfobloxDossierJobResult",
+ )
+ )
+ result1 = yield context.call_activity("InfobloxDossierJobResult", dossier_job_id)
+ result1 += ", job_id = {}".format(dossier_job_id)
+ applogger.info(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Orchestrator function completed successfully",
+ )
+ )
+ return [result_source_list, result1]
+ except TypeError as type_error:
+ applogger.error(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Type error : Error-{}".format(type_error),
+ )
+ )
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
+
+
+main = Orchestrator.create(orchestrator_function)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/create_dossier_job.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/create_dossier_job.py
new file mode 100644
index 00000000000..b6426257c05
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/create_dossier_job.py
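Review bot: `orchestrator_function` instantiates `DossierCreateJob` and calls `get_dossier_job_id` and `check_job_status` inline, i.e. it issues HTTP requests and `time.sleep` polling from orchestrator code; Durable Functions re-executes an orchestrator from the top after every awaited activity, so when the `InfobloxDossierJobResult` result arrives a fresh Dossier job is created and polled again, with a `dossier_job_id` that differs from the one already in the history. Move job creation and polling into an activity — `dossier_job_id = yield context.call_activity("<CreateJobActivity placeholder>", json.dumps(json_data))` with the wait inside that activity, or a `context.create_timer(...)` loop in the orchestrator — so the orchestrator stays deterministic. The trailing comma in `result_source_list = ("...".format(...), )` makes it a one-element tuple rather than a string, so the returned list serialises as a nested array; drop the comma. The `applogger.info` calls will also fire again on every replay unless guarded with `if not context.is_replaying:`.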
@@ -0,0 +1,130 @@
+"""Create dossier job and check job status."""
+
+import inspect
+import time
+from random import randrange
+from ..SharedCode.infoblox_exception import InfobloxException
+from ..SharedCode import consts
+from ..SharedCode.logger import applogger
+from ..SharedCode.utils import Utils
+
+
+class DossierCreateJob(Utils):
+ """Class for creating dossier job and check job status."""
+
+ def __init__(self, type_of_data, target):
+ """Init class for create dossier job."""
+ super().__init__(consts.DOSSIER_ORCHESTRATOR_FUNCTION_NAME)
+ self.authenticate_infoblox_api()
+ self.check_environment_var_exist(
+ [
+ {"API_Token": consts.API_TOKEN},
+ ]
+ )
+ self.type_of_data = type_of_data
+ self.target = target
+
+ def get_dossier_job_id(self, source_list):
+ """Retrieve the job ID for a dossier creation job.
+
+ Args:
+ source_list (list): A list of data sources for the dossier creation.
+
+ Returns:
+ str: The job ID retrieved from the response JSON.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ url = consts.BASE_URL.format(consts.DOSSIER_ENDPOINTS["Create_Post"])
+ body = {
+ "target": {
+ "one": {
+ "type": self.type_of_data,
+ "target": self.target,
+ "sources": source_list,
+ }
+ }
+ }
+ response_json = self.make_dossier_call(url=url, method="POST", headers=self.headers, body=body)
+ job_id = response_json.get("job_id")
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Job ID: {}".format(job_id),
+ )
+ )
+ return job_id
+ except InfobloxException:
+ raise InfobloxException()
+ except KeyError as key_error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Key error : Error-{}".format(key_error),
+ )
+ )
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
+
+ def check_job_status(self, job_id):
+ """Check the status of a job by polling the Infoblox API.
+
+ Args:
+ job_id (str): The ID of the job to check the status for.
+
+ Returns:
+ bool: True if the job status is successfully retrieved.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ url = consts.BASE_URL.format(consts.DOSSIER_ENDPOINTS["Status"]).format(job_id)
+ status = "pending"
+ secs = 0
+ while status == "pending":
+ response_json = self.make_dossier_call(url, method="GET", headers=self.headers)
+ status = response_json.get("status")
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Job is still pending, time = {} Secs".format(secs),
+ )
+ )
+ sleep_time = randrange(2, 10)
+ secs += sleep_time
+ time.sleep(sleep_time)
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Job status success",
+ )
+ )
+ return True
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/function.json
new file mode 100644
index 00000000000..82fabb9a853
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierOrchestrator/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "context",
+ "type": "orchestrationTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
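Review bot: `check_job_status` returns `True` whenever the polling loop exits, and the loop exits on any status other than `"pending"` — including `"failed"`, an error status, or `None` when the key is absent — so the orchestrator goes on to fetch results for a job that did not succeed; end the method with `return status == "success"` and log the final status value rather than the unconditional "Job status success". The loop also has no upper bound, so a job that stays pending keeps the host sleeping in 2–9 s steps until the function timeout kills it; bound it on `secs` with a constant in `consts` (value to be chosen) and return `False` when it is exceeded. In `__init__`, `self.authenticate_infoblox_api()` runs before `check_environment_var_exist([{"API_Token": consts.API_TOKEN}])`, the reverse of `DossierGetResult.__init__`, so a missing token is reported by the authentication step instead of the configuration check; swap the two calls.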
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/__init__.py
new file mode 100644
index 00000000000..9c63053810c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/__init__.py
@@ -0,0 +1,50 @@
+"""Init file for Dossier Required Source Function."""
+
+import inspect
+import json
+from .list_of_sources import DossierListSources
+from ..SharedCode.infoblox_exception import InfobloxException
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+
+
+def main(name: str) -> str:
+ """Dossier fetch required source main function.
+
+ Args:
+ name (str): The input name to be processed.
+
+ Returns:
+ str: A JSON string representing the lookup source list.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ json_data = json.loads(name)
+ target_type = json_data.get("type")
+ target = json_data.get("target")
+ dossier_job_obj = DossierListSources(target_type, target)
+ lookup_source_list = dossier_job_obj.required_lookup_sources()
+ lookup_source_str = json.dumps(lookup_source_list)
+ return lookup_source_str
+ except KeyError as key_error:
+ applogger.error(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_REQUIRED_SOURCE_FUNCTION_NAME,
+ "Key error : Error-{}".format(key_error),
+ )
+ )
+ raise InfobloxException()
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ consts.LOG_FORMAT.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.DOSSIER_REQUIRED_SOURCE_FUNCTION_NAME,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
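Review bot: `main` forwards `type` and `target` to `DossierListSources` without validating either; `json_data.get(...)` yields `None` for a missing key, so the `except KeyError` branch cannot fire for this input, and an unknown `type` only fails later when `get_logs_data` iterates `consts.SOURCES.get(ioc_type)`. `consts.SOURCES` appears to be keyed by type, so reject bad input here with `if target_type not in consts.SOURCES or not target:` followed by an error log in the same format as the other branches and `raise InfobloxException()`. `json.loads(name)` also decodes a string the orchestrator itself built with `json.dumps`; passing the dict as the activity input would remove the double encoding on both sides.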
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/function.json
new file mode 100644
index 00000000000..97685a81bbc
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/function.json
@@ -0,0 +1,10 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "name",
+ "type": "activityTrigger",
+ "direction": "in"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/list_of_sources.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/list_of_sources.py
new file mode 100644
index 00000000000..0e8694b47ef
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxDossierRequiredSource/list_of_sources.py
@@ -0,0 +1,174 @@
+"""Get required source list from log analytics workspace."""
+
+import inspect
+import datetime
+from ..SharedCode.infoblox_exception import InfobloxException
+from ..SharedCode import consts
+from ..SharedCode.logger import applogger
+from ..SharedCode.utils import Utils
+from azure.monitor.query import LogsQueryClient, LogsQueryStatus
+from azure.identity import ClientSecretCredential
+
+
+class DossierListSources(Utils):
+ """Class for Dossier List Sources."""
+
+ def __init__(self, type_of_data, target):
+ """Init for Dossier List Sources."""
+ super().__init__(consts.DOSSIER_REQUIRED_SOURCE_FUNCTION_NAME)
+ self.check_environment_var_exist(
+ [
+ {"AzureTenantId": consts.AZURE_TENANT_ID},
+ {"AzureClientId": consts.AZURE_CLIENT_ID},
+ {"AzureClientSecret": consts.AZURE_CLIENT_SECRET},
+ {"WorkspaceID": consts.WORKSPACE_ID},
+ {"WorkspaceKey": consts.WORKSPACE_KEY},
+ {"API_Token": consts.API_TOKEN},
+ ]
+ )
+ self.type_of_data = type_of_data
+ self.target = target
+
+ def get_logs_data(self, ioc_type, ioc_val):
+ """Get data from log analytics workspace.
+
+ Returns:
+ list: List containing the table data.
+ """ + __method_name = inspect.currentframe().f_code.co_name + credential = ClientSecretCredential( + client_id=consts.AZURE_CLIENT_ID, + client_secret=consts.AZURE_CLIENT_SECRET, + tenant_id=consts.AZURE_TENANT_ID, + ) + client = LogsQueryClient(credential) + query = """let dummyschema = datatable""" + query += """(TimeGenerated:datetime, params_type_s:string, params_target_s:string, Count:int)[];""" + for val in consts.SOURCES.get(ioc_type): + query += f"""let {val}_count = + union isfuzzy=true + dummyschema, + dossier_{val}_CL + | where TimeGenerated >= ago(24h) + | where params_type_s =="{ioc_type}" and params_target_s =="{ioc_val}" + | count + | project {val}_count = Count + ;\n""" + query += "union " + for val in consts.SOURCES.get(ioc_type): + query += f"""{val}_count, """ + query = query[:-2] + + start_time = datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(days=1) + end_time = datetime.datetime.now(tz=datetime.timezone.utc) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Query to check data in sentinel table = {}".format(query), + ) + ) + try: + response = client.query_workspace( + workspace_id=consts.WORKSPACE_ID, + query=query, + timespan=(start_time, end_time), + ) + if response.status == LogsQueryStatus.SUCCESS: + data = response.tables + else: + data = response.partial_data + applogger.warning(response.partial_error) + column_names = [] + row_values = [] + + column_names = data[0].columns + row_values = data[0].rows + + result = [] + for row in row_values: + row_dict = {} + for i, value in enumerate(row): + if value is not None: + column_name = column_names[i] + row_dict[column_name.removesuffix("_count")] = value + result.append(row_dict) + combined_dict = {} + for d in result: + combined_dict.update(d) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Sources with available data = 
{}".format(combined_dict),
+ )
+ )
+ return combined_dict
+ except IndexError as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Index error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
+ except Exception as error:
+ if "Failed to resolve table or column expression" in str(error):
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "TableName provided is not Created or Data is not Ingested.",
+ )
+ )
+ raise InfobloxException()
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
+
+ def required_lookup_sources(self):
+ """Fetch required lookup source for dossier lookup.
+
+ Returns:
+ list: A list of keys from the response table where the corresponding value is 0.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ try:
+ response_from_table = self.get_logs_data(self.type_of_data, self.target)
+ required_lookup_sources = [key for key, val in response_from_table.items() if val == 0]
+ required_lookup_sources.sort(reverse=True)
+ applogger.info(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Sources for lookup = {}, type = {}, target = {}".format(
+ required_lookup_sources, self.type_of_data, self.target
+ ),
+ )
+ )
+ return required_lookup_sources
+ except InfobloxException:
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ self.log_format.format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ self.azure_function_name,
+ "Unexpected error : Error-{}".format(error),
+ )
+ )
+ raise InfobloxException()
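Review bot: In `get_logs_data`, `ioc_type` and `ioc_val` are interpolated straight into the KQL text (`| where params_type_s =="{ioc_type}" and params_target_s =="{ioc_val}"`), and `ioc_val` is the `target` query parameter received by the HTTP starter; a value containing a double quote changes the query that `LogsQueryClient` runs against the workspace under the `ClientSecretCredential`, and whatever the altered query returns is then logged at info level as "Sources with available data". Validate before building the query: require `ioc_type in consts.SOURCES`, and restrict `ioc_val` to an allow-list of the characters the supported indicator types actually need (e.g. `re.fullmatch(r"[A-Za-z0-9._:/@%?=&-]+", ioc_val)` — an illustrative pattern, needs `import re`), raising `InfobloxException` for anything else; escaping `\` and `"` in the literal is only a secondary safeguard. The `applogger.debug` call that logs the full query also records the looked-up indicator, which is worth remembering when enabling debug logging in production. `str.removesuffix` requires Python 3.9+, which should be reflected in the function app's runtime requirement.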
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage.zip b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage.zip
new file mode 100644
index 00000000000..411a06d9f92
Binary files /dev/null and b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage.zip differ
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/__init__.py
new file mode 100644
index 00000000000..49d1c8664e7
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/__init__.py
@@ -0,0 +1,41 @@
+"""Init file for Infoblox Historical Function App."""
+import datetime
+import logging
+import azure.functions as func
+from .infoblox_to_azure_storage import InfobloxToAzureStorage
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+import time
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Run the main logic of the Function App triggered by a timer."""
+ utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ start = time.time()
+ applogger.info(
+ "{} : {}, Function App started at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.HISTORICAL_I_TO_S_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(start),
+ )
+ )
+ infoblox_to_azure_storage_obj = InfobloxToAzureStorage(str(int(start)))
+ infoblox_to_azure_storage_obj.get_infoblox_data_into_azure_storage()
+ end = time.time()
+
+ applogger.info(
+ "{} : {}, Function App ended at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.HISTORICAL_I_TO_S_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(end),
+ )
+ )
+ applogger.info(
+ "{} : {}, Total time taken = {}".format(
+ consts.LOGS_STARTS_WITH, consts.HISTORICAL_I_TO_S_FUNCTION_NAME, end - start
+ )
+ )
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/function.json
@@ -0,0 +1,12 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%",
+ "useMonitor": true
+ }
+ ]
+}
\ No newline at end of file
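Review bot: `mytimer.past_due` is only checked after `get_infoblox_data_into_azure_storage()` has finished, so the "past due" message is logged long after the condition it describes and not at all if that call raises; move the `if mytimer.past_due:` block ahead of `start = time.time()`. `datetime.datetime.utcnow()` is deprecated from Python 3.12; `utc_timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()` produces the same value, and the two `datetime.datetime.fromtimestamp(start)` / `fromtimestamp(end)` log lines render the host's local time without a zone, so pass `tz=datetime.timezone.utc` there as well for consistency with `utc_timestamp`. `import time` sits after the project imports; group it with the other standard-library imports at the top.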
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/infoblox_to_azure_storage.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/infoblox_to_azure_storage.py
new file mode 100644
index 00000000000..63e5676ceee
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/infoblox_to_azure_storage.py
@@ -0,0 +1,641 @@ +"""Get infoblox data and store it in azure storage with max of 20 MB file.""" + +import inspect +import datetime +import requests +import json +from azure.storage.fileshare import ShareDirectoryClient +from ..SharedCode import consts +from ..SharedCode.infoblox_exception import InfobloxException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data + + +class InfobloxToAzureStorage(Utils): + """Class for storing the data from infoblox to azure storage.""" + + def __init__(self, start_time) -> None: + """Initialize InfobloxToAzureStorage object.""" + super().__init__(consts.HISTORICAL_I_TO_S_FUNCTION_NAME) + self.start_time = start_time + self.ioc_type = consts.TYPE + self.check_environment_var_exist( + [ + {"Api_Token": consts.API_TOKEN}, + {"File_Share_Name": consts.FILE_SHARE_NAME}, + {"File_Name": consts.FILE_NAME}, + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY} + ] + ) + self.authenticate_infoblox_api() + self.parent_file = ShareDirectoryClient.from_connection_string( + conn_str=consts.CONN_STRING, + share_name=consts.FILE_SHARE_NAME_DATA, + directory_path="", + ) + + def get_infoblox_data_into_azure_storage(self) -> None: + """Get infoblox data and send the data to azure storage, initialization method.""" + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_file_name = consts.FILE_NAME + "-" + self.ioc_type + date_state_manager_obj = StateManager(consts.CONN_STRING, checkpoint_file_name, consts.FILE_SHARE_NAME) + self.initiate_and_iterate_through_response_obj(date_state_manager_obj) + + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) 
+ raise InfobloxException() + + def initiate_and_iterate_through_response_obj(self, date_state_manager_obj): + """Initiate and iterate through the response object. + + Fetches checkpoint data, processes dates, and query parameters. + Handles response object iteration and posts data to Azure storage. + + Args: + date_state_manager_obj: State management object. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = self.get_checkpoint_data(date_state_manager_obj, load_flag=True) + to_date = None + if checkpoint_data: + to_date = checkpoint_data.get("from_date", None) + + if not to_date: + to_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3] + data_to_post = {"from_date": to_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + + # *Condition if historical data are fetched successfully till given start time + end_date = consts.HISTORICAL_START_DATE + " 00:00:00.000" + end_date_epoch = self.iso_to_epoch_str(end_date) + to_date_epoch = self.iso_to_epoch_str(to_date) + + if (int(to_date_epoch) - int(end_date_epoch)) < 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Complete Fetching Historical Data till = {}".format(end_date), + ) + ) + return + + from_date = self.add_xh_to_iso_time_string(to_date, consts.HISTORICAL_TIME_INTERVAL) + + base_checkpoint_file_name_for_from_and_to_dates = self.create_checkpoint_file_name_using_dates( + from_date, to_date, self.ioc_type + ) + + self.checkpoint_for_from_and_to_dates = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates, + consts.FILE_SHARE_NAME_DATA, + ) + status_of_last_from_date = self.get_checkpoint_data(self.checkpoint_for_from_and_to_dates) + + if 
status_of_last_from_date: + status_of_last_from_date = int(status_of_last_from_date) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Retry count from last iteration = {}".format(status_of_last_from_date), + ) + ) + list_of_file_with_prefix = self.list_file_names_in_file_share( + self.parent_file, + base_checkpoint_file_name_for_from_and_to_dates, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No. of file = {} with prefix = {}".format( + len(list_of_file_with_prefix), + base_checkpoint_file_name_for_from_and_to_dates, + ), + ) + ) + # ! delete all checkpoints file starting with prefix base_checkpoint_file_name_for_from_and_to_dates + if list_of_file_with_prefix: + self.delete_files_from_azure_storage(list_of_file_with_prefix, self.parent_file) + if status_of_last_from_date > 2: + self.store_failed_range(from_date, to_date) + + to_date = from_date + from_date = self.add_xh_to_iso_time_string(to_date, consts.HISTORICAL_TIME_INTERVAL) + base_checkpoint_file_name_for_from_and_to_dates = self.create_checkpoint_file_name_using_dates( + from_date, to_date, self.ioc_type + ) + data_to_post = {"from_date": to_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + self.checkpoint_for_from_and_to_dates = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates, + consts.FILE_SHARE_NAME_DATA, + ) + status_of_last_from_date = 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "This from_date occur for the first time. 
Storing retry count = 1", + ) + ) + self.post_checkpoint_data( + self.checkpoint_for_from_and_to_dates, + str(status_of_last_from_date), + ) + else: + status_of_last_from_date += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Storing retry count = {}".format(status_of_last_from_date), + ) + ) + self.post_checkpoint_data( + self.checkpoint_for_from_and_to_dates, + str(status_of_last_from_date), + ) + else: + status_of_last_from_date = 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "This from_date occur for the first time. Storing retry count = 1", + ) + ) + self.post_checkpoint_data(self.checkpoint_for_from_and_to_dates, str(status_of_last_from_date)) + + query_params = {"from_date": from_date, "to_date": to_date} + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Query params = {}".format(query_params), + ) + ) + + response_obj = self.initiate_response_obj(query_params, self.ioc_type) + + base_checkpoint_file_name_for_from_and_to_dates += "_" + self.start_time + + self.iterate_through_response_obj(response_obj, base_checkpoint_file_name_for_from_and_to_dates) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "IOCs posted to azure storage from_date = {}, to_date = {}".format(from_date, to_date), + ) + ) + data_to_post = {"from_date": from_date} + self.post_checkpoint_data(date_state_manager_obj, data_to_post, dump_flag=True) + + self.checkpoint_for_from_and_to_dates.delete() + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def initiate_response_obj(self, 
query_params, ioc_type): + """Initiate the response object. + + Create URL based on the endpoint and IOC type, + then sends a request to get the Infoblox stream response object using the given query parameters. + + Args: + query_params: A dictionary containing query parameters. + ioc_type: The type of IOC (Indicator of Compromise). + + Returns: + The response object obtained from Infoblox. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + endpoint = consts.ENDPOINTS["active_threats_by_type"] + url = self.url_builder(endpoint, ioc_type) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Url = {}".format(url), + ) + ) + response_obj = self.get_infoblox_stream_response_obj(url, query_parameters=query_params) + return response_obj + except InfobloxException: + raise InfobloxException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Key error : Error-{}".format(key_error), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def create_checkpoint_file_name_using_dates(self, from_date, to_date, ioc_type): + """Create a checkpoint file name using the specified from_date, to_date, and IOC type. + + Args: + from_date: The starting date for the checkpoint. + to_date: The ending date for the checkpoint. + ioc_type: The type of IOC (Indicator of Compromise). + + Returns: + The generated checkpoint file name. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + from_epoch = self.iso_to_epoch_str(from_date) + to_epoch = self.iso_to_epoch_str(to_date) + + checkpoint_file_name = "infoblox_raw_{}_{}_{}".format(ioc_type, from_epoch, to_epoch) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint file name = {}".format(checkpoint_file_name), + ) + ) + return checkpoint_file_name + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def iterate_through_response_obj(self, response_obj, base_checkpoint_file_name_for_from_and_to_dates): + """Iterate through the response object, processes the data in chunks, and sends it to Azure storage. + + Args: + response_obj: The response object to iterate through. + base_checkpoint_file_name_for_from_and_to_dates: The base name for the checkpoint data file. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_data = None + max_file_size = consts.MAX_FILE_SIZE + max_chunk_size = consts.MAX_CHUNK_SIZE + index = 1 + for chunk in response_obj.iter_content(max_chunk_size): + if chunk is None: + break + chunk_len = len(chunk) + if response_data is None: + response_data = chunk + elif (len(response_data) + chunk_len) > max_file_size: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index = {}, Len = {}, Max File Size = {}".format(index, len(response_data), max_file_size), + ) + ) + self.send_to_azure_storage( + response_data, + base_checkpoint_file_name_for_from_and_to_dates, + index, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index = {}, Sent data, Fetching next chunk".format(index), + ) + ) + index += 1 + response_data = chunk + else: + response_data += chunk + if response_data: + self.send_to_azure_storage( + response_data, + base_checkpoint_file_name_for_from_and_to_dates, + index, + ) + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def send_to_azure_storage(self, response_data, base_checkpoint_file_name_for_from_and_to_dates, index): + """Send response data to Azure storage. + + Args: + response_data: The data to be sent to Azure storage. + base_checkpoint_file_name_for_from_and_to_dates: The base file name for the checkpoint data. + index: The index of the data being sent. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index = {}, Checkpoint File Name = {}, Sending data...".format( + index, + base_checkpoint_file_name_for_from_and_to_dates + "_" + str(index), + ), + ) + ) + checkpoint_obj = StateManager( + consts.CONN_STRING, + base_checkpoint_file_name_for_from_and_to_dates + "_" + str(index), + consts.FILE_SHARE_NAME_DATA, + ) + self.post_checkpoint_data(checkpoint_obj, response_data) + except InfobloxException: + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def get_infoblox_stream_response_obj(self, url, query_parameters=None): + """Return response object to iterate. + + Args: + url: The URL to send the request to + query_parameters: Optional query parameters (default is None) + + Returns: + The response object from the URL request + """ + __method_name = inspect.currentframe().f_code.co_name + try: + max_retries = consts.MAX_RETRIES + for _ in range(max_retries): + response = requests.get(url=url, headers=self.headers, params=query_parameters, stream=True) + if response.status_code == 200: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Got response object, Status Code = {}".format(response.status_code), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Retrying..., Status Code = {}".format(response.status_code), + ) + ) + continue + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + 
self.azure_function_name, + "Rate Limit Exceeded, Retrying..., Status Code = {}".format(response.status_code), + ) + ) + continue + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Provide valid API TOKEN, Status Code = {}".format(response.status_code), + ) + ) + raise InfobloxException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, user does not have access to this API, Status Code = {}".format( + response.status_code + ), + ) + ) + raise InfobloxException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected error, Status Code = {}, Error-{}".format( + response.status_code, response.content + ), + ) + ) + raise InfobloxException() + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries reached", + ) + ) + raise InfobloxException() + except requests.ConnectionError as conn_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Connection error : Error-{}".format(conn_err), + ) + ) + raise InfobloxException() + except requests.HTTPError as http_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "HTTP error : Error-{}".format(http_err), + ) + ) + raise InfobloxException() + except requests.Timeout as timeout_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Timeout error : Error-{}".format(timeout_err), + ) + ) + raise InfobloxException() + except requests.RequestException as request_err: + applogger.error( + self.log_format.format( + 
consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request error : Error-{}".format(request_err), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def url_builder(self, endpoint, path_variable=None): + """Build a URL based on the provided endpoint and optional path variable. + + Args: + endpoint: The base endpoint to build the URL. + path_variable: Optional path variable to append to the endpoint. + + Returns: + The constructed URL. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if path_variable: + url = consts.BASE_URL.format(endpoint.format(path_variable)) + else: + url = consts.BASE_URL.format(endpoint) + url += "?fields={}".format(consts.FIELDS) + if consts.CONFIDENCE_THRESHOLD: + url += "&confidence={}".format(consts.CONFIDENCE_THRESHOLD) + return url + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def store_failed_range(self, from_date, to_date): + """Store range of date which are failed to fetch in table. 
+ + Args: + from_date (str): from date of range + to_date (str): to date of range + """ + __method_name = inspect.currentframe().f_code.co_name + try: + range_to_append = [ + { + "From Date": from_date, + "To Date": to_date, + "Threat Type": self.ioc_type, + } + ] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Ingesting failed range = {}".format(range_to_append), + ) + ) + post_data(json.dumps(range_to_append, ensure_ascii=False), "Failed_Range_To_Ingest") + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/readme.md b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/readme.md new file mode 100644 index 00000000000..2170b3e743f --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxHistoricalToAzureStorage/readme.md @@ -0,0 +1,10 @@ +# TimerTrigger - Python + +The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes. + +## How it works + +For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year". + +## Learn more +This function will fetch historical data from infoblox platform to azure storage 
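Review bot: The `requests.get(url=url, headers=self.headers, params=query_parameters, stream=True)` call in `get_infoblox_stream_response_obj` has no `timeout`, so a stalled Infoblox endpoint holds the function until the host aborts it, and because `initiate_and_iterate_through_response_obj` bumps the per-window retry count before the request is made, a few such stalls push the window over the `> 2` threshold into `store_failed_range` without a single real error. The 500 and 429 branches `continue` immediately, so up to `consts.MAX_RETRIES` requests are fired back-to-back at a server that just asked for a pause, and the streamed response is never closed. Those branches and the 401/403/other-status branches raise `InfobloxException` inside the `try`, yet unlike every other method in this file there is no `except InfobloxException` clause ahead of `except Exception`, so (assuming InfobloxException derives from Exception) those failures are logged a second time as an unexpected error, with `str(err)` likely empty, before being re-raised. The changes below need `import time` and new `consts` values for the timeouts and backoff; the `response.content` dumped in the other-status log is also worth bounding, since it reads the whole body into memory.
```python
    def get_infoblox_stream_response_obj(self, url, query_parameters=None):
        # … unchanged: docstring, __method_name …
        try:
            max_retries = consts.MAX_RETRIES
            for _ in range(max_retries):
                response = requests.get(
                    url=url,
                    headers=self.headers,
                    params=query_parameters,
                    stream=True,
                    timeout=(consts.CONNECT_TIMEOUT_SECONDS, consts.READ_TIMEOUT_SECONDS),
                )
                if response.status_code == 200:
                    # … unchanged: success log and return …
                elif response.status_code == 500:
                    # … unchanged: "Internal Server Error" log …
                    response.close()
                    time.sleep(consts.RETRY_BACKOFF_SECONDS)
                    continue
                elif response.status_code == 429:
                    # … unchanged: "Rate Limit Exceeded" log …
                    response.close()
                    time.sleep(consts.RETRY_BACKOFF_SECONDS)
                    continue
                # … unchanged: 401 / 403 / other-status handling …
            # … unchanged: max-retries log and raise …
        except InfobloxException:
            raise
        # … unchanged: requests.* handlers and generic Exception handler …
```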
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators.zip b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators.zip new file mode 100644 index 00000000000..4a3e0ec88b0 Binary files /dev/null and b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators.zip differ diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/__init__.py new file mode 100644 index 00000000000..f17f16baf21 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/__init__.py @@ -0,0 +1,28 @@ +"""Init File for InfoBloxParseRawIndicators.""" + +import datetime +import logging +import time +import azure.functions as func +from .parse_json_files import ParseJsonFiles +from ..SharedCode import consts +from ..SharedCode.logger import applogger + + +def main(mytimer: func.TimerRequest) -> None: + """Infoblox Parse Json Main Function.""" + utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + start = time.time() + applogger.info( + "{} : Function App started at {}".format(consts.LOGS_STARTS_WITH, datetime.datetime.fromtimestamp(start)) + ) + parse_json_files_obj = ParseJsonFiles(int(start)) + parse_json_files_obj.list_file_names_and_parse_to_complete_json() + end = time.time() + applogger.info( + "{} : Function App ended at {}".format(consts.LOGS_STARTS_WITH, datetime.datetime.fromtimestamp(end)) + ) + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) 
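Review bot: `parse_json_files_obj.list_file_names_and_parse_to_complete_json()` is called with no handler for `InfobloxTimeoutException`, which parse_json_files.py raises from `timeout_check()` as a deliberate stop near the host limit; if that exception propagates out of `list_file_names_and_parse_to_complete_json` (its body is not visible here, so this is inferred), every long run is reported as a failed invocation rather than a planned early exit. Consider `except InfobloxTimeoutException:` around the call with an info-level log, or confirm it is swallowed inside the class. The `utc_timestamp` line uses the deprecated `datetime.datetime.utcnow()`; `datetime.datetime.now(datetime.timezone.utc).isoformat()` is the drop-in replacement, and `datetime.datetime.fromtimestamp(start, datetime.timezone.utc)` would keep the start/end log lines in the same time base.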
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/function.json
@@ -0,0 +1,12 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%",
+ "useMonitor": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/parse_json_files.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/parse_json_files.py
new file mode 100644
index 00000000000..b6e195433fe
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/InfobloxParseRawIndicators/parse_json_files.py
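Review bot: This function.json is byte-identical to the InfobloxHistoricalToAzureStorage one (both hunks carry blob 44f02c1702c), so both timers read the single `%Schedule%` app setting and fire on the same cadence. If the historical pull and the raw-file parser are meant to run at different rates, give this trigger its own setting, e.g. `"schedule": "%ParseSchedule%"`, so one can be tuned without the other. The file also lacks a trailing newline.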
@@ -0,0 +1,472 @@ +"""Parse the Json files and complete the raw json files.""" + +import datetime +import time +import inspect +import json +import re +from azure.storage.fileshare import ShareDirectoryClient +from ..SharedCode.logger import applogger +from ..SharedCode.infoblox_exception import InfobloxException, InfobloxTimeoutException +from ..SharedCode import consts +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils + + +class ParseJsonFiles: + """Parse JSON files class.""" + + def __init__(self, start_time) -> None: + """Init Function.""" + self.starttime = start_time + self.parent_dir = ShareDirectoryClient.from_connection_string( + conn_str=consts.CONN_STRING, + share_name=consts.FILE_SHARE_NAME_DATA, + directory_path="", + ) + self.utils_obj = Utils(consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME) + self.delete_file_count = 0 + + def return_file_names_to_parse(self, files_list: list): + """Return list of file names which are generated 15 mins ago to parse. + + Args: + files_list (list): List of file names in the azure file share. + + Returns: + list: List of file names to parse. + """ + __method_name = inspect.currentframe().f_code.co_name + # take each file name from the list and split the file name using '_' + # Then get the 2nd element from the right and + # if that epoch value is less than current_epoch (1 Hr) then add it to the list return it. 
+ try: + current_epoch = int(datetime.datetime.now(datetime.timezone.utc).timestamp()) + list_of_prefix_file = [] + for file_name in files_list[:]: + file_name_split = file_name.split("_") + file_name_epoch = int(file_name_split[-2]) + if len(file_name_split) < 7: + list_of_prefix_file.append(file_name) + files_list.remove(file_name) + elif (len(file_name_split) == 7) and ( + (file_name_epoch + consts.TIME_BUFFER_RAW_EPOCH_VALUE) >= current_epoch + ): + files_list.remove(file_name) + list_of_prefix_file = tuple(list_of_prefix_file) + for file_name in files_list[:]: + if file_name.startswith(list_of_prefix_file): + files_list.remove(file_name) + + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Files to be parsed = {}, Count = {}".format(files_list, len(files_list)), + ) + ) + return files_list + except (ValueError, TypeError) as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + error, + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Error while getting list of files to be parsed: {}".format(error), + ) + ) + raise InfobloxException() + + def get_checkpoint_data(self, file_name): + """Retrieve the checkpoint data from the state manager object. + + Returns: + Tuple: A tuple containing the file prefix and the index to start. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + state_manager_obj = StateManager(consts.CONN_STRING, file_name, consts.FILE_SHARE_NAME_DATA) + raw_data = state_manager_obj.get() + index_to_start = None + if raw_data: + index_to_start = int(raw_data.split(",")[-1]) + return index_to_start + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Error while getting checkpoint file: {}".format(error), + ) + ) + raise InfobloxException() + + def replace_raw_file_with_completed(self, file_name, data): + """Delete raw file and write data in new checkpoint file. + + Args: + file_name (str): The name of the file. + data (any): The data to be written to the checkpoint file. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + new_file_name = file_name.replace("raw", "completed") + applogger.info( + "{}: (method = {}) : {} : {} has been successfully parsed data storing in new file name = {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + file_name, + new_file_name, + ) + ) + state_manager_obj = StateManager(consts.CONN_STRING, new_file_name, consts.FILE_SHARE_NAME_DATA) + state_manager_obj.post(data) + self.utils_obj.delete_files_from_azure_storage([file_name], self.parent_dir) + self.delete_file_count += 1 + applogger.info( + "{}: (method = {}) : {} : Deleting {} file as data parsing is completed.".format( + consts.LOGS_STARTS_WITH, __method_name, consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, file_name + ) + ) + applogger.info( + "{}: (method = {}) : {} : Total files deleted till now = {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + self.delete_file_count, + ) + ) + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + 
"Error while writing to checkpoint file : {}".format(error), + ) + ) + raise InfobloxException() + + def write_to_checkpoint_file(self, file_name, data_file_name, index): + """Write file_name and index of file to a checkpoint file. + + Args: + file_name (str): The name of the file. + data_file_name (str): The name of the data file. + index (int): The index to start. + + Returns: + None + """ + __method_name = inspect.currentframe().f_code.co_name + try: + state_manager_obj = StateManager(consts.CONN_STRING, file_name, consts.FILE_SHARE_NAME_DATA) + state_manager_obj.post(data_file_name + "," + str(index)) + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Error while writing to checkpoint file : {}".format(error), + ) + ) + raise InfobloxException() + + def create_list_of_file_name_list(self, file_name_list): + """Return a nested list of file name list grouped by prefix. + + Args: + file_name_list (list): List of file names + + Returns: + list: nested list of file names grouped by prefix + """ + __method_name = inspect.currentframe().f_code.co_name + try: + grouped_files = {} + for file_name in file_name_list: + prefix = file_name.rsplit("_", 1)[0] + if prefix in grouped_files: + grouped_files[prefix].append(file_name) + else: + grouped_files[prefix] = [file_name] + grouped_files_list = list(grouped_files.values()) + applogger.debug( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "No. 
of nested file name lists grouped by prefix = {}".format(grouped_files_list), + ) + ) + return grouped_files_list + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Error while getting list of nested file names: {}".format(error), + ) + ) + raise InfobloxException() + + def make_complete_json_file(self, file_data1, file_data2, is_first_chunk): + """Combine and returns a single complete JSON data from 2 partial JSON data. + + Args: + file_data1 (str): Partial JSON data. + file_data2 (str): Partial JSON data. + is_first_chunk (bool): Indicates if the file_data1 contains start of JSON data. + + Returns: + tuple: A tuple containing complete JSON data and the remaining data that is not part of the complete JSON. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + start_index = 0 + original_index = len(file_data1) + end_index = original_index + + chunk = file_data1[start_index:end_index] + if not is_first_chunk: + chunk = "[" + chunk + index = 0 + open_brac_counter = 0 + read_counter = 0 + while True: + try: + char = file_data2[index] + except IndexError: + break + + if char == "{": + if read_counter == 0: + open_brac_counter = -1 + read_counter += 1 + open_brac_counter += 1 + if char == "}": + if read_counter == 0: + read_counter += 1 + open_brac_counter -= 1 + chunk = chunk + file_data2[index] + index += 1 + if open_brac_counter < 0: + try: + chunk = chunk + "]" + json.loads(chunk) + break + except json.JSONDecodeError: + open_brac_counter = 0 + chunk = chunk[:-1] + + index += 1 + return chunk, index + except Exception as err: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "while processing data in split data: Error-{}".format(err), + ) + ) + raise InfobloxException() + + def fetch_first_data(self, json_file, fail_index=None): + """Fetch First Data 
from Azure Storage. + + Args: + json_file (str): Name of the json file + fail_index (int, optional): Index for the file to start. Defaults to None. + + Returns: + dict,bool: The json data from the file and bool for if it is first chunk or not + """ + state_manager_obj_file1 = StateManager( + consts.CONN_STRING, + json_file, + consts.FILE_SHARE_NAME_DATA, + ) + if fail_index: + data1 = state_manager_obj_file1.get() + data1 = data1[fail_index:] + return data1, False + data1 = state_manager_obj_file1.get() + is_first_chunk = True + data1 = data1[consts.JSON_START_INDEX:] + return data1, is_first_chunk + + def timeout_check(self): + """Check if the execution time has passed 9 minutes 30 seconds and raise timeout exception. + + Raises: + InfobloxTimeoutException: Timeout Exception + """ + __method_name = inspect.currentframe().f_code.co_name + if int(time.time()) > self.starttime + consts.FUNCTION_APP_TIMEOUT_SECONDS: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Runtime exceeded to 9 minutes 30 seconds, Stopping Execution.", + ) + ) + raise InfobloxTimeoutException() + + def combine_and_make_complete_json(self, threat_iocs_file, fail_index=None): + """ + Combine and make a complete JSON data from a list of JSON files. + + Args: + threat_iocs_file (list): A list of JSON files to be combined. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + file_prefix = "_".join(threat_iocs_file[0].split("_")[:-1]) + file_prefix = file_prefix.replace("raw", "parse") + if len(threat_iocs_file) > 1: + data1, is_first_chunk = self.fetch_first_data(threat_iocs_file[0], fail_index) + for index, json_file in enumerate(threat_iocs_file): + self.timeout_check() + if index < len(threat_iocs_file) - 1: + state_manager_obj_file2 = StateManager( + consts.CONN_STRING, + threat_iocs_file[index + 1], + consts.FILE_SHARE_NAME_DATA, + ) + data2 = state_manager_obj_file2.get() + json_complete_data, data1_index = self.make_complete_json_file(data1, data2, is_first_chunk) + data1 = data2[data1_index:] + is_first_chunk = False + self.replace_raw_file_with_completed(json_file, json_complete_data) + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Parsed {} file successfully".format(json_file), + ) + ) + self.write_to_checkpoint_file(file_prefix, threat_iocs_file[index + 1], data1_index) + continue + data1 = "[" + data1 + index_of_last = -1 + while data1[index_of_last] != "]": + index_of_last -= 1 + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Parsed {} file successfully".format(json_file), + ) + ) + json_complete_data = data1[: index_of_last + 1] + self.replace_raw_file_with_completed(json_file, json_complete_data) + self.utils_obj.delete_files_from_azure_storage([file_prefix], self.parent_dir) + return None + state_manager_obj = StateManager(consts.CONN_STRING, threat_iocs_file[0], consts.FILE_SHARE_NAME_DATA) + data = state_manager_obj.get() + if fail_index: + data = data[fail_index:] + else: + data = data[consts.JSON_START_INDEX:] + index_of_last = -1 + while data[index_of_last] != "]": + print(data[index_of_last]) + index_of_last -= 1 + data = data[: index_of_last + 1] + 
self.replace_raw_file_with_completed(threat_iocs_file[0], data) + if fail_index: + self.utils_obj.delete_files_from_azure_storage([file_prefix], self.parent_dir) + return None + except InfobloxTimeoutException: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Timeout occurred 9 minutes 30 seconds passed.", + ) + ) + return None + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "While combining and making complete json: Error-{}".format(error), + ) + ) + raise InfobloxException() + + def list_file_names_and_parse_to_complete_json(self): + """Prepare the file names and make complete json.""" + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.debug( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Started", + ) + ) + + list_of_files = self.utils_obj.list_file_names_in_file_share(self.parent_dir, consts.FILE_NAME_PREFIX) + if not list_of_files: + applogger.info( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "No files found in file share.", + ) + ) + return + + def extract_number(s): + match = re.search(r"(\d+)$", s) + return int(match.group(1)) if match else None + + list_of_files = sorted(list_of_files, key=extract_number) + + list_of_files_to_parse = self.return_file_names_to_parse(list_of_files) + + nested_combined_files_list = self.create_list_of_file_name_list(list_of_files_to_parse) + + # Iterate over each sublist and send it to the combine_and_make_complete_json function. 
+ for threat_iocs_file_list in nested_combined_files_list: + if len(threat_iocs_file_list) > 0: + file_prefix = "_".join(threat_iocs_file_list[0].split("_")[:-1]) + file_prefix = file_prefix.replace("raw", "parse") + index = self.get_checkpoint_data(file_prefix) + self.combine_and_make_complete_json(threat_iocs_file_list, index) + + except Exception as error: + applogger.error( + consts.LOG_FORMAT.format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.PARSE_RAW_JSON_DATA_FUNCTION_NAME, + "Unknow error while parsing files: Error-{}".format(error), + ) + ) + raise InfobloxException() diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/Infoblox_API_FunctionApp.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/Infoblox_API_FunctionApp.json new file mode 100644 index 00000000000..273d2373cd5 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/Infoblox_API_FunctionApp.json 
@@ -0,0 +1,452 @@ +{ + "id": "InfobloxDataConnector", + "title": "Infoblox Data Connector via REST API", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Failed Indicator time range received", + "legend": "Failed_Range_To_Ingest", + "baseQuery": "Failed_Range_To_Ingest_CL" + }, + { + "metricName": "Failed Indicators Range data received", + "legend": "Infoblox_Failed_Indicators", + "baseQuery": "Infoblox_Failed_Indicators_CL" + }, + { + "metricName": "Dossier whois source data received", + "legend": "dossier_whois", + "baseQuery": "dossier_whois_CL" + }, + { + "metricName": "Dossier whitelist source data received", + "legend": "dossier_whitelist", + "baseQuery": "dossier_whitelist_CL" + }, + { + "metricName": "Dossier tld risk source data received", + "legend": "dossier_tld_risk", + "baseQuery": "dossier_tld_risk_CL" + }, + { + "metricName": "Dossier threat actor source data received", + "legend": "dossier_threat_actor", + "baseQuery": "dossier_threat_actor_CL" + }, + { + "metricName": "Dossier rpz feeds records source data received", + "legend": "dossier_rpz_feeds_records", + "baseQuery": "dossier_rpz_feeds_records_CL" + }, + { + "metricName": "Dossier rpz feeds source data received", + "legend": "dossier_rpz_feeds", + "baseQuery": "dossier_rpz_feeds_CL" + }, + { + "metricName": "Dossier nameserver matches source data received", + "legend": "dossier_nameserver_matches", + "baseQuery": "dossier_nameserver_matches_CL" + }, + { + "metricName": "Dossier nameserver source data received", + "legend": "dossier_nameserver", + "baseQuery": "dossier_nameserver_CL" + }, + { + "metricName": "Dossier malware analysis v3 source data received", + "legend": 
"dossier_malware_analysis_v3", + "baseQuery": "dossier_malware_analysis_v3_CL" + }, + { + "metricName": "Dossier inforank source data received", + "legend": "dossier_inforank", + "baseQuery": "dossier_inforank_CL" + }, + { + "metricName": "Dossier infoblox web cat source data received", + "legend": "dossier_infoblox_web_cat", + "baseQuery": "dossier_infoblox_web_cat_CL" + }, + { + "metricName": "Dossier geo source data received", + "legend": "dossier_geo", + "baseQuery": "dossier_geo_CL" + }, + { + "metricName": "Dossier dns source data received", + "legend": "dossier_dns", + "baseQuery": "dossier_dns_CL" + }, + { + "metricName": "Dossier atp threat source data received", + "legend": "dossier_atp_threat", + "baseQuery": "dossier_atp_threat_CL" + }, + { + "metricName": "Dossier atp source data received", + "legend": "dossier_atp", + "baseQuery": "dossier_atp_CL" + }, + { + "metricName": "Dossier ptr source data received", + "legend": "dossier_ptr", + "baseQuery": "dossier_ptr_CL" + } + ], + "sampleQueries": [ + { + "description": "Failed Indicator time range received", + "query": "Failed_Range_To_Ingest_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Failed Indicators Range Data", + "query": "Infoblox_Failed_Indicators_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whois data source", + "query": "dossier_whois_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whitelist data source", + "query": "dossier_whitelist_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier tld risk data source", + "query": "dossier_tld_risk_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier threat actor data source", + "query": "dossier_threat_actor_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds records data source", + "query": "dossier_rpz_feeds_records_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds data source", + "query": 
"dossier_rpz_feeds_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier nameserver matches data source", + "query": "dossier_nameserver_matches_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier nameserver data source", + "query": "dossier_nameserver_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier malware analysis v3 data source", + "query": "dossier_malware_analysis_v3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier inforank data source", + "query": "dossier_inforank_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier infoblox web cat data source", + "query": "dossier_infoblox_web_cat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier geo data source", + "query": "dossier_geo_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier dns data source", + "query": "dossier_dns_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp threat data source", + "query": "dossier_atp_threat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp data source", + "query": "dossier_atp_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier ptr data source", + "query": "dossier_ptr_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Failed_Range_To_Ingest_CL", + "lastDataReceivedQuery": "Failed_Range_To_Ingest_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "Infoblox_Failed_Indicators_CL", + "lastDataReceivedQuery": "Infoblox_Failed_Indicators_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whois_CL", + "lastDataReceivedQuery": "dossier_whois_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whitelist_CL", + "lastDataReceivedQuery": "dossier_whitelist_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": 
"dossier_tld_risk_CL", + "lastDataReceivedQuery": "dossier_tld_risk_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_threat_actor_CL", + "lastDataReceivedQuery": "dossier_threat_actor_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_records_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_records_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_matches_CL", + "lastDataReceivedQuery": "dossier_nameserver_matches_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_CL", + "lastDataReceivedQuery": "dossier_nameserver_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_malware_analysis_v3_CL", + "lastDataReceivedQuery": "dossier_malware_analysis_v3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_inforank_CL", + "lastDataReceivedQuery": "dossier_inforank_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_infoblox_web_cat_CL", + "lastDataReceivedQuery": "dossier_infoblox_web_cat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_geo_CL", + "lastDataReceivedQuery": "dossier_geo_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_dns_CL", + "lastDataReceivedQuery": "dossier_dns_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_threat_CL", + "lastDataReceivedQuery": "dossier_atp_threat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_CL", + "lastDataReceivedQuery": 
"dossier_atp_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_ptr_CL", + "lastDataReceivedQuery": "dossier_ptr_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Failed_Range_To_Ingest_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Infoblox_Failed_Indicators_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whois_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whitelist_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_tld_risk_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_threat_actor_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_records_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_nameserver_matches_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + 
"dossier_nameserver_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_malware_analysis_v3_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_inforank_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_infoblox_web_cat_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_geo_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_dns_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_threat_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_ptr_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + 
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Infoblox API Key** is required. See the documentation to learn more about API on the [Rest API reference](https://csp.infoblox.com/apidoc?url=https://csp.infoblox.com/apidoc/docs/Infrastructure#/Services/ServicesRead)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Infoblox API to create Threat Indicators for TIDE and pull Dossier data into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "", + "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "title": "", + "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. 
This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "title": "", + "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "title": "", + "description": "**STEP 4 - Steps to generate the Infoblox API Credentials**\n\n Follow these instructions to generate Infoblox API Key.\n In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." 
+ }, + { + "title": "", + "description": "**STEP 5 - Steps to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Infoblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Infoblox API Authorization Credentials", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Infoblox Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-infoblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tAzure Tenant Id \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tInfoblox API Token \n\t\tInfoblox Base URL \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tConfidence \n\t\tThreat Level \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/__init__.py new file mode 100644 index 00000000000..a16dedab0cc --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/__init__.py 
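Review bot: Instruction steps 1 and 2 tell the reader that the client ID, tenant ID and client secret are "required as configuration parameters for the execution of the TriggersSync playbook", but nothing in this connector references such a playbook and the ARM step collects the same values as Function App parameters (`Azure Tenant Id`, `Azure Client Id`, `Azure Client Secret`), so the sentence reads as copied from another connector; change it to `The client ID and tenant ID are required as configuration parameters for the Infoblox Function App.` and the matching sentence in step 2. Step 3 instructs granting the app registration **Contributor** on the whole resource group; if that identity is only used to call the threat-intelligence upload-indicators endpoint, a workspace-scoped role (Microsoft Sentinel Contributor is, as far as I recall, the documented requirement for that API — confirm against what the solution actually calls) would follow least privilege and is what the step should instruct. The step-5 description also carries a stray `readily available..,`, and the ARM step still ends with `Click **Purchase** to deploy`, which is legacy portal wording.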
@@ -0,0 +1,20 @@
+"""Init file for RetryFailedIndicators function app."""
+import datetime
+import time
+from ..SharedCode.logger import applogger
+import azure.functions as func
+from .retry_failed_indicators import InfobloxRetryFailedIndicators
+
+
+def main(mytimer: func.TimerRequest) -> None:
+    """Driver method for RetryFailedIndicators."""
+    utc_timestamp = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+
+    start = time.time()
+    retry_obj = InfobloxRetryFailedIndicators(int(start))
+    retry_obj.get_failed_indicators_and_retry()
+
+    if mytimer.past_due:
+        applogger.info("The timer is past due!")
+
+    applogger.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/function.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/function.json
@@ -0,0 +1,12 @@
+{
+  "scriptFile": "__init__.py",
+  "bindings": [
+    {
+      "name": "mytimer",
+      "type": "timerTrigger",
+      "direction": "in",
+      "schedule": "%Schedule%",
+      "useMonitor": true
+    }
+  ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/readme.md b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/readme.md
new file mode 100644
index 00000000000..36391e9f17e
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/readme.md
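Review bot: `datetime.datetime.utcnow()` on the `utc_timestamp` line is deprecated as of Python 3.12, and the `.replace(tzinfo=...)` call exists only to patch its naive result; since the module already uses `datetime.timezone.utc`, the direct equivalent is `utc_timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()`. A smaller ordering point: the `past_due` check is logged only after `get_failed_indicators_and_retry()` has finished, so a run that overran its schedule reports it last; moving the check above the work makes the log read chronologically.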
@@ -0,0 +1,10 @@
+# TimerTrigger - Python
+
+The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
+
+## How it works
+
+For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
+
+## Learn more
+This function will retry failed indicator creation and if it still fails than it will store indicators in log analytics workspace
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/retry_failed_indicators.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/retry_failed_indicators.py
new file mode 100644
index 00000000000..d10123b4350
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/RetryFailedIndicators/retry_failed_indicators.py
@@ -0,0 +1,103 @@
+"""Handle retry failed indicators."""
+
+import time
+from ..SharedCode.utils import Utils
+from ..SharedCode import consts
+from ..SharedCode.logger import applogger
+from ..SharedCode.infoblox_exception import InfobloxException
+from ..SharedCode.state_manager import StateManager
+import inspect
+
+
+class InfobloxRetryFailedIndicators(Utils):
+    """Class for retrying failed indicators."""
+
+    def __init__(self, start):
+        """Initialize the CreateThreatIndicator object.
+
+        Args:
+            start(int): The starting time for the retrying failed indicator process.
+        """
+        super().__init__(consts.FAILED_INDICATOR_FUNCTION_NAME)
+        self.check_environment_var_exist(
+            [
+                {"AzureTenantId": consts.AZURE_TENANT_ID},
+                {"AzureClientId": consts.AZURE_CLIENT_ID},
+                {"AzureClientSecret": consts.AZURE_CLIENT_SECRET},
+                {"AzureAuthURL": consts.AZURE_AUTHENTICATION_URL},
+                {"WorkspaceID": consts.WORKSPACE_ID},
+                {"WorkspaceKey": consts.WORKSPACE_KEY},
+                {"ConnectionString": consts.CONN_STRING},
+                {"FILE_SHARE_NAME_DATA": consts.FILE_SHARE_NAME_DATA},
+            ]
+        )
+        self.start = start
+        self.auth_sentinel()
+
+    def get_failed_indicators_and_retry(self):
+        """Get failed indicators data from checkpoint and try creating them again."""
+        __method_name = inspect.currentframe().f_code.co_name
+        try:
+            applogger.info(
+                self.log_format.format(
+                    consts.LOGS_STARTS_WITH,
+                    __method_name,
+                    self.azure_function_name,
+                    "Starting Retrial for Failed Indicators",
+                )
+            )
+            failed_file_list = self.filter_file_list(consts.FAILED_INDICATOR_FILE_PREFIX)
+            if len(failed_file_list) != 0:
+                for file_item in failed_file_list:
+                    if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS:
+                        applogger.info(
+                            self.log_format.format(
+                                consts.LOGS_STARTS_WITH,
+                                __method_name,
+                                self.azure_function_name,
+                                "Infoblox: 9:00 mins executed hence breaking.",
+                            )
+                        )
+                        break
+                    state_file_obj = StateManager(consts.CONN_STRING, file_item, consts.FILE_SHARE_NAME_DATA)
+                    request_body = self.get_checkpoint_data(state_file_obj, load_flag=True)
+                    applogger.info(
+                        self.log_format.format(
+                            consts.LOGS_STARTS_WITH,
+                            __method_name,
+                            self.azure_function_name,
+                            "No. of records in storage file = {}".format(len(request_body)),
+                        )
+                    )
+                    self.upload_indicator(request_body)
+                    state_file_obj.delete()
+                    applogger.info(
+                        self.log_format.format(
+                            consts.LOGS_STARTS_WITH,
+                            __method_name,
+                            self.azure_function_name,
+                            "File name : {} deleted".format(file_item),
+                        )
+                    )
+                return
+            applogger.info(
+                self.log_format.format(
+                    consts.LOGS_STARTS_WITH,
+                    __method_name,
+                    self.azure_function_name,
+                    "No Failed Indicators found",
+                )
+            )
+
+        except InfobloxException:
+            raise InfobloxException()
+        except Exception as error:
+            applogger.error(
+                self.log_format.format(
+                    consts.LOGS_STARTS_WITH,
+                    __method_name,
+                    self.azure_function_name,
+                    "Unexpected error : Error-{}".format(error),
+                )
+            )
+            raise InfobloxException()
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/__init__.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/__init__.py
new file mode 100644
index 00000000000..91361ed4c8b
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/__init__.py
@@ -0,0 +1 @@
+"""This is init file to consider SharedCode as package."""
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/consts.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/consts.py
new file mode 100644
index 00000000000..b5eecad5daf
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/consts.py
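Review bot: `except InfobloxException: raise InfobloxException()` at the end of `get_failed_indicators_and_retry` replaces the exception that was caught with a new, message-less instance, discarding the original error text and traceback from `get_checkpoint_data`/`upload_indicator`; a bare `raise` keeps them (`except InfobloxException:` followed by `    raise`). The `__init__` docstring reads `Initialize the CreateThreatIndicator object.` and should name this class, e.g. `Initialize the InfobloxRetryFailedIndicators object.`. The environment check also lists `{"AzureAuthURL": consts.AZURE_AUTHENTICATION_URL}`, but that constant is a hard-coded literal in consts.py (visible in the consts hunk below), not an environment variable, so the entry can never trip and reads as a leftover. The timeout log message hard-codes `9:00 mins` while the comparison uses `consts.FUNCTION_APP_TIMEOUT_SECONDS`, which the parser hunk earlier in this diff describes as 9 minutes 30 seconds; formatting the message from the constant avoids that drift.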
@@ -0,0 +1,132 @@
+"""Module with constants and configurations for the Infoblox integration."""
+
+import os
+
+# * Dossier consts
+DOSSIER_GET_RESULT_FUNCTION_NAME = "DossierGetResult"
+DOSSIER_REQUIRED_SOURCE_FUNCTION_NAME = "DossierRequiredSource"
+DOSSIER_HTTP_STARTER_FUNCTION_NAME = "HTTPStarterFunction"
+DOSSIER_ORCHESTRATOR_FUNCTION_NAME = "DossierOrchestrator"
+NUMBER_OF_IOCS = int(os.environ.get("Number_Of_Indicators", "100"))
+DOSSIER = "dossier"
+DOSSIER_STATUS_MESSAGE = "Click here to view the data"
+DOSSIER_ENDPOINTS = {
+ "Create_Get": "/tide/api/services/intel/lookup/indicator/{}",
+ "Create_Post": "/tide/api/services/intel/lookup/jobs",
+ "Status": "/tide/api/services/intel/lookup/jobs/{}/pending",
+ "Result": "/tide/api/services/intel/lookup/jobs/{}/results",
+}
+SOURCES = {
+ "ip": [
+ "atp",
+ "geo",
+ "malware_analysis_v3",
+ "ptr",
+ "rpz_feeds",
+ "whitelist",
+ "whois",
+ ],
+ "host": [
+ "atp",
+ "dns",
+ "geo",
+ "infoblox_web_cat",
+ "inforank",
+ "malware_analysis_v3",
+ "nameserver",
+ "rpz_feeds",
+ "threat_actor",
+ "tld_risk",
+ "whitelist",
+ "whois",
+ ],
+ "url": [
+ "atp",
+ "infoblox_web_cat",
+ "malware_analysis_v3",
+ "tld_risk",
+ "whitelist",
+ ],
+ "hash": [
+ "atp",
+ "malware_analysis_v3",
+ ],
+ "email": [
+ "atp",
+ ],
+}
+
+# *Sentinel related constants
+AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "")
+AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "")
+AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "")
+WORKSPACE_KEY = os.environ.get("Workspace_Key", "")
+WORKSPACE_ID = os.environ.get("Workspace_Id", "")
+
+LOG_LEVEL = os.environ.get("LogLevel", "INFO")
+
+# *Sentinel Apis
+AZURE_AUTHENTICATION_URL = "https://login.microsoftonline.com/{}/oauth2/v2.0/token"
+UPLOAD_SENTINEL_INDICATORS_URL = (
+ "https://sentinelus.azure-api.net/{}/threatintelligence:upload-indicators"
+ "?api-version=2022-07-01"
+)
+
+
+# *Infoblox related constants
+API_TOKEN = os.environ.get("API_token", "")
+BASE_URL = os.environ.get("BaseUrl", "") + "{}"
+ENDPOINTS = {
+ "active_threats_by_type": "/tide/api/data/threats/state/{}",
+}
+MAX_FILE_SIZE = 20 * 1024 * 1024
+MAX_CHUNK_SIZE = 1024 * 1024
+
+HISTORICAL_TIME_INTERVAL = int(os.environ.get("HISTORICAL_TIME_INTERVAL", "-3"))
+CURRENT_TIME_INTERVAL = int(os.environ.get("CURRENT_TIME_INTERVAL", "1"))
+HISTORICAL_START_DATE = os.environ.get("Historical_Start_Date", "")
+
+TYPE = os.environ.get("ThreatType", "")
+FIELDS = (
+ "id,type,ip,url,tld,email,hash,hash_type,host,domain,profile,property,class,"
+ "threat_level,confidence,detected,received,imported,expiration,dga,up,"
+ "threat_score,threat_score_rating,confidence_score,confidence_score_rating,"
+ "risk_score,risk_score_rating,extended"
+)
+CONFIDENCE_THRESHOLD = int(os.environ.get("Confidence_Threshold", "80"))
+THREAT_LEVEL = int(os.environ.get("Threat_Level", "80"))
+FILE_NAME_PREFIX_COMPLETED = "infoblox_completed"
+FAILED_INDICATOR_FILE_PREFIX = "infoblox_failed"
+FAILED_INDICATORS_TABLE_NAME = "Infoblox_Failed_Indicators"
+UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}"
+HTTP_ERROR_MSG = "HTTP error : Error-{}"
+DATE_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
+
+# *checkpoint related constants
+CONN_STRING = os.environ.get("Connection_String", "")
+FILE_SHARE_NAME = os.environ.get("File_Share_Name")
+FILE_NAME = os.environ.get("Checkpoint_File_Name", "")
+FILE_SHARE_NAME_DATA = os.environ.get("File_Share_Name_For_Data", "")
+CHUNK_SIZE_INDICATOR = 100
+MAX_RETRIES = 3
+SIZE_OF_CHUNK_TO_INGEST = 20 * 1024 * 1024
+
+# *Extra constants, use for code readability
+LOGS_STARTS_WITH = "Infoblox"
+HISTORICAL_I_TO_S_FUNCTION_NAME = "InfobloxHistoricalToAzureStorage"
+CURRENT_I_TO_S_FUNCTION_NAME = "InfobloxCurrentToAzureStorage"
+INDICATOR_FUNCTION_NAME = "ThreatIndicators"
+FAILED_INDICATOR_FUNCTION_NAME = "FailedThreatIndicators"
+
+# *ParseRawIndicatorsData consts
+PARSE_RAW_JSON_DATA_FUNCTION_NAME = "InfoBloxParseRawJsonData"
+FILE_NAME_PREFIX = "infoblox_raw"
+TIME_BUFFER_RAW_EPOCH_VALUE = 600
+MAX_FILE_AGE_FOR_INDICATORS = 900
+TIMEOUT = 540
+FUNCTION_APP_TIMEOUT_SECONDS = 570
+JSON_START_INDEX = 10
+SLEEP_TIME = 10
+
+# *Log related constants
+LOG_FORMAT = "{}(method = {}) : {} : {}"
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/infoblox_exception.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/infoblox_exception.py
new file mode 100644
index 00000000000..4fd6dc9adef
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/infoblox_exception.py
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Infoblox."""
+
+
+class InfobloxException(Exception):
+ """Exception class to handle Infoblox exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Infoblox exception with custom message."""
+ super().__init__(message)
+
+
+class InfobloxTimeoutException(Exception):
+ """Exception class to handle Infoblox exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Infoblox exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/logger.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/logger.py
new file mode 100644
index 00000000000..3bcac77b9e4
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/logger.py
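Review bot: The `int(os.environ.get(...))` conversions for `NUMBER_OF_IOCS`, `HISTORICAL_TIME_INTERVAL`, `CURRENT_TIME_INTERVAL`, `CONFIDENCE_THRESHOLD` and `THREAT_LEVEL` run at import time, so a non-numeric app setting raises ValueError while the module is being imported, before `check_environment_var_exist` or the logger can say which setting is wrong; keeping the raw strings here and converting them in the validation step, or wrapping each in a small helper that names the setting in the error, would make the failure diagnosable. `FILE_SHARE_NAME = os.environ.get("File_Share_Name")` is the only setting without a `""` default and so is None rather than empty when unset, which is inconsistent with its neighbours. `TIMEOUT = 540` and `FUNCTION_APP_TIMEOUT_SECONDS = 570` are both elapsed-time budgets but carry no comment on how they relate to the function host's timeout or to each other; a one-line comment on each stating what it bounds would help the next maintainer keep them in step.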
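Review bot: Both docstrings in infoblox_exception.py document an `Exception (string)` argument that does not exist — the constructor parameter is `message` — and the `InfobloxTimeoutException` docstring is a verbatim copy of the first class's, so it never says what a timeout exception signals. Suggest `"""Raised for Infoblox connector failures; message is optional."""` on the first class and `"""Raised when an Infoblox operation exceeds its time budget."""` on the second, each with `Args: message (str, optional): text passed to Exception.` in place of the `Exception (string)` entry. Since both `__init__` methods only forward `message` to `Exception.__init__`, they add nothing over the base class and could be dropped.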
@@ -0,0 +1,23 @@
+"""Handle the logger."""
+
+import logging
+import sys
+from . import consts
+
+log_level = consts.LOG_LEVEL
+
+LOG_LEVELS = {
+ "DEBUG": logging.DEBUG,
+ "INFO": logging.INFO,
+ "WARNING": logging.WARNING,
+ "ERROR": logging.ERROR,
+}
+
+try:
+ applogger = logging.getLogger("azure")
+ applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))
+except Exception:
+ applogger.setLevel(logging.INFO)
+finally:
+ handler = logging.StreamHandler(stream=sys.stdout)
+ applogger.addHandler(handler)
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/sentinel.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/sentinel.py
new file mode 100644
index 00000000000..2adabbc0205
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/sentinel.py
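Review bot: The `except Exception:` branch references `applogger`, which is only assigned inside the `try`; if `logging.getLogger` or the level lookup raised, the fallback `applogger.setLevel(logging.INFO)` would itself fail with NameError and so would the `finally` block. Assign the logger before the guarded part: `applogger = logging.getLogger("azure")` / `try: applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))` / `except Exception: applogger.setLevel(logging.INFO)`. Attaching a stdout StreamHandler to the shared `"azure"` logger name also means the level chosen here and the extra handler apply to Azure SDK loggers that live under that namespace (the storage client imported in state_manager.py, for instance), not just to this connector; a dedicated child name such as `"azure.infoblox"` would keep the connector's output and level separate.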
@@ -0,0 +1,103 @@
+"""This file contains methods for creating microsoft indicator and custom log table."""
+
+import base64
+import requests
+import hashlib
+import hmac
+import inspect
+import datetime
+from .logger import applogger
+from .infoblox_exception import InfobloxException
+from ..SharedCode import consts
+
+
+def build_signature(
+ date,
+ content_length,
+ method,
+ content_type,
+ resource,
+):
+ """To build signature which is required in header."""
+ x_headers = "x-ms-date:" + date
+ string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource
+ bytes_to_hash = bytes(string_to_hash, encoding="utf-8")
+ decoded_key = base64.b64decode(consts.WORKSPACE_KEY)
+ encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode()
+ authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash)
+
+ return authorization
+
+
+def post_data(body, log_type):
+ """Build and send a request to the POST API.
+
+ Args:
+ body (str): Data to post into Sentinel log analytics workspace
+ log_type (str): Custom log table name in which data wil be added.
+
+ Returns:
+ status_code: Returns the response status code got while posting data to sentinel.
+ """
+ __method_name = inspect.currentframe().f_code.co_name
+ method = "POST"
+ content_type = "application/json"
+ resource = "/api/logs"
+ rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT")
+ content_length = len(body)
+ try:
+ signature = build_signature(
+ rfc1123date,
+ content_length,
+ method,
+ content_type,
+ resource,
+ )
+ except Exception as err:
+ applogger.error(
+ "{}(method={}) : Error-{}".format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ err,
+ )
+ )
+ raise InfobloxException()
+ uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01"
+
+ headers = {
+ "content-type": content_type,
+ "Authorization": signature,
+ "Log-Type": log_type,
+ "x-ms-date": rfc1123date,
+ }
+ try:
+ response = requests.post(uri, data=body, headers=headers)
+ if response.status_code >= 200 and response.status_code <= 299:
+ applogger.debug(
+ "{}(method={}) : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ response.status_code,
+ )
+ )
+ return response.status_code
+ else:
+ raise InfobloxException()
+ except requests.RequestException as error:
+ applogger.error(
+ "{}(method={}) : Request error : Error-{}".format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ error,
+ )
+ )
+ raise InfobloxException()
+ except Exception as error:
+ applogger.error(
+ "{}(method={}) : Error-{}".format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ error,
+ )
+ )
+ raise InfobloxException()
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/state_manager.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/state_manager.py
new file mode 100644
index 00000000000..548bb757261
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/state_manager.py
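Review bot: In `post_data`, `content_length = len(body)` counts characters when `body` is a str, but requests sends the body UTF-8-encoded; `Utils.handle_failed_indicators` calls this with `json.dumps(..., ensure_ascii=False)`, so any non-ASCII indicator makes the signed Content-Length differ from the bytes on the wire and the request fails authorization. Encode once before signing: `if isinstance(body, str): body = body.encode("utf-8")` and then `content_length = len(body)`. `requests.post(uri, data=body, headers=headers)` carries no `timeout=`, so a stalled connection holds the function until the host kills it; pass an explicit timeout. The non-2xx branch raises a bare `InfobloxException()` which the following `except Exception` logs as `Error-` with an empty message, so the failing status code and response body are never recorded; log `response.status_code` and `response.text` before raising.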
@@ -0,0 +1,67 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(conn_str=connection_string, share_name=share_name)
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/utils.py b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/utils.py
new file mode 100644
index 00000000000..9cf4eafc1dd
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/SharedCode/utils.py
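Review bot: `get` is documented as returning `str`, but its `except ResourceNotFoundError` branch returns None, and callers such as `Utils.get_checkpoint_data` rely on that; the Returns entry should read `str | None: The file contents, or None when the file does not exist.` In `post`, the retry after `create_share` only catches `ResourceExistsError`, so a second `ResourceNotFoundError` from the inner `upload_file` (for instance when `file_path` includes a directory that does not exist) propagates out of `post` unlogged — possibly intended, but worth a one-line comment. `delete` re-raises a fresh `ResourceNotFoundError` with a fixed message and discards the SDK's error details; `except ResourceNotFoundError as err:` / `raise ResourceNotFoundError("File not found to be deleted.") from err` keeps them on the chained exception.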
@@ -0,0 +1,1111 @@ +"""Utils File.""" + +import inspect +import requests +import time +import json +import datetime +import re +from .state_manager import StateManager +from azure.storage.fileshare import ShareDirectoryClient +from azure.core.exceptions import ResourceNotFoundError +from .infoblox_exception import InfobloxException +from .logger import applogger +from . import consts +from .sentinel import post_data +from random import randrange + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises InfobloxException if any required field is missing. + + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables", + ) + ) + missing_required_field = False + for i in environment_var: + key, val = next(iter(i.items())) + if (val is None) or (val == ""): + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed", + ) + ) + raise InfobloxException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete", + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + 
__method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=False): + """Get checkpoint data from a StateManager object. + + It retrieves the checkpoint data and logs it if the load flag is set to True. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is False). + + Returns: + The retrieved checkpoint data. + + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint fetch with json.loads", + ) + ) + return checkpoint_data + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint fetch without json.loads", + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "JSONDecodeError error : Error-{}".format(json_error), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=False): + """Post checkpoint data. + + It posts the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. 
+ dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is False). + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if dump_flag: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting data = {}".format(data), + ) + ) + checkpoint_obj.post(json.dumps(data)) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting data", + ) + ) + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data posted to azure storage", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Type error : Error-{}".format(type_error), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def list_file_names_in_file_share(self, parent_dir: ShareDirectoryClient, file_name_prefix): + """Get list of file names from directory. + + Args: + parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations + on file share. 
+ + Returns: + list: list of files + """ + __method_name = inspect.currentframe().f_code.co_name + try: + files_list = list(parent_dir.list_directories_and_files(file_name_prefix)) + file_names = [] + if (len(files_list)) > 0: + for file in files_list: + file_names.append(file["name"]) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Retrieved files for prefix = {}, Total files = {}".format( + file_name_prefix, + len(file_names), + ), + ) + ) + return file_names + except ResourceNotFoundError: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No storage directory found", + ) + ) + return None + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def delete_files_from_azure_storage(self, files_list, parent_dir: ShareDirectoryClient): + """Delete list of files. + + Args: + files_list (list) : list of files to be deleted + parent_dir (ShareDirectory.from_connection_string): Object of ShareDirectory to perform operations + on file share. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + for file_path in files_list: + parent_dir.delete_file(file_path) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Deleted files = {}".format(len(files_list)), + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def filter_file_list(self, file_prefix): + """ + Filter a list of filenames based on a given file prefix. + + Args: + file_prefix(str): A string representing the prefix of the filenames to filter. 
+ + Returns: + list: A list of filenames that are created before 15 minutes ago. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + parent_file = ShareDirectoryClient.from_connection_string( + conn_str=consts.CONN_STRING, + share_name=consts.FILE_SHARE_NAME_DATA, + directory_path="", + ) + + filenames = self.list_file_names_in_file_share(parent_file, file_prefix) + if filenames is None: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No files found", + ) + ) + return [] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Sort Files by current timestamp", + ) + ) + sorted_filenames = sorted(filenames, key=self.get_timestamp) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Filter files created before 15 mins.", + ) + ) + current_time = int(time.time()) + + filtered_filenames = [ + filename + for filename in sorted_filenames + if ((current_time - self.get_timestamp(filename)) > consts.MAX_FILE_AGE_FOR_INDICATORS) + ] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Filtered File count = {}".format(len(filtered_filenames)), + ) + ) + return filtered_filenames + except InfobloxException: + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def get_timestamp(self, filename): + """Get the timestamp from filename. + + Args: + filename (str): The name of the file. + + Returns: + int: The timestamp of the file. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + return int(filename.split("_")[5]) + except IndexError as index_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Index error : Error-{}".format(index_error), + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def handle_failed_indicators(self, indicator_list, response_json): + """Handle failed indicators by writing them to a new file or ingesting them into a log table. + + Args: + indicator_list (list): List of indicators. + response_json (dict): JSON response including errors. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + record_indexes = [error.get("recordIndex") for error in response_json["errors"]] + failed_indicators = [indicator_list[index] for index in record_indexes] + + # LOGIC TO WRITE FAILED INDICATORS IN NEW FILE + if self.azure_function_name == consts.INDICATOR_FUNCTION_NAME: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Writing Failed Indicators to new file.", + ) + ) + file_timestamp = time.time() + failed_file_name = "infoblox_failed_tide_indicators_file_{}".format(str(int(file_timestamp))) + failed_indicator_file_obj = StateManager( + consts.CONN_STRING, failed_file_name, consts.FILE_SHARE_NAME_DATA + ) + self.post_checkpoint_data(failed_indicator_file_obj, failed_indicators, dump_flag=True) + elif self.azure_function_name == consts.FAILED_INDICATOR_FUNCTION_NAME: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Ingesting Failed Indicators to Log Table.", + ) + ) + post_data( + body=json.dumps(failed_indicators, 
ensure_ascii=False), + log_type=consts.FAILED_INDICATORS_TABLE_NAME, + ) + except KeyError as keyerror: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Key error : Error-{}".format(keyerror), + ) + ) + raise InfobloxException() + except InfobloxException: + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def auth_sentinel(self): + """Authenticate with microsoft sentinel and update header.""" + __method_name = inspect.currentframe().f_code.co_name + try: + for i in range(consts.MAX_RETRIES): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating microsoft sentinel access token.", + ) + ) + azure_auth_url = consts.AZURE_AUTHENTICATION_URL.format(consts.AZURE_TENANT_ID) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Calling auth url = {}".format(azure_auth_url), + ) + ) + body = { + "client_id": consts.AZURE_CLIENT_ID, + "client_secret": consts.AZURE_CLIENT_SECRET, + "grant_type": "client_credentials", + "scope": "https://management.azure.com/.default", + } + try: + response = requests.post(url=azure_auth_url, data=body) + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request error : Error-{} Index = {}".format(error, i), + ) + ) + continue + if response.status_code >= 200 and response.status_code <= 299: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Got response with Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + 
bearer_token = self.get_bearer_token_from_response(response_json) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bearer Token Generated: {}".format(bearer_token), + ) + ) + self.headers = { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(bearer_token), + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "MS authentication complete", + ) + ) + return + elif response.status_code == 400: + response_json = response.json() + error = response_json.get("error", "Bad request") + error_description = response_json.get("error_description", "") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Status Code = {}, Error-{}, Error Description = {}".format( + response.status_code, + error, + error_description, + ), + ) + ) + raise InfobloxException() + elif response.status_code == 401: + response_json = response.json() + error = response_json.get("error", "Unauthorized") + error_description = response_json.get("error_description", "") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Status Code = {}, Error-{}, Error Description = {}".format( + response.status_code, + error, + error_description, + ), + ) + ) + raise InfobloxException() + elif response.status_code == 500: + log_message = "Internal Server Error" + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Status Code = {}, Error-{}".format(response.status_code, log_message), + ) + ) + raise InfobloxException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Status Code = {}, Error-{}".format(response.status_code, response.content), + ) + ) + raise InfobloxException() + 
applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries reached for authentication of sentinel API", + ) + ) + raise InfobloxException() + except InfobloxException: + raise InfobloxException() + except requests.HTTPError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.HTTP_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def get_bearer_token_from_response( + self, + json_response, + ): + """Retrieve the bearer token from the JSON response. + + Args: + self: The object instance. + json_response: The JSON response containing the access token. + + Returns: + string: The bearer token extracted from the JSON response. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + if "access_token" not in json_response: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Access token not found in sentinel api call", + ) + ) + raise InfobloxException() + else: + bearer_token = json_response.get("access_token") + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Microsoft sentinel access token generated successfully.", + ) + ) + return bearer_token + except KeyError as keyerror: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Key error : Error-{}".format(keyerror), + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def send_indicators_to_threat_intelligence(self, indicator_list): + """Create indicators in sentinel workspace thereat intelligence section. + + Return response in json formate if status code is in between [200, 299] + + Args: + url (String): URL of the rest call. + method (String): HTTP method of rest call. Eg. "GET", etc. + headers (Dict, optional): headers. Defaults to None. + params (Dict, optional): parameters. Defaults to None. + payload (Type : As required by the rest call, optional): body. Defaults to None. + + Returns: + response : response of the rest call. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + for i in range(consts.MAX_RETRIES): + upload_indicator_url = consts.UPLOAD_SENTINEL_INDICATORS_URL.format(consts.WORKSPACE_ID) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Calling url: {}".format(upload_indicator_url), + ) + ) + body = { + "sourcesystem": "Infoblox-TIDE-Threats-Custom", + "value": indicator_list, + } + try: + response = requests.post( + url=upload_indicator_url, + headers=self.headers, + data=json.dumps(body, ensure_ascii=False), + ) + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "ConnectionError error : Retry = {} : Error-{}".format(i, error), + ) + ) + time.sleep(randrange(1, 10)) + continue + + if response.status_code >= 200 and response.status_code <= 299: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call Completed, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + return response_json + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}, Generating new access token, Retry = {}".format( + response.status_code, i + ), + ) + ) + self.auth_sentinel() + continue + elif response.status_code == 429: + message = response.json().get("message", "") + match = re.search(r"Try again in (\d+) seconds", message) + seconds = (int(match.group(1)) + 2) if match else consts.SLEEP_TIME + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too many requests, Status code : {}, Retry {}, After {} seconds".format( + response.status_code, i, seconds + ), + ) + ) + time.sleep(seconds) + continue + 
else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error while creating indicators, Status code: {}, Error-{}".format( + response.status_code, response.content + ), + ) + ) + raise InfobloxException() + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries exceeded.", + ) + ) + raise InfobloxException() + except requests.HTTPError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.HTTP_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request error : Error-{}".format(error), + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def upload_indicator( + self, + indicator_list, + ): + """ + Upload indicators to microsoft sentinel. + + Args: + azure_function_name (str): Name of the azure function + indicator_list (list): List of indicators to be uploaded + + Raises: + InfobloxException: If an error occurs while uploading indicators. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Uploading Indicators, Length of records : {}".format(len(indicator_list)), + ) + ) + response_json = self.send_indicators_to_threat_intelligence(indicator_list) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checking for error in response", + ) + ) + if len(response_json.get("errors")) != 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Some indicators are failed to create, No. of failed indicators = {}".format( + len(response_json.get("errors")) + ), + ) + ) + self.handle_failed_indicators(indicator_list, response_json) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No error in Response", + ) + ) + except InfobloxException: + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + + def authenticate_infoblox_api(self): + """Authenticate the Infoblox API.""" + __method_name = inspect.currentframe().f_code.co_name + self.headers.update({"Authorization": "Token {}".format(consts.API_TOKEN)}) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Headers = {}".format(self.headers), + ) + ) + + def add_xh_to_iso_time_string(self, date_time, x): + """Add x hours to a given ISO formatted date and time string. + + Args: + date_time (str): The input date and time string in the format "%Y-%m-%d %H:%M:%S.%f" + x (int): The number of hours to add to the input date and time. 
+ + Returns: + str: The new date and time string after adding x hours in the format "%Y-%m-%d %H:%M:%S.%f". + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Before = {}".format(date_time), + ) + ) + date_time_obj = datetime.datetime.strptime(date_time, consts.DATE_TIME_FORMAT) + date_time_obj = date_time_obj + datetime.timedelta(hours=x) + new_date_time = date_time_obj.strftime(consts.DATE_TIME_FORMAT)[:-3] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "After = {}".format(new_date_time), + ) + ) + return new_date_time + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def iso_to_epoch_str(self, date_time): + """Convert an ISO formatted date and time string to epoch time. + + Args: + date_time (str): The input date and time string in the format "%Y-%m-%d %H:%M:%S.%f" + + Returns: + str: The epoch time as a string. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + date_time_obj = datetime.datetime.strptime(date_time, consts.DATE_TIME_FORMAT) + epoch_time = int(date_time_obj.timestamp()) + return str(epoch_time) + + except (TypeError, ValueError) as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Type/Value error : Error-{}".format(error), + ) + ) + raise InfobloxException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise InfobloxException() + + def make_dossier_call(self, url, method, headers, params=None, body=None): + """Make a dossier call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + headers (dict): The headers to include in the request. + params (dict, optional): The parameters to pass in the call (default is None). + body (dict, optional): The body of the request (default is None). + + Returns: + dict: The JSON response if the call is successful. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + for i in range(consts.MAX_RETRIES): + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Calling url: {}".format(url), + ) + ) + response = requests.request( + method, + url, + headers=headers, + params=params, + json=body, + ) + + if response.status_code >= 200 and response.status_code <= 299: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call Completed, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + return response_json + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format(response.status_code), + ) + ) + raise InfobloxException() + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too many requests, Status code : {}, Retrying... 
{}".format(response.status_code, i), + ) + ) + time.sleep(randrange(1, 10)) + continue + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not found, Status code : {}".format(response.status_code), + ) + ) + raise InfobloxException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error while creating job, Status code: {}, Error-{}".format( + response.status_code, response.content + ), + ) + ) + raise InfobloxException() + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries exceeded.", + ) + ) + raise InfobloxException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Connection error : Error-{}".format(error), + ) + ) + raise InfobloxException() + except requests.HTTPError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.HTTP_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request error : Error-{}".format(error), + ) + ) + raise InfobloxException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise InfobloxException() 
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/azuredeploy_Connector_InfoBloxCloud_AzureFunction.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/azuredeploy_Connector_InfoBloxCloud_AzureFunction.json
new file mode 100644
index 00000000000..3e7a0a0d649
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/azuredeploy_Connector_InfoBloxCloud_AzureFunction.json
@@ -0,0 +1,1124 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "InfobloxBaseURL": {
+ "defaultValue": "https://csp.infoblox.com",
+ "type": "string",
+ "metadata": {
+ "description": "Enter Base URL of Infoblox API. (e.g. https://csp.infoblox.com)"
+ }
+ },
+ "InfobloxAPIToken": {
+ "minLength": 1,
+ "type": "SecureString",
+ "metadata": {
+ "description": "Enter Infoblox API Token for authentication"
+ }
+ },
+ "Confidence": {
+ "type": "int",
+ "defaultValue": 80,
+ "minValue": 0,
+ "maxValue": 100,
+ "metadata": {
+ "description": "Specify the confidence for creating indicators (Indicators will be generated with a confidence greater than or equal to the specified value), By default it is set to 80"
+ }
+ },
+ "ThreatLevel": {
+ "type": "int",
+ "defaultValue": 80,
+ "minValue": 0,
+ "maxValue": 100,
+ "metadata": {
+ "description": "Specify the threat level for creating indicators (Indicators will be generated with a threat level greater than or equal to the specified value), By default it is set to 80"
+ }
+ },
+ "HistoricalDataCutoffDate": {
+ "type": "String",
+ "defaultValue" : "2024-01-01",
+ "metadata": {
+ "description": "Enter the cutoff date until which you want to retrieve historical data, starting from the current date and moving backwards. The date format should be YYYY-MM-DD. This marks the furthest point in the past from which data will be collected"
+ }
+ },
+ "AzureTenantId": {
+ "minLength": 1,
+ "type": "String",
+ "metadata": {
+ "description": "Enter Azure Tenant ID of your Azure Active Directory"
+ }
+ },
+ "AzureClientId": {
+ "minLength": 1,
+ "type": "String",
+ "metadata": {
+ "description": "Enter Azure Client ID that you have created during app registration"
+ }
+ },
+ "AzureClientSecret": {
+ "minLength": 1,
+ "type": "SecureString",
+ "metadata": {
+ "description": "Enter Azure Client Secret that you have created during creating the client secret"
+ }
+ },
+ "WorkspaceID": {
+ "minLength": 1,
+ "type": "String",
+ "metadata": {
+ "description": "Enter Workspace ID of Log Analytics workspace"
+ }
+ },
+ "WorkspaceKey": {
+ "minLength": 1,
+ "type": "SecureString",
+ "metadata": {
+ "description": "Enter Workspace Key of Log Analytics workspace"
+ }
+ },
+ "LogLevel": {
+ "defaultValue": "Info",
+ "allowedValues": [
+ "Debug",
+ "Info",
+ "Error",
+ "Warning"
+ ],
+ "type": "String",
+ "metadata": {
+ "description": "Add log level or log severity value, By default it is set to INFO"
+ }
+ },
+ "AppInsightsWorkspaceResourceID": {
+ "type": "string",
+ "metadata": {
+ "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'"
+ }
+ }
+ },
+ "variables": {
+ "FunctionNameDurable" : "[concat('dossierlook',uniqueString(resourceGroup().id))]",
+ "function_names_Historical": [ "host", "ip", "url", "hash", "email" ],
+ "function_names_Current": [ "host", "ip", "url", "hash", "email" ],
+ "function_names_Json_parse": [ "hist", "curr" ],
+ "function_names_Indicator": [ "hist", "curr" ],
+ "HistCommon_storage": "[concat('Histhost',uniqueString(resourceGroup().id))]",
+ "CurrCommon_storage": "[concat('Currhost',uniqueString(resourceGroup().id))]",
+ "Storage_Strings": [ "[concat('Histhost',uniqueString(resourceGroup().id))]", "[concat('Currhost',uniqueString(resourceGroup().id))]" ],
+ "copy": [
+ {
+ "name": "HistoricalNameArray",
+ "count": "[length(variables('function_names_Historical'))]",
+ "input": {
+ "Historical": "[concat('Hist',variables('function_names_Historical')[copyIndex('HistoricalNameArray', 0)],uniqueString(resourceGroup().id))]"
+ }
+ },
+ {
+ "name": "CurrentNameArray",
+ "count": "[length(variables('function_names_Current'))]",
+ "input": {
+ "Current": "[concat('Curr',variables('function_names_Current')[copyIndex('CurrentNameArray', 0)],uniqueString(resourceGroup().id))]"
+ }
+ },
+ {
+ "name": "JsonParseNameArray",
+ "count": "[length(variables('function_names_Json_parse'))]",
+ "input": {
+ "Json_parse": "[concat('Jparse',variables('function_names_Json_parse')[copyIndex('JsonParseNameArray', 0)],uniqueString(resourceGroup().id))]"
+ }
+ },
+ {
+ "name": "IndicatorNameArray",
+ "count": "[length(variables('function_names_Indicator'))]",
+ "input": {
+ "Indicators": "[concat('ind',variables('function_names_Indicator')[copyIndex('IndicatorNameArray', 0)],uniqueString(resourceGroup().id))]"
+ }
+ }
+ ],
+ "StorageSuffix": "[environment().suffixes.storage]",
+ "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(parameters('WorkspaceID')), '.ods.opinsights'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('HistoricalNameArray')[copyIndex()].Historical]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('HistoricalNameArray')[copyIndex()].Historical]",
+ "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
+ },
+ "copy": {
+ "name": "componentcopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('HistoricalNameArray')[copyIndex()].Historical)]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": [],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ },
+ "copy": {
+ "name": "storageaccountcopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('HistoricalNameArray')[copyIndex()].Historical, '/default')]",
+ "dependsOn": [
+ "storageaccountcopy"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ },
+ "copy": {
+ "name": "blobServicescopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('HistoricalNameArray')[copyIndex()].Historical, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('HistoricalNameArray')[copyIndex()].Historical))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ }
+ },
+ "copy": {
+ "name": "fileServicescopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('HistoricalNameArray')[copyIndex()].Historical]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('HistoricalNameArray')[copyIndex()].Historical))]",
+ "[resourceId('Microsoft.Insights/components', variables('HistoricalNameArray')[copyIndex()].Historical)]"
+ ],
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "name": "[variables('HistoricalNameArray')[copyIndex()].Historical]",
+ "httpsOnly": true,
+ "clientAffinityEnabled": true,
+ "alwaysOn": true,
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "python|3.11"
+ }
+ },
+ "resources": [
+ {
+ "type": "config",
+ "apiVersion": "2018-11-01",
+ "name": "appsettings",
+ "dependsOn": [
+ "[concat('Microsoft.Web/sites/', variables('HistoricalNameArray')[copyIndex()].Historical)]"
+ ],
+ "properties": {
+ "FUNCTIONS_EXTENSION_VERSION": "~4",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('HistoricalNameArray')[copyIndex()].Historical), '2015-05-01').InstrumentationKey]",
+ "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('HistoricalNameArray')[copyIndex()].Historical), '2015-05-01').ConnectionString]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('HistoricalNameArray')[copyIndex()].Historical),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('HistoricalNameArray')[copyIndex()].Historical)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('HistCommon_storage')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('HistCommon_storage'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
+ "API_token": "[parameters('InfobloxAPIToken')]",
+ "BaseUrl": "[parameters('InfobloxBaseURL')]",
+ "Schedule": "0 */15 * * * *",
+ "ThreatType": "[variables('function_names_Historical')[copyIndex('sitescopy')]]",
+ "HISTORICAL_TIME_INTERVAL": "-3",
+ "Historical_Start_Date": "[parameters('HistoricalDataCutoffDate')]",
+ "Workspace_Key": "[parameters('WorkspaceKey')]",
+ "Workspace_Id": "[parameters('WorkspaceID')]",
+ "LogLevel": "[parameters('LogLevel')]",
+ "File_Share_Name": "infoblox-checkpoints",
+ "File_Share_Name_For_Data": "infoblox-data-files",
+ "Checkpoint_File_Name": "infoblox",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-InfobloxHistoricalToAzureStorage-functionapp"
+ }
+ }
+ ],
+ "copy": {
+ "name": "sitescopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('HistoricalNameArray')[copyIndex()].Historical, '/default/azure-webjobs-hosts')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('HistoricalNameArray')[copyIndex()].Historical, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('HistoricalNameArray')[copyIndex()].Historical)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('HistoricalNameArray')[copyIndex()].Historical, '/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('HistoricalNameArray')[copyIndex()].Historical, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('HistoricalNameArray')[copyIndex()].Historical)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('HistoricalNameArray')[copyIndex()].Historical, '/default/', tolower(variables('HistoricalNameArray')[copyIndex()].Historical))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('HistoricalNameArray')[copyIndex()].Historical, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('HistoricalNameArray')[copyIndex()].Historical)]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ },
+ "copy": {
+ "name": "sharescopy",
+ "count": "[length(variables('function_names_Historical'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('CurrentNameArray')[copyIndex()].Current]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('CurrentNameArray')[copyIndex()].Current]",
+ "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
+ },
+ "copy": {
+ "name": "componentcopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('CurrentNameArray')[copyIndex()].Current)]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": [],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ },
+ "copy": {
+ "name": "storageaccountcopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('CurrentNameArray')[copyIndex()].Current, '/default')]",
+ "dependsOn": [
+ "storageaccountcopy"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ },
+ "copy": {
+ "name": "blobServicescopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('CurrentNameArray')[copyIndex()].Current, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('CurrentNameArray')[copyIndex()].Current))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ }
+ },
+ "copy": {
+ "name": "fileServicescopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('CurrentNameArray')[copyIndex()].Current]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('CurrentNameArray')[copyIndex()].Current))]",
+ "[resourceId('Microsoft.Insights/components', variables('CurrentNameArray')[copyIndex()].Current)]"
+ ],
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "name": "[variables('CurrentNameArray')[copyIndex()].Current]",
+ "httpsOnly": true,
+ "clientAffinityEnabled": true,
+ "alwaysOn": true,
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "python|3.11"
+ }
+ },
+ "resources": [
+ {
+ "type": "config",
+ "apiVersion": "2018-11-01",
+ "name": "appsettings",
+ "dependsOn": [
+ "[concat('Microsoft.Web/sites/', variables('CurrentNameArray')[copyIndex()].Current)]"
+ ],
+ "properties": {
+ "FUNCTIONS_EXTENSION_VERSION": "~4",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('CurrentNameArray')[copyIndex()].Current), '2015-05-01').InstrumentationKey]",
+ "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('CurrentNameArray')[copyIndex()].Current), '2015-05-01').ConnectionString]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('CurrentNameArray')[copyIndex()].Current),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('CurrentNameArray')[copyIndex()].Current)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
+ "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('CurrCommon_storage')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('CurrCommon_storage'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "ThreatType": "[variables('function_names_Current')[copyIndex('sitescopy')]]",
+ "API_token": "[parameters('InfobloxAPIToken')]",
+ "BaseUrl": "[parameters('InfobloxBaseURL')]",
+ "Schedule": "0 0 */1 * * *",
+ "CURRENT_TIME_INTERVAL": "1",
+ "Workspace_Key": "[parameters('WorkspaceKey')]",
+ "Workspace_Id": "[parameters('WorkspaceID')]",
+ "LogLevel": "[parameters('LogLevel')]",
+ "File_Share_Name": "infoblox-checkpoint",
+ "File_Share_Name_For_Data": "infoblox-data-files",
+ "Checkpoint_File_Name": "infoblox",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-InfobloxCurrentToAzureStorage-functionapp"
+ }
+ }
+ ],
+ "copy": {
+ "name": "sitescopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('CurrentNameArray')[copyIndex()].Current, '/default/azure-webjobs-hosts')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('CurrentNameArray')[copyIndex()].Current, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('CurrentNameArray')[copyIndex()].Current)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('CurrentNameArray')[copyIndex()].Current, '/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('CurrentNameArray')[copyIndex()].Current, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('CurrentNameArray')[copyIndex()].Current)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('CurrentNameArray')[copyIndex()].Current, '/default/', tolower(variables('CurrentNameArray')[copyIndex()].Current))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('CurrentNameArray')[copyIndex()].Current, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('CurrentNameArray')[copyIndex()].Current)]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ },
+ "copy": {
+ "name": "sharescopy",
+ "count": "[length(variables('function_names_Current'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('JsonParseNameArray')[copyIndex()].Json_parse]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('JsonParseNameArray')[copyIndex()].Json_parse]",
+ "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
+ },
+ "copy": {
+ "name": "componentcopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('JsonParseNameArray')[copyIndex()].Json_parse)]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": [],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ },
+ "copy": {
+ "name": "storageaccountcopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('JsonParseNameArray')[copyIndex()].Json_parse, '/default')]",
+ "dependsOn": [
+ "storageaccountcopy"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ },
+ "copy": {
+ "name": "blobServicescopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('JsonParseNameArray')[copyIndex()].Json_parse, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('JsonParseNameArray')[copyIndex()].Json_parse))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ }
+ },
+ "copy": {
+ "name": "fileServicescopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2018-11-01",
+ "name": "[variables('JsonParseNameArray')[copyIndex()].Json_parse]",
+ "location": "[resourceGroup().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('JsonParseNameArray')[copyIndex()].Json_parse))]",
+ "[resourceId('Microsoft.Insights/components', variables('JsonParseNameArray')[copyIndex()].Json_parse)]"
+ ],
+ "kind": "functionapp,linux",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "name": "[variables('JsonParseNameArray')[copyIndex()].Json_parse]",
+ "httpsOnly": true,
+ "clientAffinityEnabled": true,
+ "alwaysOn": true,
+ "reserved": true,
+ "siteConfig": {
+ "linuxFxVersion": "python|3.11"
+ }
+ },
+ "resources": [
+ {
+ "type": "config",
+ "apiVersion": "2018-11-01",
+ "name": "appsettings",
+ "dependsOn": [
+ "[concat('Microsoft.Web/sites/', variables('JsonParseNameArray')[copyIndex()].Json_parse)]"
+ ],
+ "properties": {
+ "FUNCTIONS_EXTENSION_VERSION": "~4",
+ "FUNCTIONS_WORKER_RUNTIME": "python",
+ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('JsonParseNameArray')[copyIndex()].Json_parse), '2015-05-01').InstrumentationKey]",
+ "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('JsonParseNameArray')[copyIndex()].Json_parse), '2015-05-01').ConnectionString]",
+ "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('JsonParseNameArray')[copyIndex()].Json_parse),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('JsonParseNameArray')[copyIndex()].Json_parse)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('Storage_Strings')[copyIndex('sitescopy')]),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('Storage_Strings')[copyIndex('sitescopy')])), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]",
+ "logAnalyticsUri": "[variables('LogAnaltyicsUri')]",
+ "Schedule": "0 */15 * * * *",
+ "LogLevel": "[parameters('LogLevel')]",
+ "File_Share_Name_For_Data": "infoblox-data-files",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-InfoBloxParseRawIndicators-functionapp"
+ }
+ }
+ ],
+ "copy": {
+ "name": "sitescopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('JsonParseNameArray')[copyIndex()].Json_parse, '/default/azure-webjobs-hosts')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('JsonParseNameArray')[copyIndex()].Json_parse, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('JsonParseNameArray')[copyIndex()].Json_parse)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('JsonParseNameArray')[copyIndex()].Json_parse, '/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('JsonParseNameArray')[copyIndex()].Json_parse, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('JsonParseNameArray')[copyIndex()].Json_parse)]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ },
+ "copy": {
+ "name": "containerscopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('JsonParseNameArray')[copyIndex()].Json_parse, '/default/', tolower(variables('JsonParseNameArray')[copyIndex()].Json_parse))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('JsonParseNameArray')[copyIndex()].Json_parse, 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('JsonParseNameArray')[copyIndex()].Json_parse)]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ },
+ "copy": {
+ "name": "sharescopy",
+ "count": "[length(variables('function_names_Json_parse'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Insights/components",
+ "apiVersion": "2020-02-02",
+ "name": "[variables('IndicatorNameArray')[copyIndex()].Indicators]",
+ "location": "[resourceGroup().location]",
+ "kind": "web",
+ "properties": {
+ "Application_Type": "web",
+ "ApplicationId": "[variables('IndicatorNameArray')[copyIndex()].Indicators]",
+ "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]"
+ },
+ "copy": {
+ "name": "componentcopy",
+ "count": "[length(variables('function_names_Indicator'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2019-06-01",
+ "name": "[tolower(variables('IndicatorNameArray')[copyIndex()].Indicators)]",
+ "location": "[resourceGroup().location]",
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "kind": "StorageV2",
+ "properties": {
+ "networkAcls": {
+ "bypass": "AzureServices",
+ "virtualNetworkRules": [],
+ "ipRules": [],
+ "defaultAction": "Allow"
+ },
+ "supportsHttpsTrafficOnly": true,
+ "encryption": {
+ "services": {
+ "file": {
+ "keyType": "Account",
+ "enabled": true
+ },
+ "blob": {
+ "keyType": "Account",
+ "enabled": true
+ }
+ },
+ "keySource": "Microsoft.Storage"
+ }
+ },
+ "copy": {
+ "name": "storageaccountcopy",
+ "count": "[length(variables('function_names_Indicator'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/blobServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('IndicatorNameArray')[copyIndex()].Indicators, '/default')]",
+ "dependsOn": [
+ "storageaccountcopy"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+ "corsRules": []
+ },
+ "deleteRetentionPolicy": {
+ "enabled": false
+ }
+ },
+ "copy": {
+ "name": "blobServicescopy",
+ "count": "[length(variables('function_names_Indicator'))]"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('IndicatorNameArray')[copyIndex()].Indicators, '/default')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('IndicatorNameArray')[copyIndex()].Indicators))]"
+ ],
+ "sku": {
+ "name": "Standard_LRS",
+ "tier": "Standard"
+ },
+ "properties": {
+ "cors": {
+
"corsRules": [] + } + }, + "copy": { + "name": "fileServicescopy", + "count": "[length(variables('function_names_Indicator'))]" + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('IndicatorNameArray')[copyIndex()].Indicators]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('IndicatorNameArray')[copyIndex()].Indicators))]", + "[resourceId('Microsoft.Insights/components', variables('IndicatorNameArray')[copyIndex()].Indicators)]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('IndicatorNameArray')[copyIndex()].Indicators]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "type": "config", + "apiVersion": "2018-11-01", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('IndicatorNameArray')[copyIndex()].Indicators)]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('IndicatorNameArray')[copyIndex()].Indicators), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('IndicatorNameArray')[copyIndex()].Indicators), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('IndicatorNameArray')[copyIndex()].Indicators),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('IndicatorNameArray')[copyIndex()].Indicators)), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": 
"[variables('LogAnaltyicsUri')]", + "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('Storage_Strings')[copyIndex('sitescopy')]),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('Storage_Strings')[copyIndex('sitescopy')])), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "Azure_Client_Id": "[parameters('AzureClientId')]", + "Azure_Client_Secret": "[parameters('AzureClientSecret')]", + "Azure_Tenant_Id": "[parameters('AzureTenantId')]", + "File_Share_Name_For_Data": "infoblox-data-files", + "Workspace_Key": "[parameters('WorkspaceKey')]", + "Workspace_Id": "[parameters('WorkspaceID')]", + "Schedule": "0 */15 * * * *", + "LogLevel": "[parameters('LogLevel')]", + "Confidence_Threshold": "[parameters('Confidence')]", + "Threat_Level": "[parameters('ThreatLevel')]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-AzureStorageToIndicators-functionapp" + } + } + ], + "copy": { + "name": "sitescopy", + "count": "[length(variables('function_names_Indicator'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('IndicatorNameArray')[copyIndex()].Indicators, '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('IndicatorNameArray')[copyIndex()].Indicators, 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('IndicatorNameArray')[copyIndex()].Indicators)]" + ], + "properties": { + "publicAccess": "None" + }, + "copy": { + "name": "containerscopy", + "count": "[length(variables('function_names_Indicator'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('IndicatorNameArray')[copyIndex()].Indicators, '/default/azure-webjobs-secrets')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('IndicatorNameArray')[copyIndex()].Indicators, 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('IndicatorNameArray')[copyIndex()].Indicators)]" + ], + "properties": { + "publicAccess": "None" + }, + "copy": { + "name": "containerscopy", + "count": "[length(variables('function_names_Indicator'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[concat(variables('IndicatorNameArray')[copyIndex()].Indicators, '/default/', tolower(variables('IndicatorNameArray')[copyIndex()].Indicators))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('IndicatorNameArray')[copyIndex()].Indicators, 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('IndicatorNameArray')[copyIndex()].Indicators)]" + ], + "properties": { + "shareQuota": 5120 + }, + "copy": { + "name": "sharescopy", + "count": "[length(variables('function_names_Indicator'))]" + } + }, + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionNameDurable')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionNameDurable')]", + "WorkspaceResourceId": "[parameters('AppInsightsWorkspaceResourceID')]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionNameDurable'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, 
+ "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionNameDurable'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionNameDurable')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionNameDurable'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionNameDurable')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionNameDurable')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionNameDurable')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionNameDurable'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionNameDurable')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionNameDurable'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": 
"[reference(resourceId('Microsoft.insights/components', variables('FunctionNameDurable')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionNameDurable')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionNameDurable')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionNameDurable'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", + "API_token": "[parameters('InfobloxAPIToken')]", + "BaseUrl": "[parameters('InfobloxBaseURL')]", + "Workspace_Key": "[parameters('WorkspaceKey')]", + "Workspace_Id": "[parameters('WorkspaceID')]", + "Azure_Client_Id": "[parameters('AzureClientId')]", + "Azure_Client_Secret": "[parameters('AzureClientSecret')]", + "Azure_Tenant_Id": "[parameters('AzureTenantId')]", + "LogLevel": "[parameters('LogLevel')]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-InfobloxDossierLookup-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionNameDurable'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionNameDurable'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionNameDurable'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionNameDurable'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionNameDurable'), 'default')]", + 
"[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionNameDurable'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionNameDurable'), '/default/', tolower(variables('FunctionNameDurable')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionNameDurable'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionNameDurable'))]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/host.json b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/host.json
new file mode 100644
index 00000000000..d5c71c7938a
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/host.json
@@ -0,0 +1,29 @@
+{
+ "version": "2.0",
+ "functionTimeout": "00:10:00",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ },
+ "logLevel": {
+ "default": "Trace",
+ "Host.Results": "Trace",
+ "Function": "Trace",
+ "Host.Aggregator": "Trace"
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[4.*, 5.0.0)"
+ },
+ "extensions": {
+ "durableTask": {
+ "storageProvider": {
+ "type": "AzureStorage"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/requirements.txt b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/requirements.txt
new file mode 100644
index 00000000000..b985699f42b
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxCloudDataConnector/requirements.txt
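Review bot: The committed `"logLevel"` block sets `"default"`, `"Host.Results"`, `"Function"` and `"Host.Aggregator"` all to `"Trace"`, the most verbose level, in a function whose app settings (in the preceding template hunk) carry `API_token`, `Azure_Client_Secret` and `Workspace_Key`. Trace-level host and function logging makes it far more likely that request URLs, headers or exception payloads containing those values are written to Application Insights, and it inflates ingestion cost for every deployment. Since the template already passes a `LogLevel` app setting, the checked-in host default should be conservative, e.g. `"default": "Information"` (and the three category overrides dropped), with verbosity raised per deployment rather than in source; the sampling exclusion of `"Request"` does not mitigate this because trace output from the function worker is not request telemetry.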
@@ -0,0 +1,6 @@
+azure-functions
+azure-storage-file-share==12.15.0
+azure-identity
+azure-monitor-query
+requests
+azure-functions-durable
\ No newline at end of file
diff --git a/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_AMA.json b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_AMA.json
new file mode 100644
index 00000000000..d41278c09a4
--- /dev/null
+++ b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_AMA.json
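Review bot: Only `azure-storage-file-share==12.15.0` is pinned; `azure-functions`, `azure-identity`, `azure-monitor-query`, `requests` and `azure-functions-durable` resolve to whatever is newest at build time. For a connector that is shipped as a prebuilt package (the template hunk above points `WEBSITE_RUN_FROM_PACKAGE` at an aka.ms zip) and that handles a workspace shared key, a client secret and an Infoblox API token, unpinned dependencies mean the deployed code is not reproducible and a breaking or compromised upstream release is picked up silently. Pin every line to an exact version, and preferably generate the file from a lock with hashes (for example `pip-compile --generate-hashes`) so the build can install with `--require-hashes` and verify the downloaded artifacts.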
@@ -0,0 +1,163 @@ +{ + "id": "InfobloxSOCInsightsDataConnector_AMA", + "title": "[Recommended] Infoblox SOC Insight Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. \n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector.**", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": "InfobloxCDC_SOCInsights\n| where ThreatLevel == \"High\"" + }, + { + 
"description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "Workspace Keys", + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Parsers", + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution." + }, + { + "title": "SOC Insights", + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights)." 
+ }, + { + "title": "Infoblox Cloud Data Connector", + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "instructions": [ + { + "parameters": { + "title": "Follow the steps below to configure this data connector", + "instructionSteps": [ + { + "title": "A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **Common Event Format (CEF) via AMA** data connector page to configure the CEF collector on the machine." + }, + { + "title": "B. Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent", + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. 
Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate." + }, + { + "title": "C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_API.json b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_API.json new file mode 100644 index 00000000000..0fb69f19964 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_API.json 
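Review bot: The `Workspace Keys` instruction step surfaces the workspace `PrimaryKey` as a `CopyableLabel`, and the `permissions` block requires `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights, yet nothing in steps A–C uses the shared key — the AMA/CEF path is authorised through the DCR, not the key. Displaying a long-lived, hard-to-rotate shared key on the connector page invites copying it into playbooks or scripts; unless the referenced playbooks genuinely need it, drop the `PrimaryKey` label and the `sharedKeys` permission entry and point users at managed identity for the playbooks instead. Two smaller items in step C: `python -version` should be `python --version`, and `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/.../master/... && sudo python Sentinel_AMA_troubleshoot.py --cef` fetches and runs a script from a moving `master` branch as root with no integrity check, so the description should at least tell users to review the script (or reference a commit SHA) before executing it.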
@@ -0,0 +1,133 @@ +{ + "id": "InfobloxSOCInsightsDataConnector_API", + "title": "Infoblox SOC Insight Data Connector via REST API", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxInsight", + "baseQuery": "InfobloxInsight_CL" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxInsight_CL\n| where threatType_s == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxInsight_CL\n| where tClass_s == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return count of critical priority insights", + "query": "InfobloxInsight_CL\n| where priorityText_s == \"CRITICAL\"\n | summarize dcount(insightId_g) by priorityText_s" + }, + { + "description": "Return each spreading insight by ThreatClass", + "query": "InfobloxInsight_CL\n| where isnotempty(spreadingDate_t)\n | summarize dcount(insightId_g) by tClass_s" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxInsight_CL\n| | summarize dcount(insightId_g) by tFamily_s" + } + ], + "dataTypes": [ + { + "name": "InfobloxInsight_CL", + "lastDataReceivedQuery": "InfobloxInsight_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + 
{ + "type": "IsConnectedQuery", + "value": [ + "InfobloxInsight_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Workspace Keys", + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Parsers", + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution." + }, + { + "title": "SOC Insights", + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. 
You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights)." + }, + { + "title": "Follow the steps below to configure this data connector", + "description": "", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Generate an Infoblox API Key and copy it somewhere safe", + "description": "In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." + }, + { + "title": "2. Configure the Infoblox-SOC-Get-Open-Insights-API playbook", + "description": "Create and configure the **Infoblox-SOC-Get-Open-Insights-API** playbook which is deployed with this solution. Enter your Infoblox API key in the appropriate parameter when prompted." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_Legacy.json b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_Legacy.json new file mode 100644 index 00000000000..46a7009a0c6 --- /dev/null +++ b/Solutions/Infoblox/Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_Legacy.json 
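Review bot: The last `sampleQueries` entry, `InfobloxInsight_CL\n| | summarize dcount(insightId_g) by tFamily_s`, contains a doubled pipe and will fail to parse in KQL; it should read `InfobloxInsight_CL\n| summarize dcount(insightId_g) by tFamily_s`. Separately, this connector's only credential is the Infoblox API key that step 2 has the user paste into a playbook parameter, while the `permissions` block still demands `sharedKeys` access and the `Workspace Keys` step displays the primary key; if the playbook writes to the workspace with a managed identity neither is needed, and if it does not, step 2 should say that the API key belongs in a Key Vault reference rather than a plain-text parameter — the page currently leaves both questions open. The `connectivityCriterias` window of `ago(3d)` also differs from the `ago(30d)` used by the AMA variant of the same connector; whichever is intended, the two should agree or the difference should be documented.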
@@ -0,0 +1,174 @@ +{ + "id": "InfobloxSOCInsightsDataConnector_Legacy", + "title": "[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. \n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**Microsoft recommends installation of Infoblox SOC Insight Data Connector via AMA Connector.** The legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and should only be installed where AMA is not supported.\n\n Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost. [More details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID == \"BloxOne-InsightsNotification-Log\"" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == 
\"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": "InfobloxCDC_SOCInsights\n| where ThreatLevel == \"High\"" + }, + { + "description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "InfobloxCDC_SOCInsights\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "InfobloxCDC_SOCInsights\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Workspace Keys", + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Parsers", + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "instructions": [] + }, + { + "title": "SOC Insights", + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights). ", + "instructions": [] + }, + { + "title": "Infoblox Cloud Data Connector", + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. 
See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "instructions": [] + }, + { + "title": "1. Linux Syslog agent configuration", + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + { + "title": "2. 
Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent", + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate." + }, + { + "title": "3. 
Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "4. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} \ No newline at end of file diff --git a/Solutions/Infoblox/Data/Solution_Infoblox.json b/Solutions/Infoblox/Data/Solution_Infoblox.json new file mode 100644 index 00000000000..b5ef2a5b47b --- /dev/null +++ b/Solutions/Infoblox/Data/Solution_Infoblox.json 
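Review bot: Both Python checks in the new instruction text use `python -version`, which CPython does not accept as an option; the version check should read `python --version` (or `python -V`) in step 1.2 and again in step 3. The step 1.2 CopyableLabel substitutes the workspace primary key into a shell command as `{1}`, so the key ends up in the operator's shell history and process list; a short caveat in that description, e.g. `> 3. The command below embeds your workspace primary key; treat the shell history like the key itself and rotate the key if it is exposed.`, would let readers plan for that. The title `"4. Secure your machine "` carries a trailing space.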
@@ -0,0 +1,53 @@
+{
+ "Name": "Infoblox",
+ "Author": "Infoblox",
+ "Logo": "",
+ "Description": "The Infoblox Solution for Microsoft Sentinel is designed to enhance the capabilities of Security Operations Centers (SOC) by integrating actionable intelligence and contextual network data derived from DNS data into Microsoft Sentinel. This integration provides SOC analysts with the tools they need to quickly identify and respond to potential threats such as malware and data exfiltration, improving overall security posture. With seamless configuration and intuitive dashboards, the solution ensures that critical security events are monitored and correlated, offering actionable insights that streamline threat detection and response. \nSOC analysts will benefit from the app’s ability to provide contextual network data, including user and device attribution, through various lookups and visualizations. By leveraging unique DNS-based threat intelligence, audit logs and other data sources, analysts can conduct faster and more effective investigations. The solution’s functionalities, such as SOC Insights Overview and DNS Events, empower analysts to reduce alert fatigue by focusing on correlated events, ultimately leading to improved efficiency and protection against emerging threats.\n\n**Benefits**\n1. **Reduce alert fatigue with actionable insights through SOC Insights**: Focus on the most critical alerts and insights to streamline threat detection and response. \n2. **Faster investigations with contextual network data**: Quickly correlate network activities with potential threats using detailed lookups and visualizations. \n3. **Unique DNS-based Infoblox Threat Intel**: Access unparalleled DNS-based threat intelligence to enhance security decision-making and threat mitigation. ",
+ "Data Connectors": [
+ "Data Connectors/InfobloxCloudDataConnector/Infoblox_API_FunctionApp.json",
+ "Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_AMA.json",
+ "Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_API.json",
+ "Data Connectors/InfobloxSOCInsights/InfobloxSOCInsightsDataConnector_Legacy.json",
+ "Data Connectors/InfobloxCEFDataConnector/template_InfobloxCloudDataConnectorAma.json"
+ ],
+ "Workbooks": [
+ "Workbooks/Infoblox_Lookup_Workbook.json",
+ "Workbooks/Infoblox_Workbook.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/Infoblox-SOCInsight-Detected-APISource.yaml",
+ "Analytic Rules/Infoblox-SOCInsight-Detected-CDCSource.yaml"
+ ],
+ "Parsers": [
+ "Parsers/InfobloxCDC_SOCInsights.yaml",
+ "Parsers/InfobloxInsight.yaml",
+ "Parsers/InfobloxInsightAssets.yaml",
+ "Parsers/InfobloxInsightComments.yaml",
+ "Parsers/InfobloxInsightEvents.yaml",
+ "Parsers/InfobloxInsightIndicators.yaml"
+ ],
+ "Playbooks": [
+ "Playbooks/Infoblox Block Allow IP Domain/azuredeploy.json",
+ "Playbooks/Infoblox Block Allow IP Domain Incident Based/azuredeploy.json",
+ "Playbooks/InfoBlox Config Insight Details/azuredeploy.json",
+ "Playbooks/Infoblox Config Insights/azuredeploy.json",
+ "Playbooks/Infoblox Data Connector Trigger Sync/azuredeploy.json",
+ "Playbooks/Infoblox DHCP Lookup/azuredeploy.json",
+ "Playbooks/Infoblox Get IP Space Data/azuredeploy.json",
+ "Playbooks/Infoblox Get Service Name/azuredeploy.json",
+ "Playbooks/Infoblox IPAM Lookup/azuredeploy.json",
+ "Playbooks/Infoblox SOC Get Insight Details/azuredeploy.json",
+ "Playbooks/Infoblox SOC Get Open Insights API/azuredeploy.json",
+ "Playbooks/Infoblox SOC Import Indicators TI/azuredeploy.json",
+ "Playbooks/Infoblox TIDE Lookup/azuredeploy.json",
+ "Playbooks/Infoblox TIDE Lookup Incident Based/azuredeploy.json",
+ "Playbooks/Infoblox TIDE Lookup Incident Comment Based/azuredeploy.json",
+ "Playbooks/Infoblox TimeRangeBased DHCP Lookup/azuredeploy.json",
+ "Playbooks/Infoblox Get Host Name/azuredeploy.json"
+ ],
+ "BasePath": "C:\\Azure-Sentinel\\Solutions\\Infoblox",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Infoblox/Package/3.0.0.zip b/Solutions/Infoblox/Package/3.0.0.zip
new file mode 100644
index 00000000000..70b9bcfd8fa
Binary files /dev/null and b/Solutions/Infoblox/Package/3.0.0.zip differ
diff --git a/Solutions/Infoblox/Package/createUiDefinition.json b/Solutions/Infoblox/Package/createUiDefinition.json
new file mode 100644
index 00000000000..9bf1af7aeaf
--- /dev/null
+++ b/Solutions/Infoblox/Package/createUiDefinition.json
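Review bot: The playbook entry `Playbooks/InfoBlox Config Insight Details/azuredeploy.json` is spelled with a capital B while every other entry uses `Infoblox`; if the directory on disk is spelled `Infoblox …`, the packaging step will not find it on a case-sensitive filesystem such as a Linux CI runner, so the entry or the folder name should be aligned. `BasePath` is a machine-local Windows path, which appears to be the convention for these manifests, but anyone regenerating the package on another machine has to change it. `"Logo": ""` is empty; if a logo is intended for the content hub listing it has to be filled in here.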
@@ -0,0 +1,260 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Infoblox/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Infoblox Solution for Microsoft Sentinel is designed to enhance the capabilities of Security Operations Centers (SOC) by integrating actionable intelligence and contextual network data derived from DNS data into Microsoft Sentinel. This integration provides SOC analysts with the tools they need to quickly identify and respond to potential threats such as malware and data exfiltration, improving overall security posture. With seamless configuration and intuitive dashboards, the solution ensures that critical security events are monitored and correlated, offering actionable insights that streamline threat detection and response. \nSOC analysts will benefit from the app’s ability to provide contextual network data, including user and device attribution, through various lookups and visualizations. By leveraging unique DNS-based threat intelligence, audit logs and other data sources, analysts can conduct faster and more effective investigations. The solution’s functionalities, such as SOC Insights Overview and DNS Events, empower analysts to reduce alert fatigue by focusing on correlated events, ultimately leading to improved efficiency and protection against emerging threats.\n\n**Benefits**\n1. 
**Reduce alert fatigue with actionable insights through SOC Insights**: Focus on the most critical alerts and insights to streamline threat detection and response. \n2. **Faster investigations with contextual network data**: Quickly correlate network activities with potential threats using detailed lookups and visualizations. \n3. **Unique DNS-based Infoblox Threat Intel**: Access unparalleled DNS-based threat intelligence to enhance security decision-making and threat mitigation. \n\n**Data Connectors:** 5, **Parsers:** 6, **Workbooks:** 2, **Analytic Rules:** 2, **Playbooks:** 17\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, 
'\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Infoblox. You can get Infoblox custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Infoblox. You can get Infoblox CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Infoblox. You can get Infoblox custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Infoblox. You can get Infoblox CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Infoblox. You can get Infoblox CommonSecurityLog data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Infoblox Lookup Workbook", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Infoblox Lookup Workbook provides comprehensive insights through lookups on various data types including IP, Host, URL, Hash, and Email.\nThe workbook features distinct tabs for targeted lookups. 
\nThe 'TIDE' tab delivers insights from Infoblox TIDE data, while the 'Dossier' tab aggregates information from a range of other third party sources. \nTo obtain detailed insights, enter the relevant data into the specified fields within each tab. \nThis allows users to efficiently gather and analyze critical information." + } + } + ] + }, + { + "name": "workbook2", + "type": "Microsoft.Common.Section", + "label": "Infoblox Workbook", + "elements": [ + { + "name": "workbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Infoblox Workbook is a detailed analytical tool comprising six tabs: SOC Insights, Config Insights, Blocked DNS, DNS, DHCP, Service Log, Audit and Threat Intelligence. \nIt fetches data from Common Event Format (CEF) logs to provide standardized and comprehensive insights into network security and operations. \nEach tab focuses on specific areas such as overall security metrics, blocked DNS requests, DNS activities, DHCP allocations, various service logs, and a combination of audit records with threat intelligence. \nThis workbook enables efficient monitoring and proactive management of network security and performance." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Infoblox - SOC Insight Detected - API Source", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Infoblox SOC Insight detected in logs sourced via REST API. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxInsight.yaml)." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Infoblox - SOC Insight Detected - CDC Source", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Infoblox SOC Insight detected in logs sourced via Infoblox CDC. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml)." + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. 
They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Infoblox/Package/mainTemplate.json b/Solutions/Infoblox/Package/mainTemplate.json new file mode 100644 index 00000000000..de18fce2b04 --- /dev/null +++ b/Solutions/Infoblox/Package/mainTemplate.json 
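Review bot: The five `dataconnectorsN-text` blocks are near word-for-word copies that never name which of the five connectors each describes, so the installer shows the same sentence five times and the reader cannot tell the AMA, API, Legacy, Function App and CEF connectors apart; each `text` should name its connector, e.g. `This Solution installs the Infoblox SOC Insights data connector via AMA. …`. The `workbook2-text` block says the workbook comprises six tabs but then lists eight names, so the count or the list should be corrected in the workbook metadata this file is presumably generated from. The `workspace` dropdown and the `workspace-location` output filter with `contains(toLower(filter.id), toLower(resourceGroup().name))`, a substring match that also lists workspaces from any resource group whose name contains the selected one; this is shared scaffolding, but worth knowing when the list looks too long.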
@@ -0,0 +1,18640 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Infoblox", + "comments": "Solution template for Infoblox" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Infoblox Lookup Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook2-name": { + "type": "string", + "defaultValue": "Infoblox Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "_solutionName": "Infoblox", + "_solutionVersion": "3.0.0", + "solutionId": "infoblox.infoblox-sentinel", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "InfobloxDataConnector", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "InfobloxDataConnector", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "InfobloxSOCInsightsDataConnector_AMA", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "InfobloxSOCInsightsDataConnector_AMA", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "uiConfigId3": "InfobloxSOCInsightsDataConnector_API", + "_uiConfigId3": "[variables('uiConfigId3')]", + "dataConnectorContentId3": "InfobloxSOCInsightsDataConnector_API", + "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", + "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "_dataConnectorId3": "[variables('dataConnectorId3')]", + "dataConnectorTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", + "dataConnectorVersion3": "1.0.0", + "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", + "uiConfigId4": "InfobloxSOCInsightsDataConnector_Legacy", + "_uiConfigId4": "[variables('uiConfigId4')]", + "dataConnectorContentId4": "InfobloxSOCInsightsDataConnector_Legacy", + "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]", + "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "_dataConnectorId4": "[variables('dataConnectorId4')]", + "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", + "dataConnectorVersion4": "1.0.0", + "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", + "uiConfigId5": "InfobloxCloudDataConnectorAma", + "_uiConfigId5": "[variables('uiConfigId5')]", + "dataConnectorContentId5": "InfobloxCloudDataConnectorAma", + "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]", + "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "_dataConnectorId5": "[variables('dataConnectorId5')]", + "dataConnectorTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", + "dataConnectorVersion5": "1.0.0", + "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", + "workbookVersion1": "1.0", + "workbookContentId1": "InfobloxLookupWorkbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "workbookVersion2": "1.0", + "workbookContentId2": "InfobloxWorkbook", + "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", + "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "a5e2df87-f0c9-4540-8715-96e71b608986", + "analyticRuleId1": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a5e2df87-f0c9-4540-8715-96e71b608986')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a5e2df87-f0c9-4540-8715-96e71b608986')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a5e2df87-f0c9-4540-8715-96e71b608986','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "d04f1963-df27-4127-b1ec-3d37148d65be", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd04f1963-df27-4127-b1ec-3d37148d65be')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d04f1963-df27-4127-b1ec-3d37148d65be')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d04f1963-df27-4127-b1ec-3d37148d65be','-', '1.0.0')))]" + }, + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','InfobloxCDC_SOCInsights')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxCDC_SOCInsights')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxCDC_SOCInsights-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "InfobloxCDC_SOCInsights-Parser" + }, + "parserObject2": { + "_parserName2": "[concat(parameters('workspace'),'/','InfobloxInsight')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsight')]", + "parserTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxInsight-Parser')))]", + "parserVersion2": "1.0.0", + "parserContentId2": "InfobloxInsight-Parser" + }, + "parserObject3": { + "_parserName3": "[concat(parameters('workspace'),'/','InfobloxInsightAssets')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightAssets')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxInsightAssets-Parser')))]", + "parserVersion3": "1.0.0", + "parserContentId3": "InfobloxInsightAssets-Parser" + }, + "parserObject4": { + "_parserName4": "[concat(parameters('workspace'),'/','InfobloxInsightComments')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightComments')]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxInsightComments-Parser')))]", + "parserVersion4": "1.0.0", + "parserContentId4": "InfobloxInsightComments-Parser" + }, + "parserObject5": { + "_parserName5": "[concat(parameters('workspace'),'/','InfobloxInsightEvents')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightEvents')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxInsightEvents-Parser')))]", + "parserVersion5": "1.0.0", + "parserContentId5": "InfobloxInsightEvents-Parser" + }, + "parserObject6": { + "_parserName6": "[concat(parameters('workspace'),'/','InfobloxInsightIndicators')]", + "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 
'InfobloxInsightIndicators')]", + "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('InfobloxInsightIndicators-Parser')))]", + "parserVersion6": "1.0.0", + "parserContentId6": "InfobloxInsightIndicators-Parser" + }, + "Infoblox Block Allow IP Domain": "Infoblox Block Allow IP Domain", + "_Infoblox Block Allow IP Domain": "[variables('Infoblox Block Allow IP Domain')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Infoblox Block Allow IP Domain", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "blanks": "[replace('b', 'b', '')]", + "Infoblox Block Allow IP Domain Incident Based": "Infoblox Block Allow IP Domain Incident Based", + "_Infoblox Block Allow IP Domain Incident Based": "[variables('Infoblox Block Allow IP Domain Incident Based')]", + "playbookVersion2": "1.0", + "playbookContentId2": "Infoblox Block Allow IP Domain Incident Based", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "InfoBlox Config Insight Details": "InfoBlox Config Insight Details", + "_InfoBlox Config Insight Details": "[variables('InfoBlox Config Insight Details')]", + "playbookVersion3": "1.0", + "playbookContentId3": "InfoBlox Config Insight Details", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "Infoblox Config Insights": "Infoblox Config Insights", + "_Infoblox Config Insights": "[variables('Infoblox Config Insights')]", + "playbookVersion4": "1.0", + "playbookContentId4": "Infoblox Config Insights", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "Infoblox Data Connector Trigger Sync": "Infoblox Data Connector Trigger Sync", + "_Infoblox Data Connector Trigger Sync": "[variables('Infoblox Data Connector Trigger Sync')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion5": "1.0", + 
"playbookContentId5": "Infoblox Data Connector Trigger Sync", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "Infoblox DHCP Lookup": "Infoblox DHCP Lookup", + "_Infoblox DHCP Lookup": "[variables('Infoblox DHCP Lookup')]", + "playbookVersion6": "1.0", + "playbookContentId6": "Infoblox DHCP Lookup", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "Infoblox Get IP Space Data": "Infoblox Get IP Space Data", + "_Infoblox Get IP Space Data": "[variables('Infoblox Get IP Space Data')]", + "playbookVersion7": "1.0", + "playbookContentId7": "Infoblox Get IP Space Data", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "Infoblox Get Service Name": "Infoblox Get Service Name", + "_Infoblox Get Service Name": "[variables('Infoblox Get Service Name')]", + "playbookVersion8": "1.0", + "playbookContentId8": "Infoblox Get Service Name", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "Infoblox IPAM Lookup": "Infoblox IPAM Lookup", + "_Infoblox IPAM Lookup": "[variables('Infoblox IPAM Lookup')]", + "playbookVersion9": "1.0", + "playbookContentId9": "Infoblox IPAM Lookup", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "Infoblox SOC Get Insight Details": "Infoblox SOC Get Insight Details", + "_Infoblox SOC Get Insight Details": "[variables('Infoblox SOC Get Insight Details')]", + "playbookVersion10": "1.0", + "playbookContentId10": "Infoblox SOC Get Insight Details", 
+ "_playbookContentId10": "[variables('playbookContentId10')]", + "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", + "Infoblox SOC Get Open Insights API": "Infoblox SOC Get Open Insights API", + "_Infoblox SOC Get Open Insights API": "[variables('Infoblox SOC Get Open Insights API')]", + "playbookVersion11": "1.0", + "playbookContentId11": "Infoblox SOC Get Open Insights API", + "_playbookContentId11": "[variables('playbookContentId11')]", + "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", + "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", + "Infoblox SOC Import Indicators TI": "Infoblox SOC Import Indicators TI", + "_Infoblox SOC Import Indicators TI": "[variables('Infoblox SOC Import Indicators TI')]", + "playbookVersion12": "1.0", + "playbookContentId12": "Infoblox SOC Import Indicators TI", + "_playbookContentId12": "[variables('playbookContentId12')]", + "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", + "playbookTemplateSpecName12": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", + "_playbookcontentProductId12": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", + "Infoblox TIDE Lookup": "Infoblox TIDE Lookup", + "_Infoblox TIDE Lookup": "[variables('Infoblox TIDE Lookup')]", + "playbookVersion13": "1.0", + "playbookContentId13": "Infoblox TIDE Lookup", + "_playbookContentId13": "[variables('playbookContentId13')]", + "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", + "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", + "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", + "Infoblox TIDE Lookup Incident Based": "Infoblox TIDE Lookup Incident Based", + "_Infoblox TIDE Lookup Incident Based": "[variables('Infoblox TIDE Lookup Incident Based')]", + "playbookVersion14": "1.0", + "playbookContentId14": "Infoblox TIDE Lookup Incident Based", + "_playbookContentId14": "[variables('playbookContentId14')]", + "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', 
variables('playbookVersion14'))))]", + "Infoblox TIDE Lookup Incident Comment Based": "Infoblox TIDE Lookup Incident Comment Based", + "_Infoblox TIDE Lookup Incident Comment Based": "[variables('Infoblox TIDE Lookup Incident Comment Based')]", + "playbookVersion15": "1.0", + "playbookContentId15": "Infoblox TIDE Lookup Incident Comment Based", + "_playbookContentId15": "[variables('playbookContentId15')]", + "playbookId15": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId15'))]", + "playbookTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15'))))]", + "_playbookcontentProductId15": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId15'),'-', variables('playbookVersion15'))))]", + "Infoblox TimeRangeBased DHCP Lookup": "Infoblox TimeRangeBased DHCP Lookup", + "_Infoblox TimeRangeBased DHCP Lookup": "[variables('Infoblox TimeRangeBased DHCP Lookup')]", + "playbookVersion16": "1.0", + "playbookContentId16": "Infoblox TimeRangeBased DHCP Lookup", + "_playbookContentId16": "[variables('playbookContentId16')]", + "playbookId16": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId16'))]", + "playbookTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId16'))))]", + "_playbookcontentProductId16": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId16'),'-', variables('playbookVersion16'))))]", + "Infoblox Get Host Name": "Infoblox Get Host Name", + "_Infoblox Get Host Name": "[variables('Infoblox Get Host Name')]", + "playbookVersion17": "1.0", + "playbookContentId17": "Infoblox Get Host Name", + 
"_playbookContentId17": "[variables('playbookContentId17')]", + "playbookId17": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId17'))]", + "playbookTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId17'))))]", + "_playbookcontentProductId17": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId17'),'-', variables('playbookVersion17'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Infoblox Data 
Connector via REST API (using Azure Functions)", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Failed Indicator time range received", + "legend": "Failed_Range_To_Ingest", + "baseQuery": "Failed_Range_To_Ingest_CL" + }, + { + "metricName": "Failed Indicators Range data received", + "legend": "Infoblox_Failed_Indicators", + "baseQuery": "Infoblox_Failed_Indicators_CL" + }, + { + "metricName": "Dossier whois source data received", + "legend": "dossier_whois", + "baseQuery": "dossier_whois_CL" + }, + { + "metricName": "Dossier whitelist source data received", + "legend": "dossier_whitelist", + "baseQuery": "dossier_whitelist_CL" + }, + { + "metricName": "Dossier tld risk source data received", + "legend": "dossier_tld_risk", + "baseQuery": "dossier_tld_risk_CL" + }, + { + "metricName": "Dossier threat actor source data received", + "legend": "dossier_threat_actor", + "baseQuery": "dossier_threat_actor_CL" + }, + { + "metricName": "Dossier rpz feeds records source data received", + "legend": "dossier_rpz_feeds_records", + "baseQuery": "dossier_rpz_feeds_records_CL" + }, + { + "metricName": "Dossier rpz feeds source data received", + "legend": "dossier_rpz_feeds", + "baseQuery": "dossier_rpz_feeds_CL" + }, + { + "metricName": "Dossier nameserver matches source data received", + "legend": "dossier_nameserver_matches", + "baseQuery": "dossier_nameserver_matches_CL" + }, + { + "metricName": "Dossier nameserver source data received", + "legend": "dossier_nameserver", + "baseQuery": "dossier_nameserver_CL" + }, + { + "metricName": "Dossier malware analysis v3 source data received", + "legend": "dossier_malware_analysis_v3", + "baseQuery": 
"dossier_malware_analysis_v3_CL" + }, + { + "metricName": "Dossier inforank source data received", + "legend": "dossier_inforank", + "baseQuery": "dossier_inforank_CL" + }, + { + "metricName": "Dossier infoblox web cat source data received", + "legend": "dossier_infoblox_web_cat", + "baseQuery": "dossier_infoblox_web_cat_CL" + }, + { + "metricName": "Dossier geo source data received", + "legend": "dossier_geo", + "baseQuery": "dossier_geo_CL" + }, + { + "metricName": "Dossier dns source data received", + "legend": "dossier_dns", + "baseQuery": "dossier_dns_CL" + }, + { + "metricName": "Dossier atp threat source data received", + "legend": "dossier_atp_threat", + "baseQuery": "dossier_atp_threat_CL" + }, + { + "metricName": "Dossier atp source data received", + "legend": "dossier_atp", + "baseQuery": "dossier_atp_CL" + }, + { + "metricName": "Dossier ptr source data received", + "legend": "dossier_ptr", + "baseQuery": "dossier_ptr_CL" + } + ], + "sampleQueries": [ + { + "description": "Failed Indicator time range received", + "query": "Failed_Range_To_Ingest_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Failed Indicators Range Data", + "query": "Infoblox_Failed_Indicators_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whois data source", + "query": "dossier_whois_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whitelist data source", + "query": "dossier_whitelist_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier tld risk data source", + "query": "dossier_tld_risk_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier threat actor data source", + "query": "dossier_threat_actor_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds records data source", + "query": "dossier_rpz_feeds_records_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds data source", + "query": "dossier_rpz_feeds_CL\n | sort by TimeGenerated desc" + 
}, + { + "description": "Dossier nameserver matches data source", + "query": "dossier_nameserver_matches_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier nameserver data source", + "query": "dossier_nameserver_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier malware analysis v3 data source", + "query": "dossier_malware_analysis_v3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier inforank data source", + "query": "dossier_inforank_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier infoblox web cat data source", + "query": "dossier_infoblox_web_cat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier geo data source", + "query": "dossier_geo_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier dns data source", + "query": "dossier_dns_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp threat data source", + "query": "dossier_atp_threat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp data source", + "query": "dossier_atp_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier ptr data source", + "query": "dossier_ptr_CL\n | sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Failed_Range_To_Ingest_CL", + "lastDataReceivedQuery": "Failed_Range_To_Ingest_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "Infoblox_Failed_Indicators_CL", + "lastDataReceivedQuery": "Infoblox_Failed_Indicators_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whois_CL", + "lastDataReceivedQuery": "dossier_whois_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whitelist_CL", + "lastDataReceivedQuery": "dossier_whitelist_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_tld_risk_CL", + "lastDataReceivedQuery": 
"dossier_tld_risk_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_threat_actor_CL", + "lastDataReceivedQuery": "dossier_threat_actor_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_records_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_records_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_matches_CL", + "lastDataReceivedQuery": "dossier_nameserver_matches_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_CL", + "lastDataReceivedQuery": "dossier_nameserver_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_malware_analysis_v3_CL", + "lastDataReceivedQuery": "dossier_malware_analysis_v3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_inforank_CL", + "lastDataReceivedQuery": "dossier_inforank_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_infoblox_web_cat_CL", + "lastDataReceivedQuery": "dossier_infoblox_web_cat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_geo_CL", + "lastDataReceivedQuery": "dossier_geo_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_dns_CL", + "lastDataReceivedQuery": "dossier_dns_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_threat_CL", + "lastDataReceivedQuery": "dossier_atp_threat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_CL", + "lastDataReceivedQuery": "dossier_atp_CL\n| summarize Time = max(TimeGenerated)\n| 
where isnotempty(Time)" + }, + { + "name": "dossier_ptr_CL", + "lastDataReceivedQuery": "dossier_ptr_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Failed_Range_To_Ingest_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Infoblox_Failed_Indicators_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whois_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whitelist_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_tld_risk_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_threat_actor_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_records_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_nameserver_matches_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_nameserver_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| 
project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_malware_analysis_v3_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_inforank_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_infoblox_web_cat_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_geo_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_dns_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_threat_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_ptr_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Infoblox API Key** is required. See the documentation to learn more about API on the [Rest API reference](https://csp.infoblox.com/apidoc?url=https://csp.infoblox.com/apidoc/docs/Infrastructure#/Services/ServicesRead)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Infoblox API to create Threat Indicators for TIDE and pull Dossier data into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Steps to generate the Infoblox API Credentials**\n\n Follow these instructions to generate Infoblox API Key.\n In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." 
+ }, + { + "description": "**STEP 5 - Steps to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Infoblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Infoblox API Authorization Credentials", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Infoblox Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-infoblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tAzure Tenant Id \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tInfoblox API Token \n\t\tInfoblox Base URL \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tConfidence \n\t\tThreat Level \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Infoblox Data Connector via REST API (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Infoblox Data Connector via REST API (using Azure Functions)", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Data Connector allows you to easily connect your Infoblox TIDE data and Dossier data with Microsoft Sentinel. 
By connecting your data to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Failed Indicator time range received", + "legend": "Failed_Range_To_Ingest", + "baseQuery": "Failed_Range_To_Ingest_CL" + }, + { + "metricName": "Failed Indicators Range data received", + "legend": "Infoblox_Failed_Indicators", + "baseQuery": "Infoblox_Failed_Indicators_CL" + }, + { + "metricName": "Dossier whois source data received", + "legend": "dossier_whois", + "baseQuery": "dossier_whois_CL" + }, + { + "metricName": "Dossier whitelist source data received", + "legend": "dossier_whitelist", + "baseQuery": "dossier_whitelist_CL" + }, + { + "metricName": "Dossier tld risk source data received", + "legend": "dossier_tld_risk", + "baseQuery": "dossier_tld_risk_CL" + }, + { + "metricName": "Dossier threat actor source data received", + "legend": "dossier_threat_actor", + "baseQuery": "dossier_threat_actor_CL" + }, + { + "metricName": "Dossier rpz feeds records source data received", + "legend": "dossier_rpz_feeds_records", + "baseQuery": "dossier_rpz_feeds_records_CL" + }, + { + "metricName": "Dossier rpz feeds source data received", + "legend": "dossier_rpz_feeds", + "baseQuery": "dossier_rpz_feeds_CL" + }, + { + "metricName": "Dossier nameserver matches source data received", + "legend": "dossier_nameserver_matches", + "baseQuery": "dossier_nameserver_matches_CL" + }, + { + "metricName": "Dossier nameserver source data received", + "legend": "dossier_nameserver", + "baseQuery": "dossier_nameserver_CL" + }, + { + "metricName": "Dossier malware analysis v3 source data received", + "legend": "dossier_malware_analysis_v3", + "baseQuery": "dossier_malware_analysis_v3_CL" + }, + { + "metricName": "Dossier inforank source data received", + "legend": "dossier_inforank", + "baseQuery": "dossier_inforank_CL" + }, + { + "metricName": "Dossier infoblox web cat source data 
received", + "legend": "dossier_infoblox_web_cat", + "baseQuery": "dossier_infoblox_web_cat_CL" + }, + { + "metricName": "Dossier geo source data received", + "legend": "dossier_geo", + "baseQuery": "dossier_geo_CL" + }, + { + "metricName": "Dossier dns source data received", + "legend": "dossier_dns", + "baseQuery": "dossier_dns_CL" + }, + { + "metricName": "Dossier atp threat source data received", + "legend": "dossier_atp_threat", + "baseQuery": "dossier_atp_threat_CL" + }, + { + "metricName": "Dossier atp source data received", + "legend": "dossier_atp", + "baseQuery": "dossier_atp_CL" + }, + { + "metricName": "Dossier ptr source data received", + "legend": "dossier_ptr", + "baseQuery": "dossier_ptr_CL" + } + ], + "dataTypes": [ + { + "name": "Failed_Range_To_Ingest_CL", + "lastDataReceivedQuery": "Failed_Range_To_Ingest_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "Infoblox_Failed_Indicators_CL", + "lastDataReceivedQuery": "Infoblox_Failed_Indicators_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whois_CL", + "lastDataReceivedQuery": "dossier_whois_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_whitelist_CL", + "lastDataReceivedQuery": "dossier_whitelist_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_tld_risk_CL", + "lastDataReceivedQuery": "dossier_tld_risk_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_threat_actor_CL", + "lastDataReceivedQuery": "dossier_threat_actor_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_records_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_records_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_rpz_feeds_CL", + "lastDataReceivedQuery": "dossier_rpz_feeds_CL\n| summarize Time = 
max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_matches_CL", + "lastDataReceivedQuery": "dossier_nameserver_matches_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_nameserver_CL", + "lastDataReceivedQuery": "dossier_nameserver_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_malware_analysis_v3_CL", + "lastDataReceivedQuery": "dossier_malware_analysis_v3_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_inforank_CL", + "lastDataReceivedQuery": "dossier_inforank_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_infoblox_web_cat_CL", + "lastDataReceivedQuery": "dossier_infoblox_web_cat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_geo_CL", + "lastDataReceivedQuery": "dossier_geo_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_dns_CL", + "lastDataReceivedQuery": "dossier_dns_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_threat_CL", + "lastDataReceivedQuery": "dossier_atp_threat_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_atp_CL", + "lastDataReceivedQuery": "dossier_atp_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + }, + { + "name": "dossier_ptr_CL", + "lastDataReceivedQuery": "dossier_ptr_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Failed_Range_To_Ingest_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Infoblox_Failed_Indicators_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project 
IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whois_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_whitelist_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_tld_risk_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_threat_actor_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_records_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_rpz_feeds_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_nameserver_matches_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_nameserver_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_malware_analysis_v3_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_inforank_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_infoblox_web_cat_CL\n| summarize 
LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_geo_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_dns_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_threat_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_atp_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "dossier_ptr_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Failed Indicator time range received", + "query": "Failed_Range_To_Ingest_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Failed Indicators Range Data", + "query": "Infoblox_Failed_Indicators_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whois data source", + "query": "dossier_whois_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier whitelist data source", + "query": "dossier_whitelist_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier tld risk data source", + "query": "dossier_tld_risk_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier threat actor data source", + "query": "dossier_threat_actor_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds records data source", + "query": "dossier_rpz_feeds_records_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier rpz feeds data source", + "query": "dossier_rpz_feeds_CL\n 
| sort by TimeGenerated desc" + }, + { + "description": "Dossier nameserver matches data source", + "query": "dossier_nameserver_matches_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier nameserver data source", + "query": "dossier_nameserver_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier malware analysis v3 data source", + "query": "dossier_malware_analysis_v3_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier inforank data source", + "query": "dossier_inforank_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier infoblox web cat data source", + "query": "dossier_infoblox_web_cat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier geo data source", + "query": "dossier_geo_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier dns data source", + "query": "dossier_dns_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp threat data source", + "query": "dossier_atp_threat_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier atp data source", + "query": "dossier_atp_CL\n | sort by TimeGenerated desc" + }, + { + "description": "Dossier ptr data source", + "query": "dossier_ptr_CL\n | sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "**Infoblox API Key** is required. See the documentation to learn more about API on the [Rest API reference](https://csp.infoblox.com/apidoc?url=https://csp.infoblox.com/apidoc/docs/Infrastructure#/Services/ServicesRead)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to the Infoblox API to create Threat Indicators for TIDE and pull Dossier data into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - App Registration steps for the Application in Microsoft Entra ID**\n\n This integration requires an App registration in the Azure portal. 
Follow the steps in this section to create a new application in Microsoft Entra ID:\n 1. Sign in to the [Azure portal](https://portal.azure.com/).\n 2. Search for and select **Microsoft Entra ID**.\n 3. Under **Manage**, select **App registrations > New registration**.\n 4. Enter a display **Name** for your application.\n 5. Select **Register** to complete the initial app registration.\n 6. When registration finishes, the Azure portal displays the app registration's Overview pane. You see the **Application (client) ID** and **Tenant ID**. The client ID and Tenant ID is required as configuration parameters for the execution of the TriggersSync playbook. \n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app)" + }, + { + "description": "**STEP 2 - Add a client secret for application in Microsoft Entra ID**\n\n Sometimes called an application password, a client secret is a string value required for the execution of TriggersSync playbook. Follow the steps in this section to create a new Client Secret:\n 1. In the Azure portal, in **App registrations**, select your application.\n 2. Select **Certificates & secrets > Client secrets > New client secret**.\n 3. Add a description for your client secret.\n 4. Select an expiration for the secret or specify a custom lifetime. Limit is 24 months.\n 5. Select **Add**. \n 6. *Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page.* The secret value is required as configuration parameter for the execution of TriggersSync playbook. 
\n\n> **Reference link:** [https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret](https://learn.microsoft.com/azure/active-directory/develop/quickstart-register-app#add-a-client-secret)" + }, + { + "description": "**STEP 3 - Assign role of Contributor to application in Microsoft Entra ID**\n\n Follow the steps in this section to assign the role:\n 1. In the Azure portal, Go to **Resource Group** and select your resource group.\n 2. Go to **Access control (IAM)** from left panel.\n 3. Click on **Add**, and then select **Add role assignment**.\n 4. Select **Contributor** as role and click on next.\n 5. In **Assign access to**, select `User, group, or service principal`.\n 6. Click on **add members** and type **your app name** that you have created and select it.\n 7. Now click on **Review + assign** and then again click on **Review + assign**. \n\n> **Reference link:** [https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)" + }, + { + "description": "**STEP 4 - Steps to generate the Infoblox API Credentials**\n\n Follow these instructions to generate Infoblox API Key.\n In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." 
+ }, + { + "description": "**STEP 5 - Steps to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Infoblox data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following) readily available.., as well as the Infoblox API Authorization Credentials", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Infoblox Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-infoblox-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the below information : \n\t\tAzure Tenant Id \n\t\tAzure Client Id \n\t\tAzure Client Secret \n\t\tInfoblox API Token \n\t\tInfoblox Base URL \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tConfidence \n\t\tThreat Level \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] Infoblox SOC Insight Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. \n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). 
**Microsoft recommends using this Data Connector.**", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": "InfobloxCDC_SOCInsights\n| where ThreatLevel == \"High\"" + }, + { + "description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = 
column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. 
[Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights).", + "title": "SOC Insights" + }, + { + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. 
See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "instructions": [ + { + "parameters": { + "title": "Follow the steps below to configure this data connector", + "instructionSteps": [ + { + "title": "A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **Common Event Format (CEF) via AMA** data connector page to configure the CEF collector on the machine." + }, + { + "title": "B. Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent", + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. 
\n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate." + }, + { + "title": "C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Infoblox Cloud Data Connector" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] Infoblox SOC 
Insight Data Connector via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] Infoblox SOC Insight Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. 
\n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector.**", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n| where DeviceVendor =~ \"Infoblox\" and DeviceProduct =~ \"Data Connector\" and DeviceEventClassID =~ \"BloxOne-InsightsNotification-Log\"\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": 
"InfobloxCDC_SOCInsights\n| where ThreatLevel == \"High\"" + }, + { + "description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed. 
[Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights).", + "title": "SOC Insights" + }, + { + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. 
See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "instructions": [ + { + "parameters": { + "title": "Follow the steps below to configure this data connector", + "instructionSteps": [ + { + "title": "A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note: CEF logs are collected only from Linux Agents_\n\n1. Navigate to your **Microsoft Sentinel workspace > Data connectors** blade.\n\n2. Search for the **Common Event Format (CEF) via AMA** data connector and open it.\n\n3. Ensure there is no existing DCR configured to collect required facility of logs as it may cause log duplication. Create a new **DCR (Data Collection Rule)**.\n\n\t_Note: It is recommended to install the AMA agent v1.27 at minimum. [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplication._\n\n4. Run the command provided in the **Common Event Format (CEF) via AMA** data connector page to configure the CEF collector on the machine." + }, + { + "title": "B. Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent", + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. 
\n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate." + }, + { + "title": "C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Infoblox Cloud Data Connector" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution." 
+ } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId3')]", + "title": "Infoblox SOC Insight Data Connector via REST API", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. 
By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxInsight", + "baseQuery": "InfobloxInsight_CL" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxInsight_CL\n| where threatType_s == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxInsight_CL\n| where tClass_s == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return count of critical priority insights", + "query": "InfobloxInsight_CL\n| where priorityText_s == \"CRITICAL\"\n | summarize dcount(insightId_g) by priorityText_s" + }, + { + "description": "Return each spreading insight by ThreatClass", + "query": "InfobloxInsight_CL\n| where isnotempty(spreadingDate_t)\n | summarize dcount(insightId_g) by tClass_s" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxInsight_CL\n| | summarize dcount(insightId_g) by tFamily_s" + } + ], + "dataTypes": [ + { + "name": "InfobloxInsight_CL", + "lastDataReceivedQuery": "InfobloxInsight_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "InfobloxInsight_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": 
"Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights).", + "title": "SOC Insights" + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. 
Generate an Infoblox API Key and copy it somewhere safe", + "description": "In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." + }, + { + "title": "2. Configure the Infoblox-SOC-Get-Open-Insights-API playbook", + "description": "Create and configure the **Infoblox-SOC-Get-Open-Insights-API** playbook which is deployed with this solution. Enter your Infoblox API key in the appropriate parameter when prompted." + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Follow the steps below to configure this data connector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + 
"contentKind": "DataConnector", + "displayName": "Infoblox SOC Insight Data Connector via REST API", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId3')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Infoblox SOC Insight Data Connector via REST API", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. 
By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxInsight", + "baseQuery": "InfobloxInsight_CL" + } + ], + "dataTypes": [ + { + "name": "InfobloxInsight_CL", + "lastDataReceivedQuery": "InfobloxInsight_CL\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "InfobloxInsight_CL\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxInsight_CL\n| where threatType_s == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxInsight_CL\n| where tClass_s == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return count of critical priority insights", + "query": "InfobloxInsight_CL\n| where priorityText_s == \"CRITICAL\"\n | summarize dcount(insightId_g) by priorityText_s" + }, + { + "description": "Return each spreading insight by ThreatClass", + "query": "InfobloxInsight_CL\n| where isnotempty(spreadingDate_t)\n | summarize dcount(insightId_g) by tClass_s" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxInsight_CL\n| | summarize dcount(insightId_g) by tFamily_s" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + 
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights).", + "title": "SOC Insights" + }, + { + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Generate an Infoblox API Key and copy it somewhere safe", + "description": "In the [Infoblox Cloud Services Portal](https://csp.infoblox.com/atlas/app/welcome), generate an API Key and copy it somewhere safe to use in the next step. You can find instructions on how to create API keys [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/230394187/How+Do+I+Create+an+API+Key%3F)." + }, + { + "title": "2. 
Configure the Infoblox-SOC-Get-Open-Insights-API playbook", + "description": "Create and configure the **Infoblox-SOC-Get-Open-Insights-API** playbook which is deployed with this solution. Enter your Infoblox API key in the appropriate parameter when prompted." + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Follow the steps below to configure this data connector" + } + ], + "id": "[variables('_uiConfigId3')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxInsight.yaml) which is deployed with the Microsoft Sentinel Solution." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId4')]", + "title": "[Deprecated] Infoblox SOC Insight Data Connector via Legacy 
Agent", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. \n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**Microsoft recommends installation of Infoblox SOC Insight Data Connector via AMA Connector.** The legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and should only be installed where AMA is not supported.\n\n Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost. [More details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID == \"BloxOne-InsightsNotification-Log\"" + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": "InfobloxCDC_SOCInsights\n| where ThreatLevel == 
\"High\"" + }, + { + "description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "InfobloxCDC_SOCInsights\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "InfobloxCDC_SOCInsights\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights). ", + "title": "SOC Insights" + }, + { + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. 
See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "title": "Infoblox Cloud Data Connector" + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. 
\n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.", + "title": "2. Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId4')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent", + 
"contentProductId": "[variables('_dataConnectorcontentProductId4')]", + "id": "[variables('_dataConnectorcontentProductId4')]", + "version": "[variables('dataConnectorVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId4')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Deprecated] Infoblox SOC Insight Data Connector via Legacy Agent", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox SOC Insight Data Connector allows you to easily connect your Infoblox BloxOne SOC Insight data with Microsoft Sentinel. By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log. 
\n\nThis data connector ingests Infoblox SOC Insight CDC logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**Microsoft recommends installation of Infoblox SOC Insight Data Connector via AMA Connector.** The legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and should only be installed where AMA is not supported.\n\n Using MMA and AMA on the same machine can cause log duplication and extra ingestion cost. [More details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "InfobloxCDC_SOCInsights", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID == \"BloxOne-InsightsNotification-Log\"" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (InfobloxCDC_SOCInsights)", + "lastDataReceivedQuery": "InfobloxCDC_SOCInsights\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "InfobloxCDC_SOCInsights\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(3d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all logs involving DNS Tunneling", + "query": "InfobloxCDC_SOCInsights\n| where ThreatType == \"DNS Tunneling\"" + }, + { + "description": "Return all logs involving a configuration issue", + "query": "InfobloxCDC_SOCInsights\n| where ThreatClass == \"TI-CONFIGURATIONISSUE\"" + }, + { + "description": "Return all high threat level logs", + "query": "InfobloxCDC_SOCInsights\n| where ThreatLevel == \"High\"" + }, + { + "description": "Return raised status logs", + "query": "InfobloxCDC_SOCInsights\n| where Status == \"RAISED\"" + }, + { + "description": "Return logs involving a high amount of unblocked DNS hits", + "query": "InfobloxCDC_SOCInsights\n| where 
NotBlockedCount >= 100" + }, + { + "description": "Return each Insight by ThreatFamily", + "query": "InfobloxCDC_SOCInsights\n| summarize dcount(InfobloxInsightID) by ThreatFamily" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "In order to use the playbooks as part of this solution, find your **Workspace ID** and **Workspace Primary Key** below for your convenience.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Workspace Key" + }, + "type": "CopyableLabel" + } + ], + "title": "Workspace Keys" + }, + { + "description": ">This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution.", + "title": "Parsers" + }, + { + "description": ">This data connector assumes you have access to Infoblox BloxOne Threat Defense SOC Insights. 
You can find more information about SOC Insights [**here**](https://docs.infoblox.com/space/BloxOneThreatDefense/501514252/SOC+Insights). ", + "title": "SOC Insights" + }, + { + "description": ">This data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of BloxOne Threat Defense, access to an appropriate BloxOne Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements.", + "title": "Infoblox Cloud Data Connector" + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Follow the steps below to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select the **Internal Notifications** Log Type.\n - Expand the **Destination Configuration** section. 
\n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.", + "title": "2. Within the Infoblox Cloud Services Portal, configure Infoblox BloxOne to send CEF Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "id": "[variables('_uiConfigId4')]", + "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20SOC%20Insights/Parsers/InfobloxCDC_SOCInsights.yaml) which is deployed with the Microsoft Sentinel Solution." 
+ } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId5')]", + "title": "[Recommended] Infoblox Cloud Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. 
By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CommonSecurityLog", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all Block DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"" + }, + { + "description": "Return all DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DNS\"" + }, + { + "description": "Return all DHCP Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DHCP\"" + }, + { + "description": "Return all Service Logs Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Service\"" + }, + { + "description": "Return all Audit Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Audit\"" + }, + { + "description": "Return all Category Filters 
security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\"" + }, + { + "description": "Return all Application Filters security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\"" + }, + { + "description": "Return Top 10 TD Domains Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc" + }, + { + "description": "Return Top 10 TD Source IPs Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc" + }, + { + "description": "Return Recently Created DHCP Leases", + "query": "CommonSecurityLog\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\"" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). 
As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of Threat Defense, access to an appropriate Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements." + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. 
Linux Syslog agent configuration" + }, + { + "description": "Follow the steps below to configure the Infoblox CDC to send data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.", + "title": "2. 
Configure Infoblox to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. 
Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId5')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] Infoblox Cloud Data Connector via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId5')]", + "id": "[variables('_dataConnectorcontentProductId5')]", + "version": "[variables('dataConnectorVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId5')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] Infoblox Cloud Data Connector via AMA", + "publisher": "Infoblox", + "descriptionMarkdown": "The Infoblox Cloud Data Connector allows you to easily connect your Infoblox data with Microsoft Sentinel. 
By connecting your logs to Microsoft Sentinel, you can take advantage of search & correlation, alerting, and threat intelligence enrichment for each log.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "CommonSecurityLog", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Infoblox'\n |where DeviceProduct =~ 'Data Connector'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Return all Block DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"" + }, + { + "description": "Return all DNS Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DNS\"" + }, + { + "description": "Return all DHCP Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"DHCP\"" + }, + { + "description": "Return all Service Logs Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Service\"" + }, + { + "description": "Return all Audit Query/Response logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"Audit\"" + }, + { + "description": "Return all Category Filters 
security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=CAT_\"" + }, + { + "description": "Return all Application Filters security events logs", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\"\n | where AdditionalExtensions has_cs \"InfobloxRPZ=APP_\"" + }, + { + "description": "Return Top 10 TD Domains Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by DestinationDnsDomain \n| top 10 by count_ desc" + }, + { + "description": "Return Top 10 TD Source IPs Hit Count", + "query": "CommonSecurityLog\n| where DeviceEventClassID has_cs \"RPZ\" \n| summarize count() by SourceIP \n| top 10 by count_ desc" + }, + { + "description": "Return Recently Created DHCP Leases", + "query": "CommonSecurityLog\n| where DeviceEventClassID == \"DHCP-LEASE-CREATE\"" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": ">**IMPORTANT:** This Microsoft Sentinel data connector assumes an Infoblox Data Connector host has already been created and configured in the Infoblox Cloud Services Portal (CSP). 
As the [**Infoblox Data Connector**](https://docs.infoblox.com/display/BloxOneThreatDefense/Deploying+the+Data+Connector+Solution) is a feature of Threat Defense, access to an appropriate Threat Defense subscription is required. See this [**quick-start guide**](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-data-connector.pdf) for more information and licensing requirements." + }, + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. 
Linux Syslog agent configuration" + }, + { + "description": "Follow the steps below to configure the Infoblox CDC to send data to Microsoft Sentinel via the Linux Syslog agent.\n1. Navigate to **Manage > Data Connector**.\n2. Click the **Destination Configuration** tab at the top.\n3. Click **Create > Syslog**. \n - **Name**: Give the new Destination a meaningful **name**, such as **Microsoft-Sentinel-Destination**.\n - **Description**: Optionally give it a meaningful **description**.\n - **State**: Set the state to **Enabled**.\n - **Format**: Set the format to **CEF**.\n - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.\n - **Port**: Leave the port number at **514**.\n - **Protocol**: Select desired protocol and CA certificate if applicable.\n - Click **Save & Close**.\n4. Click the **Traffic Flow Configuration** tab at the top.\n5. Click **Create**.\n - **Name**: Give the new Traffic Flow a meaningful **name**, such as **Microsoft-Sentinel-Flow**.\n - **Description**: Optionally give it a meaningful **description**. \n - **State**: Set the state to **Enabled**. \n - Expand the **Service Instance** section. \n - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled. \n - Expand the **Source Configuration** section. \n - **Source**: Select **BloxOne Cloud Source**. \n - Select all desired **log types** you wish to collect. Currently supported log types are:\n - Threat Defense Query/Response Log\n - Threat Defense Threat Feeds Hits Log\n - DDI Query/Response Log\n - DDI DHCP Lease Log\n - Expand the **Destination Configuration** section. \n - Select the **Destination** you just created. \n - Click **Save & Close**. \n6. Allow the configuration some time to activate.", + "title": "2. 
Configure Infoblox to send Syslog data to the Infoblox Cloud Data Connector to forward to the Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. 
Secure your machine " + } + ], + "id": "[variables('_uiConfigId5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "The Infoblox Lookup Workbook provides comprehensive insights through lookups on various data types including IP, Host, URL, Hash, and Email.\nThe workbook features distinct tabs for targeted lookups. \nThe 'TIDE' tab delivers insights from Infoblox TIDE data, while the 'Dossier' tab aggregates information from a range of other third party sources. \nTo obtain detailed insights, enter the relevant data into the specified fields within each tab. \nThis allows users to efficiently gather and analyze critical information." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"8db3a050-3c9c-4e91-ab49-ac4d4768f203\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"TIDE Lookup\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"42f28d3c-e462-48c4-9ac9-c616a5b7d1b7\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"TIDE Lookup via Incident\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"718e54eb-4786-4d21-bef1-372877db0a85\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dossier Lookup\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"86d6d161-40c8-4d8c-81cd-78aa762610e6\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Dossier Lookup via Incident\",\"subTarget\":\"3\",\"style\":\"link\"}]},\"name\":\"links - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-TIDE-Lookup** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Infoblox TIDE Lookup\\r\\n---\\r\\n\\r\\n\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"## Steps to perform TIDE Lookup using this workbook\\r\\n- This workbook is intended to help perform TIDE Lookup for Indicators.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select Indicator type from Type filter and provide indicator value corresponding to it's type in the Target parameter.\\r\\n- You will be able to see a lookup panel for that specific indicator. \\r\\n- If lookup information of this target is available in the last 24 hours it will be displayed in the lookup panel.\\r\\n- If there is message like **The query returned no results** on lookup panel, then click on the **GET TIDE DATA** button.\\r\\n- This will execute the **TIDE-Lookup** logic app in the background.\\r\\n- You can check the status of the playbook to identify the TIDE Lookup status.\\r\\n- Click on the refresh button of the lookup panel until you get the TIDE Lookup information.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details. \",\"style\":\"upsell\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| extend ResourceGroupName = resourceGroup\\r\\n| distinct ResourceGroupName\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ca226b80-e11b-4cb2-a1ae-3722f60aa4c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EntityType\",\"label\":\"Type\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\\"host\\\", \\\"ip\\\", \\\"url\\\", \\\"hash\\\", 
\\\"email\\\"]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"9fbfab7b-f382-483b-975c-ab1fe0815b83\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EntityName\",\"type\":1,\"isGlobal\":true,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\",\"label\":\"Target\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibilities\":[{\"parameterName\":\"SubscriptionId\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"SentinelResourceGroup\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"parameters - 1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"paragraph\",\"links\":[{\"id\":\"f2242052-b69a-48b7-ac97-1f33d5e58c0f\",\"linkTarget\":\"ArmAction\",\"linkLabel\":\"GET TIDE DATA\",\"style\":\"primary\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup}/providers/Microsoft.Logic/workflows/Infoblox-TIDE-Lookup/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"type\\\": \\\"{EntityType}\\\",\\r\\n \\\"target\\\": \\\"{EntityName}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}]},\"conditionalVisibilities\":[{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"EntityType\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"links - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| where type_s == toupper('{EntityType}') and ip_s == '{EntityName}'\\r\\n| project \\r\\n IP = column_ifexists(\\\"ip_s\\\",\\\"\\\"),\\r\\n Profile = 
column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for ip : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"ip\"},{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend host_s = column_ifexists(\\\"host_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and host_s == '{EntityName}'\\r\\n| project \\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = 
column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for host : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"host\"},{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend url_s = column_ifexists(\\\"url_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and url_s == '{EntityName}'\\r\\n| project \\r\\n Url = column_ifexists(\\\"url_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n 
Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for url : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend hash_s = column_ifexists(\\\"hash_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and hash_s == '{EntityName}'\\r\\n| project \\r\\n Hash = column_ifexists(\\\"hash_s\\\",\\\"\\\"),\\r\\n ['Hash Type'] = column_ifexists(\\\"hash_type_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = 
column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for hash : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"hash\"},{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend email_s = column_ifexists(\\\"email_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and email_s == '{EntityName}'\\r\\n| project \\r\\n Email = column_ifexists(\\\"email_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = 
column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for email : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"email\"},{\"parameterName\":\"EntityName\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"group - 3\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-TIDE-Lookup-Via-Incident** playbook which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 8\"},{\"type\":1,\"content\":{\"json\":\"## Infoblox TIDE Lookup via Incidents\\r\\n---\\r\\n\"},\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"## Steps to perform TIDE Lookup via Incident using this workbook\\r\\n- This workbook is intended to help perform TIDE Lookup for Indicators via Incidents.\\r\\n- Select the **Resource Group**, **Subscription ID**, **Workspace** and provide **[Tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant)**.\\r\\n- Select TimeRange and Type for Incidents.\\r\\n- From the **Available Incidents** panel, select any indicator.\\r\\n- You will be able to see a lookup panel for that specific indicator. \\r\\n- If lookup information of this target is available in the last 24 hours it will be displayed in the lookup panel.\\r\\n- If there is message like **The query returned no results** on lookup panel, then click on the **GET TIDE DATA** link to get the TIDE Lookup information for the Indicator of that Incident.\\r\\n- This will execute the **TIDE-Lookup-Via-Incident** logic app in the background.\\r\\n- You can check the status of the playbook to identify the TIDE Lookup status.\\r\\n- Click on the refresh button of the lookup panel until you get the TIDE Lookup information.\\r\\n
\\r\\n
\\r\\n**Note** :\\r\\n\\t* In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\\t* Please ensure that you select the workspace where your workbook and playbook are available. Otherwise, the data ingested by the playbook will not be reflected in the drilldown panel.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| extend ResourceGroupName = resourceGroup\\r\\n| distinct ResourceGroupName\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"9e2b01b1-798f-4239-a845-f1a0a3781a99\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"where type =~ \\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"854db66e-d6e4-4ae3-bb16-abc9dcd0a334\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant 
ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"51b0558c-95f7-452c-95c3-c501535f7a92\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000},\"label\":\"Time Range\"},{\"id\":\"ca226b80-e11b-4cb2-a1ae-3722f60aa4c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IOCType\",\"label\":\"Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityAlert\\r\\n| mv-expand todynamic(Entities)\\r\\n| where Entities.Type in ('ip','filehash','url','host')\\r\\n| distinct tostring(Entities.Type)\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibilities\":[{\"parameterName\":\"TenantID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Workspace\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"parameters - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentName\\r\\n| extend AlertIds = todynamic(AlertIds)\\r\\n| extend AlertId = tostring(AlertIds[0])\\r\\n| join kind=inner (SecurityAlert| project SystemAlertId, Entities) on $left.AlertId == $right.SystemAlertId\\r\\n| mv-expand todynamic(Entities)\\r\\n| extend EntityType = case(Entities.Type =~ \\\"filehash\\\",\\\"hash\\\",Entities.Type)\\r\\n| where isnotempty(EntityType)\\r\\n| where \\\"{IOCType:escapejson}\\\" == '*' or EntityType in ({IOCType})\\r\\n| extend EntityName = case(EntityType =~ \\\"ip\\\", Entities.Address, \\r\\n EntityType =~ \\\"hash\\\", Entities.Value,\\r\\n EntityType =~ \\\"host\\\", Entities.NetBiosName,\\r\\n EntityType =~ \\\"url\\\", Entities.Url,\\r\\n \\\"\\\"), ['TIDE Lookup'] = \\\"GET TIDE DATA\\\"\\r\\n| where isnotempty(EntityName)\\r\\n| summarize arg_max(TimeGenerated, *) by EntityName,tostring(EntityType)\\r\\n| project ['IOC Value'] = EntityName, ['IOC Type'] = EntityType, IncidentUrl, ['TIDE Lookup'], IncidentName, Title, Description, Severity, Status, ProviderName, CreatedTime, IncidentNumber, Tasks, Labels, ModifiedBy\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Available Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"IncidentName\",\"parameterName\":\"IncidentName\"},{\"fieldName\":\"IOC Value\",\"parameterName\":\"EntityName\",\"parameterType\":1},{\"fieldName\":\"IOC Type\",\"parameterName\":\"EntityType\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\",\"linkIsContextBlade\":false}},{\"columnMatch\":\"TIDE 
Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/{Workspace}/providers/Microsoft.SecurityInsights/incidents/{IncidentName}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n\\r\\n\\\"LogicAppsResourceId\\\":\\\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup}/providers/Microsoft.Logic/workflows/Infoblox-TIDE-Lookup-Via-Incident\\\",\\r\\n\\r\\n \\\"TenantId\\\":\\\"{TenantID}\\\"\\r\\n\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibilities\":[{\"parameterName\":\"TenantID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Workspace\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 0\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| where type_s == toupper('{EntityType}') and ip_s == '{EntityName}'\\r\\n| project \\r\\n IP = column_ifexists(\\\"ip_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = 
column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for ip : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"ip\"},\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend host_s = column_ifexists(\\\"host_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and host_s == '{EntityName}'\\r\\n| project \\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = 
column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for host : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"host\"},\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend url_s = column_ifexists(\\\"url_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and url_s == '{EntityName}'\\r\\n| project \\r\\n Url = column_ifexists(\\\"url_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = 
column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for url : {EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ntide_lookup_data_CL\\r\\n| extend hash_s = column_ifexists(\\\"hash_s\\\",\\\"\\\")\\r\\n| extend type_s = column_ifexists(\\\"type_s\\\",\\\"\\\")\\r\\n| where type_s == toupper('{EntityType}') and hash_s == '{EntityName}'\\r\\n| project \\r\\n Hash = column_ifexists(\\\"hash_s\\\",\\\"\\\"),\\r\\n ['Hash Type'] = column_ifexists(\\\"hash_type_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ['Threat Level'] = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\",\"size\":0,\"showAnalytics\":true,\"title\":\"Lookup for hash : 
{EntityName}\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"EntityType\",\"comparison\":\"isEqualTo\",\"value\":\"hash\"},\"name\":\"query - 3\",\"styleSettings\":{\"padding\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"TIDE Incident Lookup\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Dossier Function App** which is deployed with the Microsoft Sentinel Solution. \\r\\n
Please configure this function app first and keep it enabled in order to use this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"## Infoblox Dossier Lookup\\r\\n---\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"## Steps to perform Dossier Lookup using this workbook\\r\\n- This workbook is intended to help perform Dossier Lookup for Indicators.\\r\\n- Select **Dossier Function App Name** which is deployed with the Microsoft Sentinel Solution.\\r\\n- Select Indicator type from Type filter and provide indicator value corresponding to it's type in the Target parameter.\\r\\n- Click on the **GET DOSSIER DATA** link.\\r\\n- This will execute the function app in the background to get the Dossier Lookup data (You will be redirect in new tab).\\r\\n- You will be able to see a message like **Refresh to check for Dossier data availability**.\\r\\n- Click on the refresh button above the message until you get a message like **Click here to view the data**.\\r\\n- Click on the message **Click here to view the data** and it will display various lookup panels for different source data.\\r\\n
\\r\\n
\\r\\n**Note** :\\r\\n\\t* The lookup information will be cache for 24 hours in sentinel.
\\r\\n\\t* It is suggested to perform a **Hard Refresh** before getting Dossier data for the new target. Otherwise, the source drill down panels will not be populated properly.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1bc43239-b48a-4894-a7ef-5d9326cfe690\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DurableFunction\",\"label\":\"Dossier Function App Name\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type contains \\\"microsoft.web/sites\\\"\\r\\n| where name startswith \\\"dossier\\\"\\r\\n| distinct name\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ca226b80-e11b-4cb2-a1ae-3722f60aa4c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IOCType\",\"label\":\"Type\",\"type\":2,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\\"host\\\", \\\"ip\\\", \\\"url\\\", \\\"hash\\\", \\\"email\\\"]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"9fbfab7b-f382-483b-975c-ab1fe0815b83\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IOCValue\",\"label\":\"Target\",\"type\":1,\"isGlobal\":true,\"timeContext\":{\"durationMs\":86400000},\"value\":\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(Dossier_Lookup: string)\\r\\n[\\r\\n 
\\\"https://{DurableFunction}.azurewebsites.net/api/orchestrators/InfobloxDossierOrchestrator?target={IOCValue}&type={IOCType}\\\"\\r\\n];\\r\\ndummy_table\",\"size\":3,\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"Dossier_Lookup\",\"exportParameterName\":\"Dossier_Lookup\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Dossier_Lookup\",\"formatter\":1,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"GET DOSSIER DATA\"}},\"showBorder\":false,\"sortCriteriaField\":\"export_param\"}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"IOCValue\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"IOCType\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 10\",\"styleSettings\":{\"maxWidth\":\"20%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string) [];\\r\\nunion isfuzzy=true dummy_table, dossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_source_s == \\\"atp\\\"\\r\\n| summarize count()\\r\\n| extend status = case(count_ == 0 , \\\"Refresh to check for Dossier data availability\\\",\\\"Click here to view the data\\\")\\r\\n| project status\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"exportFieldName\":\"status\",\"exportParameterName\":\"dossier_status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"},\"textSettings\":{\"style\":\"editor\"}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"IOCValue\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Dossier_Lookup\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 
10\",\"styleSettings\":{\"maxWidth\":\"30%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelist\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, 
params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_infoblox_web_cat_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"infoblox_web_cat\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_results_s = column_ifexists(\\\"data_results_s\\\",\\\"\\\")\\r\\n| where isnotempty(data_results_s)\\r\\n| extend data_results_s = parse_json(data_results_s)\\r\\n| mv-expand data_results_s\\r\\n| project ['Web Category'] = data_results_s.name\",\"size\":3,\"title\":\"Web Categories\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Web Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Uncategorized\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Found\",\"representation\":\"Unknown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"sortOrderField\":2,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"80\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize 
arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_rpz_feeds_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"rpz_feeds\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n feed_name = column_ifexists(\\\"feed_name_s\\\",\\\"\\\"),\\r\\n property = 
column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n threat_level = column_ifexists(\\\"threat_level_d\\\", 0)\\r\\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\\r\\n|extend Severity = case( tolong(threat_level) >= 75, \\\"High\\\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \\\"Medium\\\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\\\"Low\\\",tolong(threat_level) <25 , \\\"Info\\\",\\\"\\\")\\r\\n| project\\r\\n ['Feed Name'] = feed_name,\\r\\n ['Threat Level'] = threat_level,\\r\\n Severity,\\r\\n Property = property,\\r\\n Class = class,\\r\\n Detected = detected,\\r\\n Expiration = expiration\",\"size\":3,\"showAnalytics\":true,\"title\":\"Active Threat Feeds and Status (RPZ Feeds)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, 
params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_inforank_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"inforank\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n Domain = column_ifexists(\\\"data_domain_s\\\",\\\"\\\"),\\r\\n Interval = column_ifexists(\\\"data_interval_s\\\",\\\"\\\"),\\r\\n Rank = column_ifexists(\\\"data_rank_d\\\",\\\"\\\"),\\r\\n Message = column_ifexists(\\\"data_message_s\\\",\\\"\\\")\\r\\n| where\\r\\nisnotempty(Domain) or\\r\\nisnotempty(Interval) or\\r\\nisnotempty(Rank) or\\r\\nisnotempty(Message)\\r\\n| project \\r\\n Domain,\\r\\n Interval,\\r\\n Rank,\\r\\n Message\\r\\n\\r\\n\",\"size\":3,\"title\":\"Inforank Ranking\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = 
data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_threat_actor_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"threat_actor\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n actor_description = column_ifexists( \\\"data_actor_description_s\\\",\\\"\\\"),\\r\\n actor_name = column_ifexists( \\\"data_actor_name_s\\\",\\\"\\\"),\\r\\n purpose = column_ifexists( \\\"data_purpose_s\\\",\\\"\\\"),\\r\\n related_count = column_ifexists( \\\"data_related_count_s\\\",\\\"\\\"),\\r\\n ttp = column_ifexists( \\\"data_ttp_s\\\",\\\"\\\"),\\r\\n Url = strcat('https://csp.infoblox.com/#/security_research/search/auto/','{IOCValue}','/threat-actor')\\r\\n| where\\r\\n isnotempty(actor_description) or\\r\\n isnotempty(actor_name) or\\r\\n isnotempty(purpose) or\\r\\n isnotempty(ttp)\\r\\n| extend purpose = replace_string(purpose,'\\\"','')\\r\\n| extend purpose = replace_string(purpose,',',', ')\\r\\n| extend purpose = trim(@\\\"[\\\\[\\\\]]\\\",purpose)\\r\\n| extend ttp = replace_string(ttp,'\\\"','')\\r\\n| extend ttp = replace_string(ttp,',',', ')\\r\\n| extend ttp = trim(@\\\"[\\\\[\\\\]]\\\",ttp)\\r\\n| project\\r\\n ['Actor Description'] = actor_description,\\r\\n ['Actor Name'] = actor_name,\\r\\n Purpose = purpose,\\r\\n ['Related Count'] = related_count,\\r\\n ['CSP Portal'] 
= Url,\\r\\n Ttp = ttp\",\"size\":3,\"title\":\"DNS Threat Actor\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CSP Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"More Detail\"}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_geo_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend\\r\\n asn_num = column_ifexists(\\\"data_asn_num_s\\\", \\\"\\\"),\\r\\n city = column_ifexists(\\\"data_city_s\\\", \\\"\\\"),\\r\\n country_code = column_ifexists(\\\"data_country_code_s\\\", \\\"\\\"),\\r\\n country_name = column_ifexists(\\\"data_country_name_s\\\", \\\"\\\"),\\r\\n isp = column_ifexists(\\\"data_isp_s\\\", \\\"\\\"),\\r\\n latitude = column_ifexists(\\\"data_latitude_d\\\", \\\"\\\"),\\r\\n longitude = column_ifexists(\\\"data_longitude_d\\\", \\\"\\\"),\\r\\n org = column_ifexists(\\\"data_org_s\\\", \\\"\\\"),\\r\\n postal_code = column_ifexists(\\\"data_postal_code_s\\\", \\\"\\\"),\\r\\n region = column_ifexists(\\\"data_region_s\\\", \\\"\\\")\\r\\n| where\\r\\n isnotempty(asn_num) or\\r\\n isnotempty(city) or\\r\\n isnotempty(country_code) or\\r\\n isnotempty(country_name) or\\r\\n isnotempty(isp) or\\r\\n isnotempty(latitude) or\\r\\n isnotempty(longitude) or\\r\\n isnotempty(org) or\\r\\n isnotempty(postal_code) 
or\\r\\n isnotempty(region)\\r\\n| project \\r\\n ['Asn Number'] = asn_num,\\r\\n City = city,\\r\\n ['Country Code'] = country_code,\\r\\n ['Country Name'] = country_name,\\r\\n Isp = isp,\\r\\n Latitude = latitude,\\r\\n Longitude = longitude,\\r\\n Org = org,\\r\\n ['Postal Code'] = postal_code,\\r\\n Region = region\",\"size\":3,\"title\":\"Geo Graphic Details\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_tld_risk_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"tld_risk\\\" \\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_matches = column_ifexists(\\\"data_matches_s\\\",\\\"\\\")\\r\\n| mv-expand todynamic(data_matches)\\r\\n| project data_matches\\r\\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\\\"')\\r\\n| where\\r\\n isnotempty(confidence) or\\r\\n isnotempty(popular) or\\r\\n isnotempty(rare) or\\r\\n isnotempty(score) or\\r\\n isnotempty(score_label) or\\r\\n isnotempty(tld)\\r\\n| project \\r\\n ['Score Label'] = score_label,\\r\\n Score = score,\\r\\n TLD = tld,\\r\\n Confidence = confidence,\\r\\n Popular = popular,\\r\\n Rare = rare\\r\\n\\r\\n\",\"size\":0,\"title\":\"TLD 
Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Score Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High Risk\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_nameserver_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"nameserver\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_nameserver_matches_CL) on $left.task_id_g == $right.task_id_g\\r\\n|extend \\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"ns_reputation_confidence_s\\\",\\\"\\\"),\\r\\n Label = column_ifexists(\\\"ns_reputation_label_s\\\",\\\"\\\"),\\r\\n malicious_counts = column_ifexists(\\\"ns_reputation_malicious_counts_s\\\",\\\"\\\"),\\r\\n Popular = column_ifexists(\\\"ns_reputation_popular_s\\\",\\\"\\\"),\\r\\n Rare = 
column_ifexists(\\\"ns_reputation_rare_s\\\",\\\"\\\"),\\r\\n raw_score = column_ifexists(\\\"ns_reputation_raw_score_s\\\",\\\"\\\"),\\r\\n Score = column_ifexists(\\\"ns_reputation_score_s\\\",\\\"\\\"),\\r\\n total_counts = column_ifexists(\\\"ns_reputation_total_counts_s\\\",\\\"\\\")\\r\\n| where\\r\\n isnotempty(Domain) or\\r\\n isnotempty(Confidence) or\\r\\n isnotempty(Label) or\\r\\n isnotempty(malicious_counts) or\\r\\n isnotempty(Popular) or\\r\\n isnotempty(Rare) or\\r\\n isnotempty(raw_score) or\\r\\n isnotempty(Score) or\\r\\n isnotempty(total_counts)\\r\\n| project \\r\\n Domain,\\r\\n Label,\\r\\n Score,\\r\\n Confidence,\\r\\n Popular,\\r\\n Rare,\\r\\n ['Raw Score'] = raw_score,\\r\\n ['Total Counts'] = total_counts,\\r\\n ['Malicious Counts'] = malicious_counts\\r\\n\",\"size\":0,\"title\":\"Nameserver Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High Risk\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Very Low Risk\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"Popular\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Popular\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 
14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\")\\r\\n| project \\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Confidence,\\r\\n Class,\\r\\n Detected,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Imported,\\r\\n Received,\\r\\n Up,\\r\\n Expiration,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details 
(ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whois_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"whois\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n RegistrantName = column_ifexists(\\\"data_response_registrant_s\\\",\\\"\\\"),\\r\\n Nameservers = column_ifexists(\\\"data_response_nameservers_s\\\",\\\"\\\"),\\r\\n RegistrarEmail = column_ifexists(\\\"data_response_parsed_whois_registrar_abuse_contact_email_s\\\",\\\"\\\"),\\r\\n RegistrarPhone = column_ifexists(\\\"data_response_parsed_whois_registrar_abuse_contact_phone_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"data_response_parsed_whois_domain_s\\\",\\\"\\\"),\\r\\n Created = column_ifexists(\\\"data_response_registration_created_t\\\",\\\"\\\"),\\r\\n Expires = column_ifexists(\\\"data_response_registration_expires_t\\\",\\\"\\\"),\\r\\n Statuses = column_ifexists(\\\"data_response_registration_statuses_s\\\",\\\"\\\"),\\r\\n Updated = column_ifexists(\\\"data_response_registration_updated_t\\\",\\\"\\\")\\r\\n| where \\r\\n isnotempty(RegistrantName) or\\r\\n isnotempty(Nameservers) or\\r\\n isnotempty(RegistrarEmail) or\\r\\n isnotempty(RegistrarPhone) or\\r\\n isnotempty(Domain) or\\r\\n isnotempty(Created) or\\r\\n isnotempty(Expires) or\\r\\n isnotempty(Statuses) or\\r\\n 
isnotempty(Updated)\\r\\n| extend Nameservers = replace_string(Nameservers,'\\\"','')\\r\\n| extend Nameservers = replace_string(Nameservers,',',', ')\\r\\n| extend Nameservers = trim(@\\\"[\\\\[\\\\]]\\\",Nameservers)\\r\\n| extend Statuses = replace_string(Statuses,'\\\"','')\\r\\n| extend Statuses = replace_string(Statuses,',',', ')\\r\\n| extend Statuses = trim(@\\\"[\\\\[\\\\]]\\\",Statuses)\\r\\n| project \\r\\n ['Registrant Name'] = RegistrantName,\\r\\n Domain,\\r\\n Statuses,\\r\\n ['Name Servers'] = Nameservers,\\r\\n ['Registrar Email'] = RegistrarEmail,\\r\\n ['Registrar Phone'] = RegistrarPhone,\\r\\n Created,\\r\\n Expires,\\r\\n Updated\",\"size\":3,\"title\":\"Registered Owner (WHOIS)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nlet dns_A_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n A = column_ifexists(\\\"data_A_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_A_s)\\r\\n | project Type=\\\"A\\\", Value=data_A_s.ip, Reverse=data_A_s.reverse, TTL=data_A_s.ttl;\\r\\nlet dns_AAAA_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n 
AAAA = column_ifexists(\\\"data_AAAA_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_AAAA_s)\\r\\n | project Type=\\\"AAAA\\\",Value=data_AAAA_s;\\r\\nlet dns_CERT_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n CERT = column_ifexists(\\\"data_CERT_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_CERT_s)\\r\\n | project Type=\\\"CERT\\\",Value=data_CERT_s;\\r\\nlet dns_CNAME_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n CNAME = column_ifexists(\\\"data_CNAME_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_CNAME_s)\\r\\n | project Type=\\\"CNAME\\\",Value=data_CNAME_s;\\r\\nlet dns_HTTPS_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n HTTPS = column_ifexists(\\\"data_HTTPS_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_HTTPS_s)\\r\\n | project Type=\\\"HTTPS\\\",Value=data_HTTPS_s;\\r\\nlet dns_NS_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n NS = column_ifexists(\\\"data_NS_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_NS_s)\\r\\n | project Type=\\\"NS\\\",Value=data_NS_s;\\r\\nlet dns_SOA_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and 
params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n SOA = column_ifexists(\\\"data_SOA_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_SOA_s)\\r\\n | project Type=\\\"SOA\\\",Value=data_SOA_s;\\r\\nlet dns_MX_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n MX = column_ifexists(\\\"data_MX_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_MX_s)\\r\\n | project Type=\\\"MX\\\",Value=data_MX_s;\\r\\nlet dns_SVCB_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n SVCB = column_ifexists(\\\"data_SVCB_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_SVCB_s)\\r\\n | project Type=\\\"SVCB\\\",Value=data_SVCB_s;\\r\\nlet dns_TSIG_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n TSIG = column_ifexists(\\\"data_TSIG_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_TSIG_s)\\r\\n | project Type=\\\"TSIG\\\",Value=data_TSIG_s;\\r\\nlet dns_TXT_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n TXT = column_ifexists(\\\"data_TXT_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_TXT_s)\\r\\n | project Type=\\\"TXT\\\",Value=data_TXT_s;\\r\\n union 
dns_A_data,dns_AAAA_data,dns_CERT_data,\\r\\ndns_CNAME_data,\\r\\ndns_HTTPS_data,\\r\\ndns_NS_data,\\r\\ndns_SOA_data,\\r\\ndns_MX_data,\\r\\ndns_SVCB_data,\\r\\ndns_TSIG_data,\\r\\ndns_TXT_data\\r\\n| where isnotempty( Value) or isnotempty( Reverse) or isnotempty( TTL)\\r\\n| sort by Type asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current DNS\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"host\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project 
tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelisted\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_ptr_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s == \\\"ip\\\" and params_source_s == \\\"ptr\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend ptr_record = column_ifexists(\\\"data_ptr_record_s\\\",\\\"\\\")\\r\\n| extend ptr_record = case( isempty(ptr_record), \\\"Not Found\\\",ptr_record)\\r\\n| project ptr_record\",\"size\":3,\"title\":\"Domain Name Associated (PTR)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"ptr_record\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Not 
Found\",\"representation\":\"Unavailable\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, 
params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_rpz_feeds_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"rpz_feeds\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n feed_name = column_ifexists(\\\"feed_name_s\\\",\\\"\\\"),\\r\\n property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n threat_level = column_ifexists(\\\"threat_level_d\\\", 0)\\r\\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\\r\\n|extend Severity = case( tolong(threat_level) >= 75, \\\"High\\\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \\\"Medium\\\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\\\"Low\\\",tolong(threat_level) <25 , \\\"Info\\\",\\\"\\\")\\r\\n| project\\r\\n ['Feed Name'] = feed_name,\\r\\n ['Threat Level'] = threat_level,\\r\\n Severity,\\r\\n Property = property,\\r\\n Class = class,\\r\\n Detected = detected,\\r\\n Expiration = expiration\",\"size\":3,\"showAnalytics\":true,\"title\":\"Active Threat Feeds and Status (RPZ 
Feeds)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = 
data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_geo_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend\\r\\n asn_num = column_ifexists(\\\"data_asn_num_s\\\", \\\"\\\"),\\r\\n city = column_ifexists(\\\"data_city_s\\\", \\\"\\\"),\\r\\n country_code = column_ifexists(\\\"data_country_code_s\\\", \\\"\\\"),\\r\\n country_name = column_ifexists(\\\"data_country_name_s\\\", \\\"\\\"),\\r\\n isp = column_ifexists(\\\"data_isp_s\\\", \\\"\\\"),\\r\\n latitude = column_ifexists(\\\"data_latitude_d\\\", \\\"\\\"),\\r\\n longitude = column_ifexists(\\\"data_longitude_d\\\", \\\"\\\"),\\r\\n org = column_ifexists(\\\"data_org_s\\\", \\\"\\\"),\\r\\n postal_code = column_ifexists(\\\"data_postal_code_s\\\", \\\"\\\"),\\r\\n region = column_ifexists(\\\"data_region_s\\\", \\\"\\\")\\r\\n| where\\r\\n isnotempty(asn_num) or\\r\\n isnotempty(city) or\\r\\n isnotempty(country_code) or\\r\\n isnotempty(country_name) or\\r\\n isnotempty(isp) or\\r\\n isnotempty(latitude) or\\r\\n isnotempty(longitude) or\\r\\n isnotempty(org) or\\r\\n isnotempty(postal_code) or\\r\\n isnotempty(region) \\r\\n| project \\r\\n ['Asn Number'] = asn_num,\\r\\n City = city,\\r\\n ['Country Code'] = country_code,\\r\\n ['Country Name'] = country_name,\\r\\n Isp = 
isp,\\r\\n Latitude = latitude,\\r\\n Longitude = longitude,\\r\\n Org = org,\\r\\n ['Postal Code'] = postal_code,\\r\\n Region = region\",\"size\":3,\"title\":\"Geo Graphic Details\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n IP = column_ifexists(\\\"ip_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n Threatlevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n IP,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = Threatlevel,\\r\\n Detected,\\r\\n 
Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whois_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"whois\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\nCountry = column_ifexists(\\\"data_response_ip_response_country_s\\\",\\\"\\\"),\\r\\nHandle = column_ifexists(\\\"data_response_ip_response_handle_s\\\",\\\"\\\"),\\r\\nlast_changed = column_ifexists(\\\"data_response_ip_response_last_changed_t\\\",\\\"\\\"),\\r\\nName = column_ifexists(\\\"data_response_ip_response_name_s\\\",\\\"\\\"),\\r\\nnet_range = column_ifexists(\\\"data_response_ip_response_net_range_s\\\",\\\"\\\"),\\r\\nnet_type = column_ifexists(\\\"data_response_ip_response_net_type_s\\\",\\\"\\\"),\\r\\nParent = column_ifexists(\\\"data_response_ip_response_parent_s\\\",\\\"\\\"),\\r\\nRegistration = column_ifexists(\\\"data_response_ip_response_registration_t\\\",\\\"\\\"),\\r\\nsource_registery = column_ifexists(\\\"data_response_ip_response_source_registery_s\\\",\\\"\\\")\\r\\n| where\\r\\n isnotempty(Country) or\\r\\n isnotempty(Handle) or\\r\\n isnotempty(last_changed) or\\r\\n isnotempty(Name) or\\r\\n isnotempty(net_range) or\\r\\n 
isnotempty(net_type) or\\r\\n isnotempty(Parent) or\\r\\n isnotempty(Registration) or\\r\\n isnotempty(source_registery)\\r\\n| project \\r\\n Name,\\r\\n Country,\\r\\n Handle,\\r\\n ['Network Range'] = net_range,\\r\\n ['Network Type'] = net_type,\\r\\n Parent,\\r\\n ['Source Registery'] = source_registery,\\r\\n ['Last Changed'] = last_changed ,\\r\\n Registration\",\"size\":3,\"title\":\"Registered Owner (WHOIS)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"ip\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project 
tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelist\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_infoblox_web_cat_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"infoblox_web_cat\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_results_s = column_ifexists(\\\"data_results_s\\\",\\\"\\\")\\r\\n| where isnotempty(data_results_s)\\r\\n| extend data_results_s = parse_json(data_results_s)\\r\\n| mv-expand data_results_s\\r\\n| project ['Web Category'] = data_results_s.name\",\"size\":3,\"title\":\"Web Categories\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Web 
Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Uncategorized\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Found\",\"representation\":\"Unknown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"sortOrderField\":2,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"80\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat 
Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_tld_risk_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"tld_risk\\\" \\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_matches = column_ifexists(\\\"data_matches_s\\\",\\\"\\\")\\r\\n| mv-expand todynamic(data_matches)\\r\\n| project data_matches\\r\\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\\\"')\\r\\n| where\\r\\n isnotempty(confidence) or\\r\\n isnotempty(popular) or\\r\\n isnotempty(rare) or\\r\\n isnotempty(score) or\\r\\n isnotempty(score_label) or\\r\\n isnotempty(tld)\\r\\n| project \\r\\n ['Score Label'] = score_label,\\r\\n Score = score,\\r\\n TLD = tld,\\r\\n Confidence = confidence,\\r\\n Popular = popular,\\r\\n Rare = rare\\r\\n\\r\\n\",\"size\":3,\"title\":\"TLD Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Score Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High 
Risk\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion 
isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Url = column_ifexists(\\\"url_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Url,\\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 
12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 3 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Hash = column_ifexists(\\\"hash_s\\\",\\\"\\\"),\\r\\n HashType = column_ifexists(\\\"hash_type_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = 
column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Hash,\\r\\n ['Hash Type'] = HashType,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"hash\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5 - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"email\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"email\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Email = column_ifexists(\\\"email_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = 
column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Email,\\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"email\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 
3\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Dossier Function App** which is deployed with the Microsoft Sentinel Solution.\\r\\n
Please configure this function app first and keep it enabled in order to use this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":1,\"content\":{\"json\":\"## Infoblox Dossier Lookup via Incidents\\r\\n---\\r\\n\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"## Steps to perform Dossier Lookup via Incident using this workbook\\r\\n- This workbook is intended to help perform Dossier Lookup for Indicators via Incidents.\\r\\n- Select **Dossier Function App Name** which is deployed with the Microsoft Sentinel Solution.\\r\\n- Select TimeRange and Type for Incidents .\\r\\n- From the **Available Incidents** panel, select any indicator and click on the **GET DOSSIER DATA** link (You will be redirect in new tab) to get the Dossier Lookup information for the Indicator of that Incident.\\r\\n- This will execute the function app in the background to get the Dossier Lookup data.\\r\\n- You will be able to see a message like **Refresh to check for Dossier data availability**.\\r\\n- Click on the refresh button above the message until you get a message like **Click here to view the data**.\\r\\n- Click on that message and it will display various lookup panels for different source data.\\r\\n
\\r\\n
\\r\\n**Note** :\\r\\n\\t* The lookup information will be cache for 24 hours in sentinel.
\\r\\n\\t* It is suggested to perform a **Hard Refresh** before getting Dossier data for the new target. Otherwise, the source drill down panels will not be populated properly.\",\"style\":\"upsell\"},\"name\":\"text - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1bc43239-b48a-4894-a7ef-5d9326cfe690\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DurableFunction\",\"label\":\"Dossier Function App Name\",\"type\":5,\"isRequired\":true,\"query\":\"resources\\r\\n| where type contains \\\"microsoft.web/sites\\\"\\r\\n| where name startswith \\\"dossier\\\"\\r\\n| distinct name\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"de1d2274-20d3-4f7f-81cf-d8df4db9c0ec\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"10e7adfc-f0de-45db-b3e7-1adc0b3fe3b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Type\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityAlert\\r\\n| mv-expand todynamic(Entities)\\r\\n| where Entities.Type in ('ip','filehash','url','host')\\r\\n| distinct 
tostring(Entities.Type)\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentName\\r\\n| extend AlertIds = todynamic(AlertIds)\\r\\n| extend AlertId = tostring(AlertIds[0])\\r\\n| join kind=inner (SecurityAlert| project SystemAlertId, Entities) on $left.AlertId == $right.SystemAlertId\\r\\n| mv-expand todynamic(Entities)\\r\\n| extend IOCType = case(Entities.Type =~ \\\"filehash\\\",\\\"hash\\\",Entities.Type)\\r\\n| extend IOCValue = case(IOCType =~ \\\"ip\\\", Entities.Address, \\r\\n IOCType =~ \\\"hash\\\", Entities.Value,\\r\\n IOCType =~ \\\"host\\\", Entities.NetBiosName,\\r\\n IOCType =~ \\\"url\\\", Entities.Url,\\r\\n \\\"\\\")\\r\\n|extend ['Dossier Lookup'] =strcat('https://','{DurableFunction}','.azurewebsites.net/api/orchestrators/InfobloxDossierOrchestrator?target=',IOCValue,'&type=',IOCType)\\r\\n| where isnotempty(IOCType) and isnotempty(IOCValue)\\r\\n| where \\\"{Type:escapejson}\\\" == '*' or IOCType in ({Type})\\r\\n| summarize arg_max(TimeGenerated, *) by ['IOC Value'] = IOCValue,['IOC Type'] = tostring(IOCType)\\r\\n| project ['IOC Value'], ['IOC Type'], IncidentUrl, ['Dossier Lookup'], IncidentName, Title, Description, Severity, Status, ProviderName, CreatedTime, IncidentNumber, Tasks, Labels, ModifiedBy\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Available Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"IOC 
Value\",\"parameterName\":\"IOCValue\",\"parameterType\":1},{\"fieldName\":\"IOC Type\",\"parameterName\":\"IOCType\",\"parameterType\":1},{\"fieldName\":\"Dossier Lookup\",\"parameterName\":\"Dossier_Lookup\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"Dossier Lookup\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"GET DOSSIER DATA\"}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DurableFunction\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 0\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string) [];\\r\\nunion isfuzzy=true dummy_table, dossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_source_s == \\\"atp\\\"\\r\\n| summarize count()\\r\\n| extend status = case(count_ == 0 , \\\"Refresh to check for Dossier data availability\\\",\\\"Click here to view the data\\\")\\r\\n| project status\\r\\n\",\"size\":3,\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"exportFieldName\":\"status\",\"exportParameterName\":\"dossier_status\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"},\"textSettings\":{\"style\":\"editor\"}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"IOCValue\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Dossier_Lookup\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 
10\",\"styleSettings\":{\"maxWidth\":\"30%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelist\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, 
params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_infoblox_web_cat_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"infoblox_web_cat\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_results_s = column_ifexists(\\\"data_results_s\\\",\\\"\\\")\\r\\n| where isnotempty(data_results_s)\\r\\n| extend data_results_s = parse_json(data_results_s)\\r\\n| mv-expand data_results_s\\r\\n| project ['Web Category'] = data_results_s.name\",\"size\":3,\"title\":\"Web Categories\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Web Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Uncategorized\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Found\",\"representation\":\"Unknown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"sortOrderField\":2,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"80\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize 
arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_rpz_feeds_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"rpz_feeds\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n feed_name = column_ifexists(\\\"feed_name_s\\\",\\\"\\\"),\\r\\n property = 
column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n threat_level = column_ifexists(\\\"threat_level_d\\\", 0)\\r\\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\\r\\n|extend Severity = case( tolong(threat_level) >= 75, \\\"High\\\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \\\"Medium\\\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\\\"Low\\\",tolong(threat_level) <25 , \\\"Info\\\",\\\"\\\")\\r\\n| project\\r\\n ['Feed Name'] = feed_name,\\r\\n ['Threat Level'] = threat_level,\\r\\n Severity,\\r\\n Property = property,\\r\\n Class = class,\\r\\n Detected = detected,\\r\\n Expiration = expiration\",\"size\":3,\"showAnalytics\":true,\"title\":\"Active Threat Feeds and Status (RPZ Feeds)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, 
params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_inforank_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"inforank\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n Domain = column_ifexists(\\\"data_domain_s\\\",\\\"\\\"),\\r\\n Interval = column_ifexists(\\\"data_interval_s\\\",\\\"\\\"),\\r\\n Rank = column_ifexists(\\\"data_rank_d\\\",\\\"\\\"),\\r\\n Message = column_ifexists(\\\"data_message_s\\\",\\\"\\\")\\r\\n| where\\r\\nisnotempty(Domain) or\\r\\nisnotempty(Interval) or\\r\\nisnotempty(Rank) or\\r\\nisnotempty(Message)\\r\\n| project \\r\\n Domain,\\r\\n Interval,\\r\\n Rank,\\r\\n Message\\r\\n\\r\\n\",\"size\":3,\"title\":\"Inforank Ranking\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = 
data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_threat_actor_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"threat_actor\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n actor_description = column_ifexists( \\\"data_actor_description_s\\\",\\\"\\\"),\\r\\n actor_name = column_ifexists( \\\"data_actor_name_s\\\",\\\"\\\"),\\r\\n purpose = column_ifexists( \\\"data_purpose_s\\\",\\\"\\\"),\\r\\n related_count = column_ifexists( \\\"data_related_count_s\\\",\\\"\\\"),\\r\\n ttp = column_ifexists( \\\"data_ttp_s\\\",\\\"\\\"),\\r\\n Url = strcat('https://csp.infoblox.com/#/security_research/search/auto/','{IOCValue}','/threat-actor')\\r\\n| where\\r\\n isnotempty(actor_description) or\\r\\n isnotempty(actor_name) or\\r\\n isnotempty(purpose) or\\r\\n isnotempty(ttp)\\r\\n| extend purpose = replace_string(purpose,'\\\"','')\\r\\n| extend purpose = replace_string(purpose,',',', ')\\r\\n| extend purpose = trim(@\\\"[\\\\[\\\\]]\\\",purpose)\\r\\n| extend ttp = replace_string(ttp,'\\\"','')\\r\\n| extend ttp = replace_string(ttp,',',', ')\\r\\n| extend ttp = trim(@\\\"[\\\\[\\\\]]\\\",ttp)\\r\\n| project\\r\\n ['Actor Description'] = actor_description,\\r\\n ['Actor Name'] = actor_name,\\r\\n Purpose = purpose,\\r\\n ['Related Count'] = related_count,\\r\\n ['CSP Portal'] 
= Url,\\r\\n Ttp = ttp\",\"size\":3,\"title\":\"DNS Threat Actor\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CSP Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"More Detail\"}}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_geo_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend\\r\\n asn_num = column_ifexists(\\\"data_asn_num_s\\\", \\\"\\\"),\\r\\n city = column_ifexists(\\\"data_city_s\\\", \\\"\\\"),\\r\\n country_code = column_ifexists(\\\"data_country_code_s\\\", \\\"\\\"),\\r\\n country_name = column_ifexists(\\\"data_country_name_s\\\", \\\"\\\"),\\r\\n isp = column_ifexists(\\\"data_isp_s\\\", \\\"\\\"),\\r\\n latitude = column_ifexists(\\\"data_latitude_d\\\", \\\"\\\"),\\r\\n longitude = column_ifexists(\\\"data_longitude_d\\\", \\\"\\\"),\\r\\n org = column_ifexists(\\\"data_org_s\\\", \\\"\\\"),\\r\\n postal_code = column_ifexists(\\\"data_postal_code_s\\\", \\\"\\\"),\\r\\n region = column_ifexists(\\\"data_region_s\\\", \\\"\\\")\\r\\n| where\\r\\n isnotempty(asn_num) or\\r\\n isnotempty(city) or\\r\\n isnotempty(country_code) or\\r\\n isnotempty(country_name) or\\r\\n isnotempty(isp) or\\r\\n isnotempty(latitude) or\\r\\n isnotempty(longitude) or\\r\\n isnotempty(org) or\\r\\n isnotempty(postal_code) 
or\\r\\n isnotempty(region)\\r\\n| project \\r\\n ['Asn Number'] = asn_num,\\r\\n City = city,\\r\\n ['Country Code'] = country_code,\\r\\n ['Country Name'] = country_name,\\r\\n Isp = isp,\\r\\n Latitude = latitude,\\r\\n Longitude = longitude,\\r\\n Org = org,\\r\\n ['Postal Code'] = postal_code,\\r\\n Region = region\",\"size\":3,\"title\":\"Geo Graphic Details\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_tld_risk_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"tld_risk\\\" \\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_matches = column_ifexists(\\\"data_matches_s\\\",\\\"\\\")\\r\\n| mv-expand todynamic(data_matches)\\r\\n| project data_matches\\r\\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\\\"')\\r\\n| where\\r\\n isnotempty(confidence) or\\r\\n isnotempty(popular) or\\r\\n isnotempty(rare) or\\r\\n isnotempty(score) or\\r\\n isnotempty(score_label) or\\r\\n isnotempty(tld)\\r\\n| project \\r\\n ['Score Label'] = score_label,\\r\\n Score = score,\\r\\n TLD = tld,\\r\\n Confidence = confidence,\\r\\n Popular = popular,\\r\\n Rare = rare\\r\\n\\r\\n\",\"size\":0,\"title\":\"TLD 
Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Score Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High Risk\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_nameserver_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"nameserver\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_nameserver_matches_CL) on $left.task_id_g == $right.task_id_g\\r\\n|extend \\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"ns_reputation_confidence_s\\\",\\\"\\\"),\\r\\n Label = column_ifexists(\\\"ns_reputation_label_s\\\",\\\"\\\"),\\r\\n malicious_counts = column_ifexists(\\\"ns_reputation_malicious_counts_s\\\",\\\"\\\"),\\r\\n Popular = column_ifexists(\\\"ns_reputation_popular_s\\\",\\\"\\\"),\\r\\n Rare = 
column_ifexists(\\\"ns_reputation_rare_s\\\",\\\"\\\"),\\r\\n raw_score = column_ifexists(\\\"ns_reputation_raw_score_s\\\",\\\"\\\"),\\r\\n Score = column_ifexists(\\\"ns_reputation_score_s\\\",\\\"\\\"),\\r\\n total_counts = column_ifexists(\\\"ns_reputation_total_counts_s\\\",\\\"\\\")\\r\\n| where\\r\\n isnotempty(Domain) or\\r\\n isnotempty(Confidence) or\\r\\n isnotempty(Label) or\\r\\n isnotempty(malicious_counts) or\\r\\n isnotempty(Popular) or\\r\\n isnotempty(Rare) or\\r\\n isnotempty(raw_score) or\\r\\n isnotempty(Score) or\\r\\n isnotempty(total_counts)\\r\\n| project \\r\\n Domain,\\r\\n Label,\\r\\n Score,\\r\\n Confidence,\\r\\n Popular,\\r\\n Rare,\\r\\n ['Raw Score'] = raw_score,\\r\\n ['Total Counts'] = total_counts,\\r\\n ['Malicious Counts'] = malicious_counts\\r\\n\",\"size\":0,\"title\":\"Nameserver Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High Risk\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Very Low Risk\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"sortBy\":[{\"itemKey\":\"Popular\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Popular\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 
14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\")\\r\\n| project \\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Confidence,\\r\\n Class,\\r\\n Detected,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Imported,\\r\\n Received,\\r\\n Up,\\r\\n Expiration,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details 
(ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whois_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"whois\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\n RegistrantName = column_ifexists(\\\"data_response_registrant_s\\\",\\\"\\\"),\\r\\n Nameservers = column_ifexists(\\\"data_response_nameservers_s\\\",\\\"\\\"),\\r\\n RegistrarEmail = column_ifexists(\\\"data_response_parsed_whois_registrar_abuse_contact_email_s\\\",\\\"\\\"),\\r\\n RegistrarPhone = column_ifexists(\\\"data_response_parsed_whois_registrar_abuse_contact_phone_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"data_response_parsed_whois_domain_s\\\",\\\"\\\"),\\r\\n Created = column_ifexists(\\\"data_response_registration_created_t\\\",\\\"\\\"),\\r\\n Expires = column_ifexists(\\\"data_response_registration_expires_t\\\",\\\"\\\"),\\r\\n Statuses = column_ifexists(\\\"data_response_registration_statuses_s\\\",\\\"\\\"),\\r\\n Updated = column_ifexists(\\\"data_response_registration_updated_t\\\",\\\"\\\")\\r\\n| where \\r\\n isnotempty(RegistrantName) or\\r\\n isnotempty(Nameservers) or\\r\\n isnotempty(RegistrarEmail) or\\r\\n isnotempty(RegistrarPhone) or\\r\\n isnotempty(Domain) or\\r\\n isnotempty(Created) or\\r\\n isnotempty(Expires) or\\r\\n isnotempty(Statuses) or\\r\\n 
isnotempty(Updated)\\r\\n| extend Nameservers = replace_string(Nameservers,'\\\"','')\\r\\n| extend Nameservers = replace_string(Nameservers,',',', ')\\r\\n| extend Nameservers = trim(@\\\"[\\\\[\\\\]]\\\",Nameservers)\\r\\n| extend Statuses = replace_string(Statuses,'\\\"','')\\r\\n| extend Statuses = replace_string(Statuses,',',', ')\\r\\n| extend Statuses = trim(@\\\"[\\\\[\\\\]]\\\",Statuses)\\r\\n| project \\r\\n ['Registrant Name'] = RegistrantName,\\r\\n Domain,\\r\\n Statuses,\\r\\n ['Name Servers'] = Nameservers,\\r\\n ['Registrar Email'] = RegistrarEmail,\\r\\n ['Registrar Phone'] = RegistrarPhone,\\r\\n Created,\\r\\n Expires,\\r\\n Updated\",\"size\":3,\"title\":\"Registered Owner (WHOIS)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nlet dns_A_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n A = column_ifexists(\\\"data_A_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_A_s)\\r\\n | project Type=\\\"A\\\", Value=data_A_s.ip, Reverse=data_A_s.reverse, TTL=data_A_s.ttl;\\r\\nlet dns_AAAA_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n 
AAAA = column_ifexists(\\\"data_AAAA_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_AAAA_s)\\r\\n | project Type=\\\"AAAA\\\",Value=data_AAAA_s;\\r\\nlet dns_CERT_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n CERT = column_ifexists(\\\"data_CERT_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_CERT_s)\\r\\n | project Type=\\\"CERT\\\",Value=data_CERT_s;\\r\\nlet dns_CNAME_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n CNAME = column_ifexists(\\\"data_CNAME_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_CNAME_s)\\r\\n | project Type=\\\"CNAME\\\",Value=data_CNAME_s;\\r\\nlet dns_HTTPS_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n HTTPS = column_ifexists(\\\"data_HTTPS_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_HTTPS_s)\\r\\n | project Type=\\\"HTTPS\\\",Value=data_HTTPS_s;\\r\\nlet dns_NS_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n NS = column_ifexists(\\\"data_NS_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_NS_s)\\r\\n | project Type=\\\"NS\\\",Value=data_NS_s;\\r\\nlet dns_SOA_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and 
params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n SOA = column_ifexists(\\\"data_SOA_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_SOA_s)\\r\\n | project Type=\\\"SOA\\\",Value=data_SOA_s;\\r\\nlet dns_MX_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n MX = column_ifexists(\\\"data_MX_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_MX_s)\\r\\n | project Type=\\\"MX\\\",Value=data_MX_s;\\r\\nlet dns_SVCB_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n SVCB = column_ifexists(\\\"data_SVCB_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_SVCB_s)\\r\\n | project Type=\\\"SVCB\\\",Value=data_SVCB_s;\\r\\nlet dns_TSIG_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n TSIG = column_ifexists(\\\"data_TSIG_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_TSIG_s)\\r\\n | project Type=\\\"TSIG\\\",Value=data_TSIG_s;\\r\\nlet dns_TXT_data=\\r\\n union isfuzzy=true dummy_table,\\r\\n dossier_dns_CL\\r\\n | where params_target_s == '{IOCValue}' and params_type_s ==\\\"host\\\" and params_source_s == \\\"dns\\\"\\r\\n | summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n | extend\\r\\n TXT = column_ifexists(\\\"data_TXT_s\\\",\\\"\\\")\\r\\n | mv-expand todynamic(data_TXT_s)\\r\\n | project Type=\\\"TXT\\\",Value=data_TXT_s;\\r\\n union 
dns_A_data,dns_AAAA_data,dns_CERT_data,\\r\\ndns_CNAME_data,\\r\\ndns_HTTPS_data,\\r\\ndns_NS_data,\\r\\ndns_SOA_data,\\r\\ndns_MX_data,\\r\\ndns_SVCB_data,\\r\\ndns_TSIG_data,\\r\\ndns_TXT_data\\r\\n| where isnotempty( Value) or isnotempty( Reverse) or isnotempty( TTL)\\r\\n| sort by Type asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Current DNS\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Type\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"host\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project 
tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelisted\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_ptr_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s == \\\"ip\\\" and params_source_s == \\\"ptr\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend ptr_record = column_ifexists(\\\"data_ptr_record_s\\\",\\\"\\\")\\r\\n| extend ptr_record = case( isempty(ptr_record), \\\"Not Found\\\",ptr_record)\\r\\n| project ptr_record\",\"size\":3,\"title\":\"Domain Name Associated (PTR)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"ptr_record\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Not 
Found\",\"representation\":\"Unavailable\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"20\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 7 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, 
params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_rpz_feeds_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"rpz_feeds\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n feed_name = column_ifexists(\\\"feed_name_s\\\",\\\"\\\"),\\r\\n property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n threat_level = column_ifexists(\\\"threat_level_d\\\", 0)\\r\\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\\r\\n|extend Severity = case( tolong(threat_level) >= 75, \\\"High\\\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \\\"Medium\\\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\\\"Low\\\",tolong(threat_level) <25 , \\\"Info\\\",\\\"\\\")\\r\\n| project\\r\\n ['Feed Name'] = feed_name,\\r\\n ['Threat Level'] = threat_level,\\r\\n Severity,\\r\\n Property = property,\\r\\n Class = class,\\r\\n Detected = detected,\\r\\n Expiration = expiration\",\"size\":3,\"showAnalytics\":true,\"title\":\"Active Threat Feeds and Status (RPZ 
Feeds)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]}}]}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = 
data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_geo_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"geo\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend\\r\\n asn_num = column_ifexists(\\\"data_asn_num_s\\\", \\\"\\\"),\\r\\n city = column_ifexists(\\\"data_city_s\\\", \\\"\\\"),\\r\\n country_code = column_ifexists(\\\"data_country_code_s\\\", \\\"\\\"),\\r\\n country_name = column_ifexists(\\\"data_country_name_s\\\", \\\"\\\"),\\r\\n isp = column_ifexists(\\\"data_isp_s\\\", \\\"\\\"),\\r\\n latitude = column_ifexists(\\\"data_latitude_d\\\", \\\"\\\"),\\r\\n longitude = column_ifexists(\\\"data_longitude_d\\\", \\\"\\\"),\\r\\n org = column_ifexists(\\\"data_org_s\\\", \\\"\\\"),\\r\\n postal_code = column_ifexists(\\\"data_postal_code_s\\\", \\\"\\\"),\\r\\n region = column_ifexists(\\\"data_region_s\\\", \\\"\\\")\\r\\n| where\\r\\n isnotempty(asn_num) or\\r\\n isnotempty(city) or\\r\\n isnotempty(country_code) or\\r\\n isnotempty(country_name) or\\r\\n isnotempty(isp) or\\r\\n isnotempty(latitude) or\\r\\n isnotempty(longitude) or\\r\\n isnotempty(org) or\\r\\n isnotempty(postal_code) or\\r\\n isnotempty(region) \\r\\n| project \\r\\n ['Asn Number'] = asn_num,\\r\\n City = city,\\r\\n ['Country Code'] = country_code,\\r\\n ['Country Name'] = country_name,\\r\\n Isp = 
isp,\\r\\n Latitude = latitude,\\r\\n Longitude = longitude,\\r\\n Org = org,\\r\\n ['Postal Code'] = postal_code,\\r\\n Region = region\",\"size\":3,\"title\":\"Geo Graphic Details\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"60\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n IP = column_ifexists(\\\"ip_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n Threatlevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n IP,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = Threatlevel,\\r\\n Detected,\\r\\n 
Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whois_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"ip\\\" and params_source_s == \\\"whois\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend \\r\\nCountry = column_ifexists(\\\"data_response_ip_response_country_s\\\",\\\"\\\"),\\r\\nHandle = column_ifexists(\\\"data_response_ip_response_handle_s\\\",\\\"\\\"),\\r\\nlast_changed = column_ifexists(\\\"data_response_ip_response_last_changed_t\\\",\\\"\\\"),\\r\\nName = column_ifexists(\\\"data_response_ip_response_name_s\\\",\\\"\\\"),\\r\\nnet_range = column_ifexists(\\\"data_response_ip_response_net_range_s\\\",\\\"\\\"),\\r\\nnet_type = column_ifexists(\\\"data_response_ip_response_net_type_s\\\",\\\"\\\"),\\r\\nParent = column_ifexists(\\\"data_response_ip_response_parent_s\\\",\\\"\\\"),\\r\\nRegistration = column_ifexists(\\\"data_response_ip_response_registration_t\\\",\\\"\\\"),\\r\\nsource_registery = column_ifexists(\\\"data_response_ip_response_source_registery_s\\\",\\\"\\\")\\r\\n| where\\r\\n isnotempty(Country) or\\r\\n isnotempty(Handle) or\\r\\n isnotempty(last_changed) or\\r\\n isnotempty(Name) or\\r\\n isnotempty(net_range) or\\r\\n 
isnotempty(net_type) or\\r\\n isnotempty(Parent) or\\r\\n isnotempty(Registration) or\\r\\n isnotempty(source_registery)\\r\\n| project \\r\\n Name,\\r\\n Country,\\r\\n Handle,\\r\\n ['Network Range'] = net_range,\\r\\n ['Network Type'] = net_type,\\r\\n Parent,\\r\\n ['Source Registery'] = source_registery,\\r\\n ['Last Changed'] = last_changed ,\\r\\n Registration\",\"size\":3,\"title\":\"Registered Owner (WHOIS)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"ip\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_whitelist_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"whitelist\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_whitelisted_b = column_ifexists(\\\"data_whitelisted_b\\\",\\\"\\\")\\r\\n| where isnotempty(data_whitelisted_b)\\r\\n| project 
tostring(data_whitelisted_b)\",\"size\":3,\"title\":\"Whitelist\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"data_whitelisted_b\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"False\",\"representation\":\"failed\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"True\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"20\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_infoblox_web_cat_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"infoblox_web_cat\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_results_s = column_ifexists(\\\"data_results_s\\\",\\\"\\\")\\r\\n| where isnotempty(data_results_s)\\r\\n| extend data_results_s = parse_json(data_results_s)\\r\\n| mv-expand data_results_s\\r\\n| project ['Web Category'] = data_results_s.name\",\"size\":3,\"title\":\"Web Categories\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Web 
Category\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Uncategorized\",\"representation\":\"Normal\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not Found\",\"representation\":\"Unknown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Sev3\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"sortOrderField\":2,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"80\"}}]},\"customWidth\":\"0\",\"name\":\"group - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat 
Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_tld_risk_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"tld_risk\\\" \\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_matches = column_ifexists(\\\"data_matches_s\\\",\\\"\\\")\\r\\n| mv-expand todynamic(data_matches)\\r\\n| project data_matches\\r\\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\\\"')\\r\\n| where\\r\\n isnotempty(confidence) or\\r\\n isnotempty(popular) or\\r\\n isnotempty(rare) or\\r\\n isnotempty(score) or\\r\\n isnotempty(score_label) or\\r\\n isnotempty(tld)\\r\\n| project \\r\\n ['Score Label'] = score_label,\\r\\n Score = score,\\r\\n TLD = tld,\\r\\n Confidence = confidence,\\r\\n Popular = popular,\\r\\n Rare = rare\\r\\n\\r\\n\",\"size\":3,\"title\":\"TLD Reputation\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Score Label\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High 
Risk\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Moderate Risk\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low Risk\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}]},\"tileSettings\":{\"showBorder\":false}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion 
isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"url\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Url = column_ifexists(\\\"url_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Url,\\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 
12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 3 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_malware_analysis_v3_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"malware_analysis_v3\\\"| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| extend data_info = column_ifexists(\\\"data_info_s\\\",\\\"\\\"), data_reason = column_ifexists(\\\"data_reason_s\\\",\\\"\\\"), Status = column_ifexists(\\\"status_s\\\",\\\"\\\")\\r\\n| where Status == \\\"error\\\"\\r\\n| project Information = data_info, Reason = data_reason\",\"size\":3,\"title\":\"VirusTotal\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"hash\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Hash = column_ifexists(\\\"hash_s\\\",\\\"\\\"),\\r\\n HashType = column_ifexists(\\\"hash_type_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = 
column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Hash,\\r\\n ['Hash Type'] = HashType,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"hash\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 5 - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"email\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\")\\r\\n| where todatetime(Expiration) >= now()\\r\\n| distinct ['Threat Property'] = Property\",\"size\":3,\"title\":\"Threat Property\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Threat Property\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"}]}},\"showBorder\":true,\"size\":\"auto\"}},\"customWidth\":\"0\",\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"---\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\ndossier_atp_CL\\r\\n| where params_target_s == '{IOCValue}' and params_type_s ==\\\"email\\\" and params_source_s == \\\"atp\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by params_target_s\\r\\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\\r\\n| extend \\r\\n Email = column_ifexists(\\\"email_s\\\",\\\"\\\"),\\r\\n Host = column_ifexists(\\\"host_s\\\",\\\"\\\"),\\r\\n Domain = column_ifexists(\\\"domain_s\\\",\\\"\\\"),\\r\\n TLD = 
column_ifexists(\\\"tld_s\\\",\\\"\\\"),\\r\\n Profile = column_ifexists(\\\"profile_s\\\",\\\"\\\"),\\r\\n Property = column_ifexists(\\\"property_s\\\",\\\"\\\"),\\r\\n Class = column_ifexists(\\\"class_s\\\",\\\"\\\"),\\r\\n Confidence = column_ifexists(\\\"confidence_d\\\",\\\"\\\"),\\r\\n ThreatLevel = column_ifexists(\\\"threat_level_d\\\",\\\"\\\"),\\r\\n Detected = column_ifexists(\\\"detected_t\\\",\\\"\\\"),\\r\\n Received = column_ifexists(\\\"received_t\\\",\\\"\\\"),\\r\\n Imported = column_ifexists(\\\"imported_t\\\",\\\"\\\"),\\r\\n Expiration = column_ifexists(\\\"expiration_t\\\",\\\"\\\"),\\r\\n Up = column_ifexists(\\\"up_s\\\",\\\"\\\"),\\r\\n Dga = column_ifexists(\\\"dga_s\\\",\\\"\\\"),\\r\\n Notes = column_ifexists(\\\"extended_notes_s\\\",\\\"\\\")\\r\\n| project \\r\\n Email,\\r\\n Host,\\r\\n Domain,\\r\\n TLD,\\r\\n Profile,\\r\\n Property,\\r\\n Class,\\r\\n Confidence,\\r\\n ['Threat Level'] = ThreatLevel,\\r\\n Detected,\\r\\n Received,\\r\\n Imported,\\r\\n Expiration,\\r\\n Up,\\r\\n Dga,\\r\\n Notes\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Details (ATP)\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"},\"name\":\"query - 12\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibilities\":[{\"parameterName\":\"IOCType\",\"comparison\":\"isEqualTo\",\"value\":\"email\"},{\"parameterName\":\"dossier_status\",\"comparison\":\"isEqualTo\",\"value\":\"Click here to view the data\"}],\"name\":\"group - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 2\",\"styleSettings\":{\"padding\":\"10px\"}}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox 
Lookup Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "properties": {
+ "description": "@{workbookKey=InfobloxLookupWorkbook; logoFileName=infoblox_logo.svg; description=The Infoblox Lookup Workbook provides comprehensive insights through lookups on various data types including IP, Host, URL, Hash, and Email.\nThe workbook features distinct tabs for targeted lookups. \nThe 'TIDE' tab delivers insights from Infoblox TIDE data, while the 'Dossier' tab aggregates information from a range of other third party sources. \nTo obtain detailed insights, enter the relevant data into the specified fields within each tab. 
\nThis allows users to efficiently gather and analyze critical information.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=Infoblox Lookup Workbook; templateRelativePath=Infoblox_Lookup_Workbook.json; subtitle=Efficiently Gather and Analyze Critical Information of TIDE and Dossier with Targeted Lookups; provider=Infoblox}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Infoblox",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Infoblox"
+ },
+ "support": {
+ "name": "Infoblox",
+ "tier": "Partner",
+ "link": "https://support.infoblox.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "dossier_whois_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_whitelist_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_tld_risk_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_threat_actor_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_rpz_feeds_records_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_rpz_feeds_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_nameserver_matches_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_nameserver_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_malware_analysis_v3_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_inforank_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_infoblox_web_cat_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_geo_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_dns_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_atp_threat_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_atp_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "dossier_ptr_CL",
+ 
"kind": "DataType"
+ },
+ {
+ "contentId": "tide_lookup_data_CL",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "SecurityAlert",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "SecurityIncident",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "InfobloxDataConnector",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Infoblox_Workbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId2')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "The Infoblox Workbook is a detailed analytical tool comprising six tabs: SOC Insights, Config Insights, Blocked DNS, DNS, DHCP, Service Log, Audit and Threat Intelligence. 
\nIt fetches data from Common Event Format (CEF) logs to provide standardized and comprehensive insights into network security and operations. \nEach tab focuses on specific areas such as overall security metrics, blocked DNS requests, DNS activities, DHCP allocations, various service logs, and a combination of audit records with threat intelligence. \nThis workbook enables efficient monitoring and proactive management of network security and performance."
+ },
+ "properties": {
+ "displayName": "[parameters('workbook2-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log 
Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by 
DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: string, 
InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host 
Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and 
DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps 
which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"66b112e0-3187-4faa-9357-d229e98002ca\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == 
\\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "properties": { + "description": "@{workbookKey=InfobloxWorkbook; logoFileName=infoblox_logo.svg; description=The Infoblox Workbook is a detailed analytical tool comprising six tabs: SOC Insights, Config Insights, Blocked DNS, DNS, DHCP, Service Log, Audit and Threat Intelligence. \nIt fetches data from Common Event Format (CEF) logs to provide standardized and comprehensive insights into network security and operations. \nEach tab focuses on specific areas such as overall security metrics, blocked DNS requests, DNS activities, DHCP allocations, various service logs, and a combination of audit records with threat intelligence. 
\nThis workbook enables efficient monitoring and proactive management of network security and performance.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0; title=Infoblox Workbook; templateRelativePath=Infoblox_Workbook.json; subtitle=Efficiently Monitor and Manage Network Security and Performance with Comprehensive Insights; provider=Infoblox}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "CommonSecurityLog", + "kind": "DataType" + }, + { + "contentId": "IP_Space_Info_CL", + "kind": "DataType" + }, + { + "contentId": "Service_Name_Info_CL", + "kind": "DataType" + }, + { + "contentId": "Host_Name_Info_CL", + "kind": "DataType" + }, + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + }, + { + "contentId": "SecurityAlert", + "kind": "DataType" + }, + { + "contentId": "SecurityIncident", + "kind": "DataType" + }, + { + "contentId": "InfobloxInsight", + "kind": "DataType" + }, + { + "contentId": "InfobloxInsightAssets", + "kind": "DataType" + }, + { + "contentId": "InfobloxInsightComments", + "kind": "DataType" + }, + { + "contentId": "InfobloxInsightIndicators", + "kind": "DataType" + }, + { + "contentId": "InfobloxInsightEvents", + "kind": "DataType" + }, + { + "contentId": "Infoblox_Config_Insights_CL", + "kind": "DataType" + }, + { + "contentId": "Infoblox_Config_Insight_Details_CL", + "kind": "DataType" + }, + { + "contentId": "InfobloxCloudDataConnectorAma", + "kind": "DataConnector" + }, + { + 
"contentId": "InfobloxSOCInsightsDataConnector_AMA", + "kind": "DataConnector" + }, + { + "contentId": "InfobloxSOCInsightsDataConnector_API", + "kind": "DataConnector" + }, + { + "contentId": "InfobloxSOCInsightsDataConnector_Legacy", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Infoblox SOC Insight detected in logs sourced via REST API. 
Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxInsight**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxInsight.yaml).", + "displayName": "Infoblox - SOC Insight Detected - API Source", + "enabled": false, + "query": "InfobloxInsight\n| summarize arg_max(TimeGenerated, *) by InfobloxInsightID\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "InfobloxSOCInsightsDataConnector_API", + "dataTypes": [ + "InfobloxInsight" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1498", + "T1565" + ], + "entityMappings": [ + { + "entityType": "SecurityGroup", + "fieldMappings": [ + { + "columnName": "InfobloxInsightID", + "identifier": "ObjectGuid" + } + ] + }, + { + "entityType": "Malware", + "fieldMappings": [ + { + "columnName": "ThreatClass", + "identifier": "Name" + }, + { + "columnName": "ThreatProperty", + "identifier": "Category" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "UnblockedHits": "NotBlockedCount", + "Severity": "Priority", + "FirstSeen": "FirstSeen", + "SpreadingDate": "SpreadingDate", + "LastSeen": "LastSeen", + "FeedSource": "FeedSource", + "Status": "Status", + "BlockedHits": "BlockedCount", + "InfobloxInsightID": "InfobloxInsightID", + "TotalHits": "EventsCount", + "PersistentDate": "PersistentDate" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. 
Last Observation: {{LastSeen}}", + "alertSeverityColumnName": "IncidentSeverity", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" + }, + "incidentConfiguration": { + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Infoblox Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Infoblox - SOC Insight Detected - API Source", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + 
"dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Infoblox SOC Insight detected in logs sourced via Infoblox CDC. Customize scheduling, responses and more. This rule depends on a parser based on a Kusto Function to work as expected called [**InfobloxCDC_SOCInsights**](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml).", + "displayName": "Infoblox - SOC Insight Detected - CDC Source", + "enabled": false, + "query": "InfobloxCDC_SOCInsights\n| summarize arg_max(TimeGenerated, *) by InfobloxInsightID\n", + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "InfobloxSOCInsightsDataConnector_Legacy", + "dataTypes": [ + "CommonSecurityLog (InfobloxCDC_SOCInsights)" + ] + }, + { + "connectorId": "InfobloxSOCInsightsDataConnector_AMA", + "dataTypes": [ + "CommonSecurityLog (InfobloxCDC_SOCInsights)" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1498", + "T1565" + ], + 
"entityMappings": [ + { + "entityType": "SecurityGroup", + "fieldMappings": [ + { + "columnName": "InfobloxInsightID", + "identifier": "ObjectGuid" + } + ] + }, + { + "entityType": "Malware", + "fieldMappings": [ + { + "columnName": "ThreatClass", + "identifier": "Name" + }, + { + "columnName": "ThreatProperty", + "identifier": "Category" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "UnblockedHits": "NotBlockedCount", + "TotalHits": "EventsCount", + "FeedSource": "FeedSource", + "Status": "Status", + "BlockedHits": "BlockedCount", + "InfobloxInsightID": "InfobloxInsightID" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}", + "alertSeverityColumnName": "IncidentSeverity", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" + }, + "incidentConfiguration": { + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Infoblox Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": 
"[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Infoblox - SOC Insight Detected - CDC Source", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxCDC_SOCInsights", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxCDC_SOCInsights", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID == \"BloxOne-InsightsNotification-Log\"\n| extend AdditionalExtensions = strcat(AdditionalExtensions, \";\")\n| extend \n// SOC Insights\nBlockedCount = toint(extract(\"InfobloxEventsBlockedCount=(.*?);\", 1, 
AdditionalExtensions)),\nNotBlockedCount = toint(extract(\"InfobloxEventsNotBlockedCount=(.*?);\", 1, AdditionalExtensions)),\nInfobloxInsightID = extract(\"InfobloxInsightId=(.*?);\", 1, AdditionalExtensions),\nThreatType = extract(\"InfobloxInsightThreatType=(.*?);\", 1, AdditionalExtensions),\nThreatClass = extract(\"InfobloxThreatClass=(.*?);\", 1, AdditionalExtensions),\nThreatProperty = extract(\"InfobloxThreatFamily=(.*?);\", 1, AdditionalExtensions),\nThreatFamily = extract(\"InfobloxThreatFamily=(.*?);\", 1, AdditionalExtensions),\nStatus = extract(\"status=(.*?);\", 1, AdditionalExtensions),\nFeedSource = extract(\"InfobloxInsightFeedSource=(.*?);\", 1, AdditionalExtensions),\nComment = extract(\"InfobloxInsightUserComment=(.*?);\", 1, AdditionalExtensions),\nDescription = extract(\"InfobloxInsightDescription=(.*?);\", 1, AdditionalExtensions),\nInfobloxInsightLogType = \"Insight\",\nThreatConfidence_Score = toint(extract(\"InfobloxThreatConfidence=(.*?);\", 1, AdditionalExtensions))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" ),\nThreatLevel_Score = toint(extract(\"InfobloxThreatLevel=(.*?);\", 1, AdditionalExtensions))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend IncidentSeverity= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Informational\",\n \"N/A\" )\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', 
last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxCDC_SOCInsights')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Infoblox", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxCDC_SOCInsights", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxCDC_SOCInsights", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxCDC_SOCInsights", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data 
Connector\" and DeviceEventClassID == \"BloxOne-InsightsNotification-Log\"\n| extend AdditionalExtensions = strcat(AdditionalExtensions, \";\")\n| extend \n// SOC Insights\nBlockedCount = toint(extract(\"InfobloxEventsBlockedCount=(.*?);\", 1, AdditionalExtensions)),\nNotBlockedCount = toint(extract(\"InfobloxEventsNotBlockedCount=(.*?);\", 1, AdditionalExtensions)),\nInfobloxInsightID = extract(\"InfobloxInsightId=(.*?);\", 1, AdditionalExtensions),\nThreatType = extract(\"InfobloxInsightThreatType=(.*?);\", 1, AdditionalExtensions),\nThreatClass = extract(\"InfobloxThreatClass=(.*?);\", 1, AdditionalExtensions),\nThreatProperty = extract(\"InfobloxThreatFamily=(.*?);\", 1, AdditionalExtensions),\nThreatFamily = extract(\"InfobloxThreatFamily=(.*?);\", 1, AdditionalExtensions),\nStatus = extract(\"status=(.*?);\", 1, AdditionalExtensions),\nFeedSource = extract(\"InfobloxInsightFeedSource=(.*?);\", 1, AdditionalExtensions),\nComment = extract(\"InfobloxInsightUserComment=(.*?);\", 1, AdditionalExtensions),\nDescription = extract(\"InfobloxInsightDescription=(.*?);\", 1, AdditionalExtensions),\nInfobloxInsightLogType = \"Insight\",\nThreatConfidence_Score = toint(extract(\"InfobloxThreatConfidence=(.*?);\", 1, AdditionalExtensions))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" ),\nThreatLevel_Score = toint(extract(\"InfobloxThreatLevel=(.*?);\", 1, AdditionalExtensions))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend IncidentSeverity= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Informational\",\n \"N/A\" )\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": 
"description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxCDC_SOCInsights')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxInsight Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + 
"eTag": "*", + "displayName": "Parser for InfobloxInsight", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsight", + "query": "InfobloxInsight_CL\n| where InfobloxInsightLogType_s == \"Insight\"\n| extend \nInfobloxInsightID=column_ifexists('insightId_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nBlockedCount=toint(column_ifexists('eventsBlockedCount_s', '')),\nFeedSource=column_ifexists('feedSource_s', ''),\nStatus=column_ifexists('status_s', ''),\nLastSeen=column_ifexists('mostRecentAt_t', ''),\nNotBlockedCount=toint(column_ifexists('eventsNotBlockedCount_s', '')),\nEventsCount=toint(column_ifexists('numEvents_s', '')),\nPersistent=column_ifexists('persistent_b', ''),\nPersistentDate=column_ifexists('persistentDate_t', ''),\nSpreading=column_ifexists('spreading_b', ''),\nSpreadingDate=column_ifexists('spreadingDate_t', ''),\nFirstSeen=column_ifexists('startedAt_t', ''),\nThreatClass=column_ifexists('tClass_s', ''),\nThreatProperty=column_ifexists('tFamily_s', ''),\nThreatFamily=column_ifexists('tFamily_s', ''),\nThreatType=column_ifexists('threatType_s', ''),\nPriority=column_ifexists('priorityText_s', ''),\nDateChanged=column_ifexists('dateChanged_t ', ''),\nCommentChanger=column_ifexists('changer_s', ''),\nComment=column_ifexists('userComment_s', '')\n| extend IncidentSeverity = case(Priority==\"CRITICAL\", \"High\",\n Priority==\"HIGH\", \"High\",\n Priority==\"MEDIUM\", \"Medium\",\n Priority ==\"LOW\",\"Low\",\n Priority ==\"INFO\",\"Informational\",\n \"N/A\" )\n| project-away \n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + 
"[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsight')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Infoblox", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxInsight", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "version": "[variables('parserObject2').parserVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsight", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsight", + "query": "InfobloxInsight_CL\n| where InfobloxInsightLogType_s == \"Insight\"\n| extend \nInfobloxInsightID=column_ifexists('insightId_g', 
''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nBlockedCount=toint(column_ifexists('eventsBlockedCount_s', '')),\nFeedSource=column_ifexists('feedSource_s', ''),\nStatus=column_ifexists('status_s', ''),\nLastSeen=column_ifexists('mostRecentAt_t', ''),\nNotBlockedCount=toint(column_ifexists('eventsNotBlockedCount_s', '')),\nEventsCount=toint(column_ifexists('numEvents_s', '')),\nPersistent=column_ifexists('persistent_b', ''),\nPersistentDate=column_ifexists('persistentDate_t', ''),\nSpreading=column_ifexists('spreading_b', ''),\nSpreadingDate=column_ifexists('spreadingDate_t', ''),\nFirstSeen=column_ifexists('startedAt_t', ''),\nThreatClass=column_ifexists('tClass_s', ''),\nThreatProperty=column_ifexists('tFamily_s', ''),\nThreatFamily=column_ifexists('tFamily_s', ''),\nThreatType=column_ifexists('threatType_s', ''),\nPriority=column_ifexists('priorityText_s', ''),\nDateChanged=column_ifexists('dateChanged_t ', ''),\nCommentChanger=column_ifexists('changer_s', ''),\nComment=column_ifexists('userComment_s', '')\n| extend IncidentSeverity = case(Priority==\"CRITICAL\", \"High\",\n Priority==\"HIGH\", \"High\",\n Priority==\"MEDIUM\", \"Medium\",\n Priority ==\"LOW\",\"Low\",\n Priority ==\"INFO\",\"Informational\",\n \"N/A\" )\n| project-away \n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsight')]", + "contentId": 
"[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject3').parserTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxInsightAssets Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject3').parserVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject3')._parserName3]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightAssets", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightAssets", + "query": "InfobloxInsightAssets_CL\n| where InfobloxInsightLogType_s == \"Asset\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nAssetID=column_ifexists('cid_s', ''),\nSourceMACAddress=column_ifexists('cmac_s', ''),\nEventCount=column_ifexists('count_d', ''),\nInfobloxB1SrcOSVersion=column_ifexists('os_version_s', 
''),\nSourceIP=column_ifexists('qip_s', ''),\nSourceIPDistinctCount=column_ifexists('qipDistinctCount_d', ''),\nIndicatorDistinctCount=column_ifexists('threatIndicatorDistinctCount_s', ''),\nLastSeen=column_ifexists('timeMax_t', ''),\nFirstSeen=column_ifexists('timeMin_t', ''),\nSourceUserName=column_ifexists('user_s', ''),\nLocation=column_ifexists('location_s', '')\n| extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend ThreatConfidence_Score=toint(column_ifexists('confidenceLevelMax_d', ''))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" )\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightAssets')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "name": "Infoblox", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject3').parserContentId3]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxInsightAssets", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "version": "[variables('parserObject3').parserVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject3')._parserName3]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightAssets", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightAssets", + "query": "InfobloxInsightAssets_CL\n| where InfobloxInsightLogType_s == \"Asset\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nAssetID=column_ifexists('cid_s', ''),\nSourceMACAddress=column_ifexists('cmac_s', ''),\nEventCount=column_ifexists('count_d', ''),\nInfobloxB1SrcOSVersion=column_ifexists('os_version_s', ''),\nSourceIP=column_ifexists('qip_s', ''),\nSourceIPDistinctCount=column_ifexists('qipDistinctCount_d', ''),\nIndicatorDistinctCount=column_ifexists('threatIndicatorDistinctCount_s', ''),\nLastSeen=column_ifexists('timeMax_t', ''),\nFirstSeen=column_ifexists('timeMin_t', ''),\nSourceUserName=column_ifexists('user_s', ''),\nLocation=column_ifexists('location_s', '')\n| extend 
ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend ThreatConfidence_Score=toint(column_ifexists('confidenceLevelMax_d', ''))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" )\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightAssets')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject4').parserTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxInsightComments Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject4').parserVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject4')._parserName4]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightComments", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightComments", + "query": "InfobloxInsightComments_CL\n| where InfobloxInsightLogType_s == \"Comment\"\n| extend\nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nCommentChanger=column_ifexists('commentsChanger_s', ''),\nComment=column_ifexists('newComment_s', ''),\nDateChanged=column_ifexists('dateChanged_t', ''),\nStatus=column_ifexists('status_s', '')\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightComments')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", + "source": { + "name": "Infoblox", + "kind": "Solution", + 
"sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject4').parserContentId4]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxInsightComments", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "version": "[variables('parserObject4').parserVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject4')._parserName4]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightComments", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightComments", + "query": "InfobloxInsightComments_CL\n| where InfobloxInsightLogType_s == \"Comment\"\n| extend\nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nCommentChanger=column_ifexists('commentsChanger_s', ''),\nComment=column_ifexists('newComment_s', ''),\nDateChanged=column_ifexists('dateChanged_t', ''),\nStatus=column_ifexists('status_s', '')\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + 
"apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightComments')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject5').parserTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxInsightEvents Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject5').parserVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject5')._parserName5]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightEvents", + "category": "Microsoft Sentinel Parser", + 
"functionAlias": "InfobloxInsightEvents", + "query": "InfobloxInsightEvents_CL\n| where InfobloxInsightLogType_s == \"Event\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nThreatConfidence=column_ifexists('confidenceLevel_s', ''),\nDeviceName=column_ifexists('deviceName_s', ''),\nSourceMACAddress=column_ifexists('macAddress_s', ''),\nInfobloxB1Network=column_ifexists('source_s', ''),\nInfobloxB1SrcOSVersion=column_ifexists('osVersion_s', ''),\nInfobloxB1PolicyAction=column_ifexists('action_s', ''),\nInfobloxB1PolicyName=column_ifexists('policy_s', ''),\nSourceIP=column_ifexists('deviceIp_s', ''),\nDestinationDnsDomain=column_ifexists('query_s', ''),\nInfobloxDNSQType=column_ifexists('queryType_s', ''),\nThreatClass=column_ifexists('class_s', ''),\nThreatProperty=column_ifexists('threatFamily_s', ''),\nDetected = todatetime(trim_end(@\"\\+(.*?)\", column_ifexists('detected_s', ''))), \nThreatIndicator=iff(isnotempty(column_ifexists('threatIndicator_s', '')), column_ifexists('threatIndicator_s', ''), column_ifexists('query_s', '')),\nSourceUserName=column_ifexists('user_s', ''),\nDNSResponse=column_ifexists('response_s', ''),\nDNSView=column_ifexists('dnsView_s', ''),\nDeviceRegion=column_ifexists('deviceRegion_s', ''),\nDeviceCountry=column_ifexists('deviceCountry_s', ''),\nResponseRegion=column_ifexists('responseRegion_s', ''),\nResponseCountry=column_ifexists('responseCountry_s', ''),\nInfobloxB1FeedName=column_ifexists('feed_s', ''),\nInfobloxB1DHCPFingerprint=column_ifexists('dhcpFingerprint_s', ''),\nThreatLevel=column_ifexists('threatLevel_s', '')\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightEvents')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "name": "Infoblox", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject5').parserContentId5]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxInsightEvents", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "version": "[variables('parserObject5').parserVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject5')._parserName5]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightEvents", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightEvents", + "query": 
"InfobloxInsightEvents_CL\n| where InfobloxInsightLogType_s == \"Event\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nThreatConfidence=column_ifexists('confidenceLevel_s', ''),\nDeviceName=column_ifexists('deviceName_s', ''),\nSourceMACAddress=column_ifexists('macAddress_s', ''),\nInfobloxB1Network=column_ifexists('source_s', ''),\nInfobloxB1SrcOSVersion=column_ifexists('osVersion_s', ''),\nInfobloxB1PolicyAction=column_ifexists('action_s', ''),\nInfobloxB1PolicyName=column_ifexists('policy_s', ''),\nSourceIP=column_ifexists('deviceIp_s', ''),\nDestinationDnsDomain=column_ifexists('query_s', ''),\nInfobloxDNSQType=column_ifexists('queryType_s', ''),\nThreatClass=column_ifexists('class_s', ''),\nThreatProperty=column_ifexists('threatFamily_s', ''),\nDetected = todatetime(trim_end(@\"\\+(.*?)\", column_ifexists('detected_s', ''))), \nThreatIndicator=iff(isnotempty(column_ifexists('threatIndicator_s', '')), column_ifexists('threatIndicator_s', ''), column_ifexists('query_s', '')),\nSourceUserName=column_ifexists('user_s', ''),\nDNSResponse=column_ifexists('response_s', ''),\nDNSView=column_ifexists('dnsView_s', ''),\nDeviceRegion=column_ifexists('deviceRegion_s', ''),\nDeviceCountry=column_ifexists('deviceCountry_s', ''),\nResponseRegion=column_ifexists('responseRegion_s', ''),\nResponseCountry=column_ifexists('responseCountry_s', ''),\nInfobloxB1FeedName=column_ifexists('feed_s', ''),\nInfobloxB1DHCPFingerprint=column_ifexists('dhcpFingerprint_s', ''),\nThreatLevel=column_ifexists('threatLevel_s', '')\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightEvents')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject6').parserTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "InfobloxInsightIndicators Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject6').parserVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject6')._parserName6]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightIndicators", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightIndicators", + "query": "let IPRegex = 
'[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nInfobloxInsightIndicators_CL\n| where InfobloxInsightLogType_s == \"Indicator\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nInfobloxB1PolicyAction=column_ifexists('action_s', ''),\nSourceMACAddress=column_ifexists('cmac_s', ''),\nEventCount=column_ifexists('count_d', ''),\nThreatIndicator=column_ifexists('indicator_s', ''),\nDestinationDnsDomain=column_ifexists('indicator_s', ''),\nInfobloxB1FeedName=column_ifexists('feedName_s', ''),\nLastSeen=column_ifexists('timeMax_t', ''),\nFirstSeen=column_ifexists('timeMin_t', ''),\nThreatActor=column_ifexists('actor_s', '')\n| extend isIP = isnotempty(extract(IPRegex, 0, ThreatIndicator))\n| extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend ThreatConfidence_Score=toint(column_ifexists('confidence_s', ''))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" )\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "dependsOn": [ + "[variables('parserObject6')._parserId6]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightIndicators')]", + "contentId": 
"[variables('parserObject6').parserContentId6]", + "kind": "Parser", + "version": "[variables('parserObject6').parserVersion6]", + "source": { + "name": "Infoblox", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject6').parserContentId6]", + "contentKind": "Parser", + "displayName": "Parser for InfobloxInsightIndicators", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", + "version": "[variables('parserObject6').parserVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject6')._parserName6]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for InfobloxInsightIndicators", + "category": "Microsoft Sentinel Parser", + "functionAlias": "InfobloxInsightIndicators", + "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nInfobloxInsightIndicators_CL\n| where InfobloxInsightLogType_s == \"Indicator\"\n| extend \nInfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),\nInfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),\nInfobloxB1PolicyAction=column_ifexists('action_s', 
''),\nSourceMACAddress=column_ifexists('cmac_s', ''),\nEventCount=column_ifexists('count_d', ''),\nThreatIndicator=column_ifexists('indicator_s', ''),\nDestinationDnsDomain=column_ifexists('indicator_s', ''),\nInfobloxB1FeedName=column_ifexists('feedName_s', ''),\nLastSeen=column_ifexists('timeMax_t', ''),\nFirstSeen=column_ifexists('timeMin_t', ''),\nThreatActor=column_ifexists('actor_s', '')\n| extend isIP = isnotempty(extract(IPRegex, 0, ThreatIndicator))\n| extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))\n| extend ThreatLevel= case(ThreatLevel_Score==3, \"High\",\n ThreatLevel_Score==2, \"Medium\",\n ThreatLevel_Score==1, \"Low\",\n ThreatLevel_Score == 0,\"Info\",\n \"N/A\" )\n| extend ThreatConfidence_Score=toint(column_ifexists('confidence_s', ''))\n| extend ThreatConfidence= case(ThreatConfidence_Score==3, \"High\",\n ThreatConfidence_Score==2, \"Medium\",\n ThreatConfidence_Score==1, \"Low\",\n ThreatConfidence_Score == 0,\"Info\",\n \"N/A\" )\n| project-away\n*_*\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "dependsOn": [ + "[variables('parserObject6')._parserId6]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'InfobloxInsightIndicators')]", + "contentId": "[variables('parserObject6').parserContentId6]", + "kind": "Parser", + "version": "[variables('parserObject6').parserVersion6]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": 
"Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Block-Allow-IP-Domain", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "minLength": 1, + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + }, + "Teams Group Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Group where the adaptive card will be posted" + } + }, + "Teams Channel Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Channel where the adaptive card will be posted" + } + } + }, + "variables": { + "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API_Token": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]", + "type": "String" + }, + "TeamsChannelId": { + "defaultValue": "[[trim(parameters('Teams Channel Id'))]", + "type": "String" + }, + "TeamsGroupId": { + "defaultValue": "[[trim(parameters('Teams Group Id'))]", + "type": "String" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "GET" + } + } + }, + "actions": { + "Condition_For_Base_URL_is_Empty_or_Not": { + "actions": { + "Set_Default_Value_For_Base_URL": { + "type": "SetVariable", + "inputs": { + "name": "base_url", + "value": "https://csp.infoblox.com" + } 
+ } + }, + "runAfter": { + "Initialize_Named_List_Action": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('base_url'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_For_Response_is_Success_or_Not": { + "actions": { + "Condition_To_Check_If_There_is_Named_List_is_Available_in_Response": { + "actions": { + "Append_Add_to_List_Action_Variable": { + "runAfter": { + "For_Each_Lists_in_Result": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Add", + "value": "inserted" + } + } + }, + "Append_Remove_to_List_Action_Variable": { + "runAfter": { + "Append_Add_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Remove", + "value": "deleted" + } + } + }, + "Condition_For_Response_is_Success_or_Not_For_PATCH_Call": { + "actions": { + "Terminate_If_Successfully_Added_to_Named_List": { + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + }, + "runAfter": { + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "else": { + "actions": { + "Terminate_If_Not_Added_In_Named_List": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']}", + "message": "@{body('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']", + 201 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Lists_in_Result": { + "foreach": "@body('Parse_JSON_API_Call_Response')?['results']", + "actions": { + "Condition": { + "actions": { + "Append_Input_List_For_Adaptive_Card_DropDown": { + "type": "AppendToArrayVariable", + 
"inputs": { + "name": "Lists", + "value": { + "title": "@{items('For_Each_Lists_in_Result')?['name']}", + "value": "@{items('For_Each_Lists_in_Result')?['id']}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "startsWith": [ + "@items('For_Each_Lists_in_Result')?['name']", + "Threat Insight" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": { + "runAfter": { + "Set_Request_Body_For_PATCH_Call": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "@variables('req_body')", + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "PATCH", + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists/@{variables('list_id')}/items" + } + }, + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": { + "runAfter": { + "Append_Remove_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Submit Answer\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"id\": \"group-choice\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('Lists')},\n \"isRequired\": true,\n \"separator\": true,\n \"label\": \"Select Named list to add/remove IP or Domain\",\n \"errorMessage\": \"Please select one Named list first.\"\n },\n{\n \"id\": \"group-choice-1\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('List_action')},\n \"isRequired\": true,\n \"weight\": \"bolder\",\n 
\"label\": \"Select Named list action\",\n \"errorMessage\": \"Please select one Named list action.\"\n },\n {\n \"id\": \"member-input-1\",\n \"type\": \"Input.Text\",\n \"separator\": true,\n \"placeholder\": \"Provide IP / Domain value\",\n \"isRequired\": true,\n \"label\": \"Provide IP or Domain value to add/remove into Named list\",\n \"errorMessage\": \"Please enter one IP or Domain.\"\n },\n {\n \"id\": \"member-input-2\",\n \"type\": \"Input.Text\",\n \"separator\": true,\n \"placeholder\": \"Provide IP / Domain description\",\n \"label\": \"Provide IP or Domain description\"\n }\n ],\n \"type\": \"AdaptiveCard\",\n \"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@parameters('TeamsChannelId')", + "groupId": "@parameters('TeamsGroupId')" + }, + "updateMessage": "Thanks for your response!" + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_ID_From_Named_List_DropDown": { + "runAfter": { + "Set_Value_From_Adaptive_Card_Description": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "list_id", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice']}" + } + }, + "Set_Named_List_Action_Variable": { + "runAfter": { + "Set_ID_From_Named_List_DropDown": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "named_list_action", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice-1']}" + } + }, + "Set_Request_Body_For_PATCH_Call": { + "runAfter": { + "Set_Named_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "req_body", + "value": { + "@{variables('named_list_action')}_items_described": [ + { + 
"description": "@{variables('block_allow_description')}", + "item": "@{variables('block_allow_value')}" + } + ] + } + } + }, + "Set_Value_From_Adaptive_Card": { + "runAfter": { + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "block_allow_value", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['member-input-1']}" + } + }, + "Set_Value_From_Adaptive_Card_Description": { + "runAfter": { + "Set_Value_From_Adaptive_Card": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "block_allow_description", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['member-input-2']}" + } + } + }, + "runAfter": { + "Parse_JSON_API_Call_Response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_List_is_Empty": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "No Any Named List Available. 
" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(body('Parse_JSON_API_Call_Response')?['results'])", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_API_Call_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_not_Getting_Named_List": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "@{body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": { + "runAfter": { + "Condition_For_Base_URL_is_Empty_or_Not": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "GET", + "queries": { + "_fields": "name,id" + }, + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists" + } + }, + "Initialize_Description_For_Adaptive_Card_": { + "runAfter": { + "Initialize_Value_For_Adaptive_Card": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_description", + "type": "string" + } + ] + } + }, + "Initialize_Id_For_Named_List_DropDown": { + "runAfter": { + "Initialize_Input_List_For_Adaptive_Card_DropDown": [ + 
"Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "list_id", + "type": "string" + } + ] + } + }, + "Initialize_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": { + "Initialize_Variable_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Lists", + "type": "array" + } + ] + } + }, + "Initialize_List_For_Action": { + "runAfter": { + "Initialize_Request_Body_For_PATCH_Call": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "List_action", + "type": "array" + } + ] + } + }, + "Initialize_Named_List_Action": { + "runAfter": { + "Initialize_List_For_Action": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "named_list_action", + "type": "string" + } + ] + } + }, + "Initialize_Request_Body_For_PATCH_Call": { + "runAfter": { + "Initialize_Description_For_Adaptive_Card_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "req_body", + "type": "object" + } + ] + } + }, + "Initialize_Value_For_Adaptive_Card": { + "runAfter": { + "Initialize_Id_For_Named_List_DropDown": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_value", + "type": "string" + } + ] + } + }, + "Initialize_Variable_Base_URL": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Teams')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Block-Allow-IP-Domain", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Block-Allow-IP-Domain", + "description": "The playbook will add/remove IP or Domain value in Named List of Infoblox.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. Obtain Teams GroupId and ChannelId", + "a. Create a Team with public channel.", + "b. Click on three dots (...) 
present on right side of the your newly created teams channel and Get link to the channel.", + "c. Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId.", + "d. Copy the text of groupId parameter from link to use as groupId. " + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → API connections → Select teams connection resource", + "2. Go to General → edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "**b. Get Workflow URL**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → Overview", + "2. Copy Workflow URL", + "This URL can be use to trigger the Logic App directly" + ], + "entities": [ + "IP", + "Domain" + ], + "tags": [ + "Infoblox", + "IP", + "Domain" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Block-Allow-IP-Domain", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "minLength": 1, + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + }, + "Teams Group Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Group where the adaptive card will be posted" + } + }, + "Teams Channel Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Channel where the adaptive card will be posted" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", + "_connection-3": "[[variables('connection-3')]", + 
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API_Token": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox API Key'))]" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]" + }, + "TeamsChannelId": { + "type": "String", + "defaultValue": "[[trim(parameters('Teams Channel Id'))]" + }, + "TeamsGroupId": { + "type": "String", + "defaultValue": "[[trim(parameters('Teams Group Id'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_For_Base_URL_is_Empty_or_Not": { + "actions": { + "Set_Default_Value_For_Base_URL": { + "type": "SetVariable", + "inputs": { + "name": "base_url", + "value": "https://csp.infoblox.com" + } + } + }, + "runAfter": { + "Initialize_IP_or_Domain_String_Variable": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('base_url'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_For_No_Entity_is_Available_in_Incident": { + "actions": { + "Condition_For_Continue_Execution_of_Logic_App": { + "actions": { + "Terminate_When_User_Terminated_The_Logic__App": { + "type": "Terminate", + "inputs": { + "runError": { + 
"message": "User Terminated The Logic App" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Set_Cancel_Variable_For_Selection_of_Execution": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_For_Response_is_Success_or_Not": { + "actions": { + "Condition_To_Check_If_There_is_Named_List_is_Available_in_Response": { + "actions": { + "Append_Add_to_List_Action_Variable": { + "runAfter": { + "For_Each_Lists_in_Result": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Add", + "value": "inserted" + } + } + }, + "Append_Remove_to_List_Action_Variable": { + "runAfter": { + "Append_Add_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Remove", + "value": "deleted" + } + } + }, + "Condition_For_Response_is_Success_or_Not_For_PATCH_Call": { + "actions": { + "Terminate_If_Successfully_Added_to_Named_List": { + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + }, + "runAfter": { + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_If_Not_Added_In_Named_List": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']}", + "message": "Error Response : @{body('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']", + 201 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Lists_in_Result": { + "foreach": "@body('Parse_JSON_API_Call_Response')?['results']", + "actions": { + "Condition": { + "actions": { + "Append_Input_List_For_Adaptive_Card_DropDown": { + "type": "AppendToArrayVariable", + "inputs": { + "name": 
"Lists", + "value": { + "title": "@{items('For_Each_Lists_in_Result')?['name']}", + "value": "@{items('For_Each_Lists_in_Result')?['id']}" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "startsWith": [ + "@items('For_Each_Lists_in_Result')?['name']", + "Threat Insight" + ] + } + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + }, + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": { + "runAfter": { + "Set_Request_Body_For_PATCH_Call": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "@variables('req_body')", + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "PATCH", + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists/@{variables('list_id')}/items" + } + }, + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": { + "runAfter": { + "Append_Remove_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Submit\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\",\n\"value\":\"Submit\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"id\": \"group-choice\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('Lists')},\n \"isRequired\": true,\n \"separator\": true,\n \"weight\": \"bolder\",\n \"label\": \"Select Named list to add/remove IP or Domain\",\n \"errorMessage\": \"Select one Named list first.\"\n }, {\n \"id\": \"group-choice-1\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('List_action')},\n \"isRequired\": true,\n \"weight\": 
\"bolder\",\n \"label\": \"Select Named list action\",\n \"errorMessage\": \"Select one Named list action.\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"bolder\",\n \"text\": \"List of IP / Domain to perform selected action for Named list\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"spacing\": \"None\",\n \"text\": \"@{variables('ip_domain_string')}\" ,\n \"isSubtle\": true,\n \"wrap\": true\n }\n ],\n \"width\": \"stretch\"\n }\n ]\n }\n ],\n \"type\": \"AdaptiveCard\",\n \"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@{parameters('TeamsChannelId')}", + "groupId": "@{parameters('TeamsGroupId')}" + }, + "updateMessage": "Thanks for your response!" + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_ID_From_Named_List_DropDown": { + "runAfter": { + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "list_id", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice']}" + } + }, + "Set_Named_List_Action_Variable": { + "runAfter": { + "Set_ID_From_Named_List_DropDown": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "named_list_action", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice-1']}" + } + }, + "Set_Request_Body_For_PATCH_Call": { + "runAfter": { + "Set_Named_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "req_body", + "value": { + "@{variables('named_list_action')}_items_described": 
"@variables('ip_domain_req_body')" + } + } + } + }, + "runAfter": { + "Parse_JSON_API_Call_Response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_No_Named_List_Found": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "No Any Named List Available. " + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(body('Parse_JSON_API_Call_Response')?['results'])", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_API_Call_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_Request_Call_Get_Failed": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "@{body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "GET", + "queries": { + "_fields": "name,id" + }, + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('cancel_adaptive_card')", + 
"Cancel" + ] + } + ] + }, + "type": "If" + }, + "Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not": { + "runAfter": { + "Set_IP_or_Domain_String_Variable": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Yes\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\"\n },\n {\n \"title\": \"No\",\n \"type\": \"Action.Submit\",\n \"style\": \"destructive\",\n \"id\": \"Cancel\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"separator\": true,\n \"text\": \"List of IP / Domain to be added in Named list\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"spacing\": \"None\",\n \"text\": \"@{variables('ip_domain_string')}\" ,\n \"isSubtle\": true,\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Want to add or remove above IP or Domain in Named list?\"\n }\n ],\n \"type\": \"AdaptiveCard\",\n \"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@parameters('TeamsChannelId')", + "groupId": "@parameters('TeamsGroupId')" + }, + "updateMessage": "Thanks for your response!" 
+ }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_Cancel_Variable_For_Selection_of_Execution": { + "runAfter": { + "Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cancel_adaptive_card", + "value": "@{body('Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not')?['submitActionId']}" + } + }, + "Set_IP_or_Domain_String_Variable": { + "type": "SetVariable", + "inputs": { + "name": "ip_domain_string", + "value": "@{substring(variables('ip_domain_list'),0,sub(length(variables('ip_domain_list')),2))}" + } + } + }, + "runAfter": { + "For_Each_IP": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_No_Entity_Mapping_Found": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "404", + "message": "No Entity Mapping Found For IP or Host" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@empty(variables('ip_domain_req_body'))", + "@true" + ] + } + } + ] + }, + "type": "If" + }, + "Entities_-_Get_Hosts": { + "runAfter": { + "Condition_For_Base_URL_is_Empty_or_Not": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "For_Each_Domain": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_Domain": { + "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", + "actions": { + "Condition_To_Check_If_Host_Name_Empty_Found": { + "actions": { + "Append_Domain_in_IP_or_Domain_list_For_Request_Body_": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ip_domain_req_body", + "value": { + "item": "@items('For_Each_Domain')?['NetBiosName']" + } + } + }, + "Append_Domain_in_IP_or_Domain_list_variable": { + "runAfter": { + "Append_Domain_in_IP_or_Domain_list_For_Request_Body_": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_domain_list", + "value": "@{items('For_Each_Domain')?['NetBiosName']}, " + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_Each_Domain')?['NetBiosName']", + "@true" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_Hosts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Check_If_IP_Name_Empty_Found": { + "actions": { + "Append_IP_in_IP_or_Domain_String_Variable": { + "runAfter": { + "Append_IP_in_IP_or_Domain_list_For_Request_Body_": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_domain_list", + "value": "@{items('For_Each_IP')?['Address']}, " + } + }, + "Append_IP_in_IP_or_Domain_list_For_Request_Body_": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "ip_domain_req_body", + "value": { + "item": "@items('For_Each_IP')?['Address']" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@empty(items('For_Each_IP')?['Address'])", + "@true" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + 
"Initialize_Cancel_Adaptive_Card_Variable": { + "runAfter": { + "Initialize_IP_or_Domain_list_for_Request_Body": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "cancel_adaptive_card", + "type": "string" + } + ] + } + }, + "Initialize_Description_For_Adaptive_Card_": { + "runAfter": { + "Initialize_Value_For_Adaptive_Card": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_description", + "type": "string" + } + ] + } + }, + "Initialize_IP_or_Domain_String_Variable": { + "runAfter": { + "Initialize_Named_List_Action": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_string", + "type": "string" + } + ] + } + }, + "Initialize_IP_or_Domain_list_for_Request_Body": { + "runAfter": { + "Initialize_IP_or_Domain_list_in_Incidents": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_req_body", + "type": "array" + } + ] + } + }, + "Initialize_IP_or_Domain_list_in_Incidents": { + "runAfter": { + "Initialize_Request_Body_For_PATCH_Call": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_list", + "type": "string" + } + ] + } + }, + "Initialize_Id_For_Named_List_DropDown": { + "runAfter": { + "Initialize_Input_List_For_Adaptive_Card_DropDown": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "list_id", + "type": "string" + } + ] + } + }, + "Initialize_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": { + "Initialize_Variable_Comment_Count": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Lists", + "type": "array" + } + ] + } + }, + "Initialize_List_For_Action": { + "runAfter": { + "Initialize_Selected_Choice_Value": [ + "Succeeded" + ] + }, + "type": 
"InitializeVariable", + "inputs": { + "variables": [ + { + "name": "List_action", + "type": "array" + } + ] + } + }, + "Initialize_Named_List_Action": { + "runAfter": { + "Initialize_List_For_Action": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "named_list_action", + "type": "string" + } + ] + } + }, + "Initialize_Request_Body_For_PATCH_Call": { + "runAfter": { + "Initialize_Description_For_Adaptive_Card_": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "req_body", + "type": "object" + } + ] + } + }, + "Initialize_Selected_Choice_Value": { + "runAfter": { + "Initialize_Cancel_Adaptive_Card_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "selected_name_list", + "type": "string" + } + ] + } + }, + "Initialize_Value_For_Adaptive_Card": { + "runAfter": { + "Initialize_Id_For_Named_List_DropDown": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_value", + "type": "string" + } + ] + } + }, + "Initialize_Variable_Base_Url": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Variable_Comment_Count": { + "runAfter": { + "Initialize_Variable_Base_Url": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "comment_limit", + "type": "integer", + "value": "@triggerBody()?['object']?['properties']?['additionalData']?['commentsCount']" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_2": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "description": "The playbook will add / remove IP or Domain values in Named List that available in incidents of Infoblox.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. Obtain Teams GroupId and ChannelId", + "a. Create a Team with public channel.", + "b. Click on three dots (...) present on right side of the your newly created teams channel and Get link to the channel.", + "c. Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId.", + "d. Copy the text of groupId parameter from link to use as groupId. " + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → API connections → Select teams connection resource", + "2. Go to General → edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. 
Click Save" + ], + "entities": [ + "IP", + "Domain" + ], + "tags": [ + "Infoblox", + "IP", + "Domain", + "Incident" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Config-Insight-Details", + "metadata": { + "description": "Please keep the 'PlaybookName' parameter unchanged. 
Otherwise, you will need to manually adjust the 'PlaybookName' in the 'Infoblox Workbook - Infoblox Config Insights' Panel in edit mode" + }, + "type": "string" + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "InfobloxAPIKey": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "InfobloxBaseUrl": { + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "POST" + } + } + }, + "actions": { + "Condition": { + "actions": { + "Parse_Config_Insight_Details_Response": { + "type": "ParseJson", + "inputs": { + "content": "@body('GET_Config_Insight_Details')", + 
"schema": { + "properties": { + "result": { + "properties": { + "analyticInsightId": { + "type": "string" + }, + "feeds": { + "items": { + "properties": { + "currentAction": { + "type": "string" + }, + "feedName": { + "type": "string" + }, + "id": { + "type": "string" + }, + "recommendedAction": { + "type": "string" + }, + "ruleName": { + "type": "string" + }, + "ruleType": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "required": [ + "id", + "ruleType", + "ruleName", + "feedName", + "currentAction" + ], + "type": "object" + }, + "type": "array" + }, + "insightType": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Data_to_Sentinel": { + "runAfter": { + "Parse_Config_Insight_Details_Response": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_Config_Insight_Details_Response')?['result']}", + "headers": { + "Log-Type": "@variables('config_insight_details_table_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_11']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "GET_Config_Insight_Details": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('GET_Config_Insight_Details')['statusCode']}", + "message": "There was an error fetching config insights details. 
Error: @{body('GET_Config_Insight_Details')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('GET_Config_Insight_Details')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "GET_Config_Insight_Details": { + "runAfter": { + "Initialize_Config_Insight_Details_Table_Name": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('InfobloxAPIKey')}" + }, + "method": "GET", + "uri": "@variables('config_insight_details_url')" + } + }, + "Initialize_Config_Insight_Details_Table_Name": { + "runAfter": { + "Initialize_Config_Insights_Details_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_details_table_name", + "type": "string", + "value": "Infoblox_Config_Insight_Details" + } + ] + } + }, + "Initialize_Config_Insights_Details_URL": { + "runAfter": { + "Parse_Request_JSON": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_details_url", + "type": "string", + "value": "@{parameters('InfobloxBaseUrl')}/api/v1/config-insights/analytics/@{body('Parse_Request_JSON')?['config_insight_id']}" + } + ] + } + }, + "Parse_Request_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()", + "schema": { + "properties": { + "config_insight_id": { + "type": "string" + } + }, + "type": "object" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_11": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + 
} + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Config-Insight-Details", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Config-Insight-Details", + "description": "The playbook retrieves Config Insight Details Data and ingests it into a custom table within the Log Analytics Workspace on an on-demand basis from the Workbook.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. 
Authorize azuremonitorlogs connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save" + ], + "tags": [ + "Infoblox", + "Insights" + ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Config-Insight-Details", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Config-Insights Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Config-Insights", + "type": "string" + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { 
+ "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + }, + "Workspace Name": { + "type": "String", + "metadata": { + "description": "Enter name of Log Analytics Workspace where Infoblox Workbook is available" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "InfobloxAPIKey": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "InfobloxBaseUrl": { + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + 
"evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Check_if_Status_code_200_or_not": { + "actions": { + "Fetch_Existing_Data": { + "runAfter": { + "Parse_Config_Insight_List_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "let dummyschema = datatable(TimeGenerated:datetime, policyAnalyticsId_g:string, insightType_s:string, type_s:string)[];\nunion isfuzzy=true dummyschema,\n@{variables('config_insights_table_name')}\n| where TimeGenerated>ago(365d)\n| project policyAnalyticsId_g", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[trim(parameters('Workspace Name'))]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Last 24 hours" + } + } + }, + "For_Each_to_Append_Existing_Ids": { + "foreach": "@body('Fetch_Existing_Data')?['value']", + "actions": { + "Append_to_Existing_Ids": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "existing_ids", + "value": "@items('For_Each_to_Append_Existing_Ids')?['policyAnalyticsId_g']" + } + } + }, + "runAfter": { + "Fetch_Existing_Data": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_Each_to_ingest_data_to_Sentinel": { + "foreach": "@body('Parse_Config_Insight_List_ID')?['policyAnalyticsList']", + "actions": { + "Check_whether_Config_Insight_ID_already_in_Sentinel": { + "else": { + "actions": { + "Send_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{items('For_Each_to_ingest_data_to_Sentinel')}", + "headers": { + "Log-Type": "@variables('config_insights_table_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } 
+ } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('existing_ids'), items('For_each_to_ingest_data_to_Sentinel')['policyAnalyticsId'])", + true + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_Each_to_Append_Existing_Ids": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Config_Insight_List_ID": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP')", + "schema": { + "properties": { + "policyAnalyticsList": { + "items": { + "properties": { + "insightType": { + "type": "string" + }, + "policyAnalyticsId": { + "type": "string" + } + }, + "required": [ + "policyAnalyticsId", + "insightType" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP')['statusCode']}", + "message": "API request call failed. Kindly Run again after checking credentials. 
Error: @{body('HTTP')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP": { + "runAfter": { + "Initialize_Config_Insights_Table_Name": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('InfobloxAPIKey')}" + }, + "method": "GET", + "uri": "@variables('config_insight_list_url')" + } + }, + "Initialize_Config_Ids": { + "runAfter": { + "Initialize_Config_Insights_List_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_ids", + "type": "array" + } + ] + } + }, + "Initialize_Config_Insights_List_URL": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_list_url", + "type": "string", + "value": "@{parameters('InfobloxBaseUrl')}/api/v1/config-insights/analytics" + } + ] + } + }, + "Initialize_Config_Insights_Table_Name": { + "runAfter": { + "Initialize_Data_To_Send": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insights_table_name", + "type": "string", + "value": "Infoblox_Config_Insights_CL" + } + ] + } + }, + "Initialize_Data_To_Send": { + "runAfter": { + "Initialize_Existing_Ids": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "data_to_send", + "type": "array" + } + ] + } + }, + "Initialize_Existing_Ids": { + "runAfter": { + "Initialize_Config_Ids": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "existing_ids", + "type": "array" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": 
"[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Config-Insights", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzuremonitorlogsConnectionName')]", + "api": { + 
"id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Config-Insights", + "description": "The playbook retrieves Config Insight Data and ingests it into a custom table within the Log Analytics Workspace on a scheduled basis.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. Authorize azuremonitorlogs connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Authorize azureloganalyticsdatacollector connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. 
Click Save" + ], + "tags": [ + "Infoblox", + "Insights" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Config-Insights", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Data-Connector-Trigger-Sync", + "type": "string", + "metadata": { + "description": "Enter the playbook name" + } + }, + "Tenant ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Tenant ID" + } + }, + "Client ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Client ID" + } + }, + "Client Secret": { + "type": "securestring", + "metadata": { + "description": "Enter the Azure Client Secret" + } + }, + "Resource 
Group Name": { + "type": "string", + "metadata": { + "description": "Enter the Azure Resource Group Name in which your Infoblox data connectors are available" + } + }, + "Subscription ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Subscription ID in which your Infoblox data connectors are available, make sure that the subscription id is as per the Azure portal at all places" + } + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "triggers": { + "manual": { + "type": "Request", + "kind": "Http" + } + }, + "actions": { + "For_each_app": { + "foreach": "@body('Get_all_Infoblox_Function_apps')", + "actions": { + "Sync_timer_trigger_request": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "POST", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites/@{items('For_each_app')?['name']}/syncfunctiontriggers?api-version=2022-03-01" + } + } + }, + "runAfter": { + "Get_all_Infoblox_Function_apps": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Auth_token": { + "runAfter": { + "Initialize_Management_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "client_id=@{variables('Client Id')}&\nclient_secret=@{variables('Client 
Secret')}&\ngrant_type=client_credentials&\nscope=https://@{variables('Manage')}.azure.com/.default", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "https://login.@{variables('MicrosoftOnline')}.com/@{variables('Tenant Id')}/oauth2/v2.0/token" + } + }, + "Get_all_Infoblox_Function_apps": { + "runAfter": { + "Get_all_running_function_app": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Get_all_running_function_app')", + "where": "@or(startsWith(item()?['name'], 'Curr'), startsWith(item()?['name'], 'Hist'),startsWith(item()?['name'], 'Jparsehist'),startsWith(item()?['name'], 'Jparsecurr'),startsWith(item()?['name'], 'indhist'),startsWith(item()?['name'], 'indcurr'),startsWith(item()?['name'], 'dossierlook'))" + } + }, + "Get_all_running_function_app": { + "runAfter": { + "Parse_function_app_list": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_function_app_list')?['value']", + "where": "@equals(item()?['properties']?['state'], 'Running')" + } + }, + "Get_function_app_list": { + "runAfter": { + "Parse_Auth_token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "GET", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites?api-version=2022-03-01" + } + }, + "Initialize_Client_Id": { + "runAfter": { + "Initialize_Tenant_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Id", + "type": "string", + "value": "[[trim(parameters('Client ID'))]" + } + ] + } + }, + "Initialize_Client_Secret": { + "runAfter": { + "Initialize_Client_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Secret", + "type": 
"string", + "value": "[[trim(parameters('Client Secret'))]" + } + ] + } + }, + "Initialize_Management_variable": { + "runAfter": { + "Initialize_Microsoftonline_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Manage", + "type": "string", + "value": "management" + } + ] + } + }, + "Initialize_Microsoftonline_variable": { + "runAfter": { + "Subscription_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MicrosoftOnline", + "type": "string", + "value": "microsoftonline" + } + ] + } + }, + "Initialize_Resource_Group": { + "runAfter": { + "Initialize_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Resource Group Name", + "type": "string", + "value": "[[trim(parameters('Resource Group Name'))]" + } + ] + } + }, + "Initialize_Tenant_Id": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Tenant Id", + "type": "string", + "value": "[[trim(parameters('Tenant ID'))]" + } + ] + } + }, + "Parse_Auth_token": { + "runAfter": { + "Get_Auth_token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Auth_token')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "ext_expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_function_app_list": { + "runAfter": { + "Get_function_app_list": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_function_app_list')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "identity": { + "properties": { + "principalId": { + "type": "string" + }, + "tenantId": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "kind": 
{ + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "adminEnabled": { + "type": "boolean" + }, + "afdEnabled": { + "type": "boolean" + }, + "availabilityState": { + "type": "string" + }, + "clientAffinityEnabled": { + "type": "boolean" + }, + "clientCertEnabled": { + "type": "boolean" + }, + "clientCertMode": { + "type": "string" + }, + "containerSize": { + "type": "integer" + }, + "contentAvailabilityState": { + "type": "string" + }, + "csrs": { + "type": "array" + }, + "customDomainVerificationId": { + "type": "string" + }, + "dailyMemoryTimeQuota": { + "type": "integer" + }, + "defaultHostName": { + "type": "string" + }, + "defaultHostNameScope": { + "type": "string" + }, + "deploymentId": { + "type": "string" + }, + "dnsConfiguration": { + "type": "object" + }, + "eligibleLogCategories": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "enabledHostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "endToEndEncryptionEnabled": { + "type": "boolean" + }, + "ftpUsername": { + "type": "string" + }, + "ftpsHostName": { + "type": "string" + }, + "functionsRuntimeAdminIsolationEnabled": { + "type": "boolean" + }, + "homeStamp": { + "type": "string" + }, + "hostNameSslStates": { + "items": { + "properties": { + "hostType": { + "type": "string" + }, + "ipBasedSslState": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sslState": { + "type": "string" + } + }, + "required": [ + "name", + "sslState", + "ipBasedSslResult", + "virtualIP", + "virtualIPv6", + "thumbprint", + "certificateResourceId", + "toUpdate", + "toUpdateIpBasedSsl", + "ipBasedSslState", + "hostType" + ], + "type": "object" + }, + "type": "array" + }, + "hostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostNamesDisabled": { + "type": "boolean" + }, + "httpsOnly": { + "type": "boolean" + }, + "hyperV": { + "type": "boolean" + }, + 
"inboundIpAddress": { + "type": "string" + }, + "ipMode": { + "type": "string" + }, + "isXenon": { + "type": "boolean" + }, + "keyVaultReferenceIdentity": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "lastModifiedTimeUtc": { + "type": "string" + }, + "name": { + "type": "string" + }, + "outboundIpAddresses": { + "type": "string" + }, + "possibleInboundIpAddresses": { + "type": "string" + }, + "possibleOutboundIpAddresses": { + "type": "string" + }, + "redundancyMode": { + "type": "string" + }, + "repositorySiteName": { + "type": "string" + }, + "reserved": { + "type": "boolean" + }, + "resourceGroup": { + "type": "string" + }, + "runtimeAvailabilityState": { + "type": "string" + }, + "scmSiteAlsoStopped": { + "type": "boolean" + }, + "secretsCollection": { + "type": "array" + }, + "selfLink": { + "type": "string" + }, + "serverFarmId": { + "type": "string" + }, + "siteConfig": { + "properties": { + "acrUseManagedIdentityCreds": { + "type": "boolean" + }, + "alwaysOn": { + "type": "boolean" + }, + "functionAppScaleLimit": { + "type": "integer" + }, + "http20Enabled": { + "type": "boolean" + }, + "linuxFxVersion": { + "type": "string" + }, + "minimumElasticInstanceCount": { + "type": "integer" + }, + "numberOfWorkers": { + "type": "integer" + } + }, + "type": "object" + }, + "siteDisabledReason": { + "type": "integer" + }, + "siteProperties": { + "properties": { + "properties": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "sku": { + "type": "string" + }, + "state": { + "type": "string" + }, + "storageAccountRequired": { + "type": "boolean" + }, + "storageRecoveryDefaultState": { + "type": "string" + }, + "usageState": { + "type": "string" + }, + "vnetBackupRestoreEnabled": { + "type": "boolean" + }, + "vnetContentShareEnabled": { + "type": "boolean" + 
}, + "vnetImagePullEnabled": { + "type": "boolean" + }, + "vnetRouteAllEnabled": { + "type": "boolean" + }, + "webSpace": { + "type": "string" + } + }, + "type": "object" + }, + "tags": { + "properties": { + "Jira": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "kind", + "location", + "properties" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Subscription_Id": { + "runAfter": { + "Initialize_Resource_Group": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Subscription Id", + "type": "string", + "value": "[[trim(parameters('Subscription ID'))]" + } + ] + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Data-Connector-Trigger-Sync", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": "[variables('TemplateEmptyArray')]" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": 
"Infoblox-Data-Connector-Trigger-Sync", + "description": "Playbook to sync timer trigger of all Infoblox data connectors.", + "prerequisites": [ + "Users must have a below Microsoft credentials:", + "1.Tenant ID", + "2.Client ID", + "3.Client Secret", + "4.Resource Group Name", + "5.Subscription ID" + ], + "postDeployment": [ + "Run the playbook to sync timer trigger of all Infoblox data connectors." + ], + "tags": [ + "Infoblox", + "Sync", + "Timer", + "Trigger" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Data-Connector-Trigger-Sync", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-DHCP-Lookup", + "minLength": 1, + "type": "string", + 
"metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Workspace Name": { + "type": "string", + "metadata": { + "description": "Enter name of Log Analytics Workspace where DHCP data is available" + } + }, + "Lookup Time": { + "type": "string", + "defaultValue": "14d", + "metadata": { + "description": "Enter time period (in days) in which you want to search for DHCP lookup data" + } + } + }, + "variables": { + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Terminate_As_No_IPs_Found": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Entities_-_Get_IPs')?['IPs'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_IP_Address_is_Empty_Or_Not": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Condition_To_Verify_No_Empty_Results": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": { + "actions": { + "Add_Comment__For_Empty_Results_Found_For_IP": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Latest DHCP Lookup Data Found For IP: @{items('For_Each_IP')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_Results_For_IP": { + "runAfter": { + "Add_Comment__For_Empty_Results_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Count_Reach_To_99": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_To_100": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Query_Result": { + "foreach": "@body('Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period')?['value']", + "actions": { + "Condition_To_Verify_That_Comment_Limit_Does_Not_Exceeded": { + "actions": { + "Condition_To_Verify_Character_Limit_Does_Not_Exceeded": { + "actions": { + "Comment_For_HTML_Table": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Latest DCHP Lookup Detail For IP :-  @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
\n@{variables('html_table')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_HTML_Table": { + "runAfter": { + "Comment_For_HTML_Table": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Comment_For_Characters_Limit": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Query contains more than 30000 characters for IP: @{items('For_Each_IP')?['Address']} Latest DHCP lookup data.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Characters_Limit": { + "runAfter": { + "Comment_For_Characters_Limit": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "lessOrEquals": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_HTML_Table_Content_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Query_Result_Data": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_Each_Query_Result')", + "schema": { + "properties": { + "Activity": { + "type": "string" + }, + "DeviceAddress": { + "type": "string" + }, + "DeviceDnsDomain": { + "type": "string" + }, + "DeviceName": { + "type": "string" + }, + "InfobloxClientID": { + "type": "string" + }, + "InfobloxDHCPOptions": { + "type": "string" + }, + "InfobloxDUID": { + "type": "string" + }, + "InfobloxFingerprint": { + "type": "string" + }, + "InfobloxFingerprintPr": { + "type": "string" + }, + "InfobloxHost": { + "type": "string" + }, + "InfobloxHostID": { + "type": "string" + }, + "InfobloxIPSpace": { + "type": "string" + }, + "InfobloxLeaseOp": { + "type": "string" + }, + "InfobloxLeaseUUID": { + "type": "string" + }, + "InfobloxLifetime": { + "type": "string" + }, + "InfobloxRangeEnd": { + "type": "string" + }, + "InfobloxRangeStart": { + "type": "string" + }, + "InfobloxSubnet": { + "type": "string" + }, + "SourceHostName": { + "type": "string" + }, + "SourceIP": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Set_HTML_Table_Content_Data": { + "runAfter": { + "Parse_JSON_For_Query_Result_Data": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", 
+ "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
DHCP Lookup For IP @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source IP@{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source HostName@{body('Parse_JSON_For_Query_Result_Data')?['SourceHostName']}
Source Mac Address@{body('Parse_JSON_For_Query_Result_Data')?['SourceMACAddress']}
Device Name@{body('Parse_JSON_For_Query_Result_Data')?['DeviceName']}
Device Address@{body('Parse_JSON_For_Query_Result_Data')?['DeviceAddress']}
Device DNS Domain@{body('Parse_JSON_For_Query_Result_Data')?['DeviceDnsDomain']}
Infoblox Host@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxHost']}
Infoblox Subnet@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxSubnet']}
Infoblox Range Start@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeStart']}
Infoblox Range End@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeEnd']}
Infoblox Lease Op@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLeaseOp']}
Infoblox Client ID@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxClientID']}
Infoblox Lifetime@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLifetime']}
Infoblox Fingerprint Pr@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprintPr']}
Infoblox Fingerprint@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprint']}
Infoblox DHCP Options@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxDHCPOptions']}

" + } + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period')?['value'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period": { + "type": "ApiConnection", + "inputs": { + "body": "let DHCP_VALUE = 'DHCP';\nlet IP = '@{items('For_each_IP')?['Address']}';\nCommonSecurityLog\n| where TimeGenerated >= ago(@{variables('lookup_time')})\n| where DeviceEventClassID contains DHCP_VALUE\n and SourceIP == IP\n| top 1 by TimeGenerated desc\n| parse-kv AdditionalExtensions as (InfobloxHost : string,\nInfobloxHostID : string,\nInfobloxIPSpace : string,\nInfobloxSubnet : string,\nInfobloxRangeStart : string,\nInfobloxRangeEnd : string,\nInfobloxLeaseOp : string,\nInfobloxClientID : string,\nInfobloxDUID : string,\nInfobloxLifetime : string,\nInfobloxLeaseUUID : string,\nInfobloxFingerprintPr : string,\nInfobloxFingerprint : string,\nInfobloxDHCPOptions : string) with(kv_delimiter=\"=\", pair_delimiter=\";\")\n| project \nSourceIP,SourceHostName,SourceMACAddress, Activity, DeviceName,DeviceAddress,DeviceDnsDomain,\nInfobloxHost,\nInfobloxHostID,\nInfobloxIPSpace,\nInfobloxSubnet,\nInfobloxRangeStart,\nInfobloxRangeEnd,\nInfobloxLeaseOp,\nInfobloxClientID,\nInfobloxDUID,\nInfobloxLifetime,\nInfobloxLeaseUUID,\nInfobloxFingerprintPr,\nInfobloxFingerprint,\nInfobloxDHCPOptions\n", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[trim(parameters('Workspace Name'))]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Set in query" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(items('For_Each_IP')?['Address'])", + 
"@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Lookup_Back_Time_Period": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_Lookup_Back_Time_Period": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "lookup_time", + "type": "string", + "value": "[[trim(parameters('Lookup Time'))]" + } + ] + } + }, + "Initialize_Number_Of_Comments": { + "runAfter": { + "Initialize_HTML_Table": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "no_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-DHCP-Lookup", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzuremonitorlogsConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + 
"version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-DHCP-Lookup", + "description": "The playbook will retrieve IP entities from an incident, search for related DHCP data in a table, and if found, add the DHCP lookup data as a comment on the incident.", + "prerequisites": [ + "1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": [ + "IP" + ], + "tags": [ + "Infoblox", + "DHCP", + "IP", + "Lookup" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "Infoblox-DHCP-Lookup", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-IP-Space-Data", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base 
Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", 
+ "value": 25 + } + ] + }, + "runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + "runAfter": { + "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "IP_Space_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_IP_Space_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_IP_Space_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_IP_Space_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + 
"Set_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')?['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_IP_Space_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_3']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Space_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_IP_Space_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Space_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_IP_Space_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + 
}, + "enable": { + "type": "boolean" + }, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": "integer" + }, + "growth_factor": { + "type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "format": "date-time", + "type": "string" + } + }, + "required": [ + "asm_threshold", + "enable", + "enable_notification", + "forecast_period", + "growth_factor", + "growth_type", + "history", + "min_total", + "min_unused", + "reenable_date" + ], + "type": "object" + }, + "asm_scope_flag": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "format": "date-time", + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "default_realms": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters_large_selection": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters_v6": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + 
"ignore_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "required": [ + "abandoned_reclaim_time", + "abandoned_reclaim_time_v6", + "allow_unknown", + "allow_unknown_v6", + "echo_client_id", + "filters", + "filters_large_selection", + "filters_v6", + "ignore_client_uid", + "ignore_list", + "lease_time", + "lease_time_v6" + ], + "type": "object" + }, + "dhcp_options": { + "items": { + "properties": { + "group": { + "type": [ + "string", + "null" + ] + }, + "option_code": { + "type": "string" + }, + "option_value": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "group", + "option_code", + "option_value", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "dhcp_options_v6": { + "items": { + "type": "object" + }, + "type": "array" + }, + "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": "string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + "hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "inheritance_sources": { + "type": [ + "object", + "null" + ] + }, + "name": { + "type": "string" + }, + "tags": { + "type": [ + "object", + "null" + ] + }, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "required": [ + "enabled", + "high", + "low" + ], + "type": "object" + }, + "updated_at": { + "format": "date-time", + "type": "string" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": 
"string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "required": [ + "abandon_utilization", + "abandoned", + "dynamic", + "free", + "static", + "total", + "used", + "utilization" + ], + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "required": [ + "abandoned", + "dynamic", + "static", + "total", + "used" + ], + "type": "object" + }, + "vendor_specific_option_option_space": { + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "asm_config", + "asm_scope_flag", + "comment", + "compartment_id", + "created_at", + "ddns_client_update", + "ddns_conflict_resolution_mode", + "ddns_domain", + "ddns_generate_name", + "ddns_generated_prefix", + "ddns_send_updates", + "ddns_ttl_percent", + "ddns_update_on_renew", + "ddns_use_conflict_resolution", + "default_realms", + "dhcp_config", + "dhcp_options", + "dhcp_options_v6", + "header_option_filename", + "header_option_server_address", + "header_option_server_name", + "hostname_rewrite_char", + "hostname_rewrite_enabled", + "hostname_rewrite_regex", + "id", + "inheritance_sources", + "name", + "tags", + "threshold", + "updated_at", + "utilization", + "utilization_v6", + "vendor_specific_option_option_space" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "results" + ], + "type": "object" + } + }, + "type": "ParseJson" + } + }, + "else": { + "actions": { + "Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_IP_Space_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_IP_Space_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + 
}, + "HTTP_Request_To_IP_Space_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/ddi/v1/ipam/ip_space" + }, + "type": "Http" + } + }, + "expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_3": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Get-IP-Space-Data", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + 
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Get-IP-Space-Data", + "description": "The playbook will fetch the data from 'IP Space' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. 
Click Save" + ], + "entities": [ + "IP" + ], + "tags": [ + "Infoblox", + "IP Space Name" + ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Get-IP-Space-Data", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-Service-Name", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'PlaybookName' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter 
baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "defaultValue": "[[parameters('Infoblox API Key')]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[[parameters('Infoblox Base Url')]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", + 
"value": 25 + } + ] + }, + "runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + "runAfter": { + "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "Service_Name_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_Service_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_Services_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_Services_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + 
"Set_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_Services_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Services_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_Services_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_Services_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_Services_Endpoint')", + "schema": { + "results": [ + { + "configs": [ + { + "current_version": "string", + "host_id": "string", + "id": "string", + "service_id": "string", + 
"upgraded_at": "string" + } + ], + "created_at": "string", + "desired_state": "string", + "destinations": "[variables('TemplateEmptyArray')]", + "id": "string", + "name": "string", + "pool_id": "string", + "service_type": "string", + "source_interfaces": "[variables('TemplateEmptyArray')]", + "updated_at": "string" + } + ] + } + }, + "type": "ParseJson" + } + }, + "else": { + "actions": { + "Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Services_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_Services_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_Request_To_Services_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/infra/v1/services" + }, + "type": "Http" + } + }, + "expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + 
"hidden-SentinelTemplateName": "Infoblox-Get-Service-Name", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Get-Service-Name", + "description": "This playbook will fetch the data from 'Services' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. 
Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "3. Click Save" + ], + "tags": [ + "Infoblox", + "Service Name" + ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Get-Service-Name", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-IPAM-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": 
"https://csp.infoblox.com", + "metadata": { + "description": "Enter Base URL for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Terminate_Execution_If_Error_Occurred_While_Fetching_IPs_Data": { + "actions": { + "Terminate_Due_To_Error_Occured_While_API_Failure": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "@variables('error_message')" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "For_Each_IP_Address": [ + "Succeeded" + ] + }, + "expression": { + 
"and": [ + { + "equals": [ + "@variables('api_failure_error')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Add_Comment_To_Incident_No_IPs_Found": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No IPs found associated with incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Terminate_Due_To_No_IPs_Found_Associated_With_Incident_Entities": { + "runAfter": { + "Add_Comment_To_Incident_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@length(body('Entities_-_Get_IPs')?['IPs'])", + 0 + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Initialize_Error_False_While_Fetching_IP_Details_From_API": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP_Address": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_If_IP_Address_is_Empty": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Condition_To_Verify_If_IP_Lookup_Information_Fetched_Successfully": { + "actions": { + "Condition_To_Verify_IP_Lookup_Results_Are_Empty": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": { + "actions": { + "Add_Comment_To_Incident_For_No_Results_Found_For_IP_Address": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No IPAM Lookup Results Found For IP: @{items('For_Each_IP_Address')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count": { + "runAfter": { + "Add_Comment_To_Incident_For_No_Results_Found_For_IP_Address": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Count_Reach_To_99": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_To_100": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_JSON_For_IP_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Comment_For_Whole_API_Response_Of_One_IP": { + "actions": { + "Add_Comment_To_Incident_For_Whole_API_Response_Of_One_IP_Traversed_(V3)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Add_Comment_To_Incident_For_Whole_API_Response_Of_One_IP_Traversed_(V3)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Reset_Incident_Comment_For_Whole_API_Response_Of_One_IP": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Increment_Number_Of_Comments_For_Whole_API_Response_Of_One_IP": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "runAfter": { + "For_Each_IP_Lookup_Result": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + }, + { + "not": { + "equals": [ + "@variables('incident_comment')", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "For_Each_IP_Lookup_Result": { + "foreach": "@body('Parse_JSON_For_IP_Lookup_Data')?['results']", + "actions": { + "Append_End_String_Of_HTML_Table": { + "runAfter": { + "Condition_To_Verify_Subnet_Id_Empty": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "

" + } + }, + "Append_HTML_Table_Record_To_HTML_Table": { + "runAfter": { + "Append_End_String_Of_HTML_Table": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "@variables('html_table_record')" + } + }, + "Append_to_Human_Readable_Tags": { + "type": "AppendToStringVariable", + "inputs": { + "name": "Human_Readable_Tags", + "value": "@replace(replace(replace(replace(replace(string(items('For_Each_IP_Lookup_Result')?['tags']),'\"',''),'{',''),'}',''),':',' : '),',',variables('new_line'))" + } + }, + "Condition_To_Verify_Comment_Exceeded_More_Than_30000_Characters_Limit": { + "actions": { + "Set_Incident_Comment": { + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@variables('html_table')" + } + } + }, + "runAfter": { + "Append_HTML_Table_Record_To_HTML_Table": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Comment_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comment": { + "runAfter": { + "Add_Comment_To_Incident": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table": { + "runAfter": { + "Reset_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment": { + "runAfter": { + "Increment_Number_Of_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(3)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Incident_Comment": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(3)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_IP_Space_Id_Is_Empty": { + "runAfter": { + "Set_IP_Space": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_IP_Space_Lookup_Is_Success_Or_Not": { + "actions": { + "Condition_To_Verify_That_IP_Space_Lookup_Result_is_Empty": { + "runAfter": { + "Parse_JSON_For_IP_Space_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_IP_Space_Name_To_HTML_Table": { + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table_record", + "value": "IP Space@{body('Parse_JSON_For_IP_Space_Lookup_Data')?['result']?['name']}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Space_Lookup_Data')?['result'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Space_Lookup_Data": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')", + "schema": { + "properties": { + "result": { + "properties": { + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + }, + "enable": { + "type": "boolean" + }, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": 
"integer" + }, + "growth_factor": { + "type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "type": "string" + } + }, + "type": "object" + }, + "asm_scope_flag": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "default_realms": { + "type": "array" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "type": "array" + }, + "filters_large_selection": { + "type": "array" + }, + "filters_v6": { + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + "ignore_list": { + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "type": "object" + }, + "dhcp_options": { + "items": { + "properties": { + "option_code": { + "type": "string" + }, + "option_value": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "dhcp_options_v6": { + "type": "array" + }, + "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": 
"string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + "hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "type": "object" + }, + "updated_at": { + "type": "string" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_For_An_IP_Space_": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_IP_Space_API_Failure": { + "type": "SetVariable", + "inputs": { + "name": "error_message_ip_space", + "value": "IP Space API request failed with status code:@{outputs('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')['statusCode']} and error message: @{body('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Lookup_Information_For_An_IP_Space_": { + "type": "Http", + "inputs": 
{ + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "uri": "@{variables('base_url')}/api/ddi/v1/@{variables('ip_space_id')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('ip_space_id'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_Subnet_Id_Empty": { + "runAfter": { + "Set_Subnet": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Subnet_Lookup_Is_Success_Or_Not": { + "actions": { + "Condition_For_Subnet_Lookup_Result_is_Empty": { + "runAfter": { + "Parse_JSON_For_Subnet_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_Subnet_Name_To_HTML_Table": { + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table_record", + "value": "Subnet Name@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['name']}\nSubnet@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['address']}/@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['cidr']}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Subnet_Lookup_Data')?['result'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Subnet_Lookup_Data": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_For_Subnet')", + "schema": { + "properties": { + "result": { + "properties": { + "address": { + "type": "string" + }, + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + }, + "enable": { + "type": "boolean" + }, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": "integer" + }, + "growth_factor": { + "type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "type": "string" + } + }, + "type": "object" + }, + "asm_scope_flag": { + "type": 
"integer" + }, + "cidr": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "type": "array" + }, + "filters_large_selection": { + "type": "array" + }, + "filters_v6": { + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + "ignore_list": { + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "type": "object" + }, + "dhcp_options": { + "type": "array" + }, + "dhcp_utilization": { + "properties": { + "dhcp_free": { + "type": "string" + }, + "dhcp_total": { + "type": "string" + }, + "dhcp_used": { + "type": "string" + }, + "dhcp_utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "disable_dhcp": { + "type": "boolean" + }, + "federated_realms": { + "type": "array" + }, + "federation": { + "type": "string" + }, + "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": "string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + 
"hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "inheritance_assigned_hosts": { + "type": "array" + }, + "name": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "rebind_time": { + "type": "integer" + }, + "renew_time": { + "type": "integer" + }, + "space": { + "type": "string" + }, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "type": "object" + }, + "updated_at": { + "type": "string" + }, + "usage": { + "items": { + "type": "string" + }, + "type": "array" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_For_Subnet": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_Subnet_API_Failure": { + "type": "SetVariable", + "inputs": { + "name": "error_message_subnet", + "value": "IP Space API request failed with status code:@{outputs('HTTP_Request_To_Lookup_Information_For_Subnet')['statusCode']} and error message:@{body('HTTP_Request_To_Lookup_Information_For_Subnet')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Lookup_Information_For_Subnet')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + 
"HTTP_Request_To_Lookup_Information_For_Subnet": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "uri": "@{variables('base_url')}/api/ddi/v1/@{variables('subnet_id')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('subnet_id'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Set_HTML_Table": { + "runAfter": { + "Append_to_Human_Readable_Tags": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table_record", + "value": "

\n\n\n\n\n\n\n\n" + } + }, + "Set_IP_Space": { + "runAfter": { + "Set_HTML_Table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ip_space_id", + "value": "@items('For_Each_IP_Lookup_Result')?['space']" + } + }, + "Set_Subnet": { + "runAfter": { + "Condition_To_Verify_IP_Space_Id_Is_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "subnet_id", + "value": "@items('For_Each_IP_Lookup_Result')?['parent']" + } + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Lookup_Data')?['results'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Lookup_Data": { + "runAfter": { + "Set_Error_False_For_API_Failure": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_About_An_IP_Address')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "address": { + "type": "string" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "dhcp_info": { + "properties": { + "client_hostname": { + "type": "string" + }, + "client_hwaddr": { + "type": "string" + }, + "client_id": { + "type": "string" + }, + "end": { + "type": "string" + }, + "fingerprint": { + "type": "string" + }, + "iaid": { + "type": "integer" + }, + "lease_type": { + "type": "string" + }, + "preferred_lifetime": { + "type": "string" + }, + "remain": { + "type": "integer" + }, + "start": { + "type": "string" + }, + "state": { + "type": "string" + }, + "state_ts": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "disable_dhcp": { + "type": "boolean" + }, + "discovery_attrs": { + "properties": { + "ip_address": { + "type": "string" + }, + "network": { + "type": "string" + }, + "os": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "discovery_metadata": { + 
"properties": { + "first_discovered_timestamp": { + "type": "string" + }, + "last_discovered_timestamp": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "host": { + "type": [ + "string", + "null" + ] + }, + "hwaddr": { + "type": "string" + }, + "id": { + "type": "string" + }, + "interface": { + "type": "string" + }, + "names": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "parent": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "range": { + "type": [ + "string", + "null" + ] + }, + "space": { + "type": "string" + }, + "state": { + "type": "string" + }, + "tags": { + "properties": { + "nios/grid_name": { + "type": "string" + }, + "nios/import_timestamp": { + "type": "string" + }, + "nios/imported": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "updated_at": { + "type": "string" + }, + "usage": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "address", + "comment", + "compartment_id", + "created_at", + "dhcp_info", + "disable_dhcp", + "discovery_attrs", + "discovery_metadata", + "host", + "hwaddr", + "id", + "interface", + "names", + "parent", + "protocol", + "range", + "space", + "state", + "tags", + "updated_at", + "usage" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Set_Error_False_For_API_Failure": { + "type": "SetVariable", + "inputs": { + "name": "api_failure_error", + "value": "@false" + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_About_An_IP_Address": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_IPAM_API_Failure": { + "type": "SetVariable", + "inputs": { + "name": "error_message", + "value": "IPAM API request failed with status 
code:@{outputs('HTTP_Request_To_Lookup_Information_About_An_IP_Address')['statusCode']} and error message: for ip @{items('For_Each_IP_Address')?['Address']}" + } + }, + "Set_Error_True_For_API_Failure": { + "runAfter": { + "Set_Error_Message_For_IPAM_API_Failure": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "api_failure_error", + "value": "@true" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Lookup_Information_About_An_IP_Address')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Lookup_Information_About_An_IP_Address": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_filter": "address=='@{items('For_Each_IP_Address')?['Address']}'" + }, + "uri": "@{variables('base_url')}/api/ddi/v1/ipam/address" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(items('For_Each_IP_Address')?['Address'])", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Base_URL": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Error_False_While_Fetching_IP_Details_From_API": { + "runAfter": { + "Initialize_Error_Message_For_Subnet_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "api_failure_error", + "type": "boolean", + "value": "@false" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_New_Line": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "string" + } + ] + } + }, + 
"Initialize_Error_Message_For_IP_Space_Name": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message_ip_space", + "type": "string" + } + ] + } + }, + "Initialize_Error_Message_For_Subnet_ID": { + "runAfter": { + "Initialize_Error_Message_For_IP_Space_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message_subnet", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table_Record": { + "runAfter": { + "Initialize_HTML_Table": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table_record", + "type": "string" + } + ] + } + }, + "Initialize_Human_Readable_Tags": { + "runAfter": { + "Initialize_Subnet_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "human_readable_tags", + "type": "string" + } + ] + } + }, + "Initialize_IP_Space_Id": { + "runAfter": { + "Initialize_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_space_id", + "type": "string" + } + ] + } + }, + "Initialize_Incident_Comment": { + "runAfter": { + "Initialize_HTML_Table_Record": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_comment", + "type": "string" + } + ] + } + }, + "Initialize_New_Line": { + "runAfter": { + "Initialize_Human_Readable_Tags": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "new_line", + "type": "string", + "value": "\n" + } + ] + } + }, + "Initialize_Number_Of_Comments": { 
+ "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "no_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Subnet_Id": { + "runAfter": { + "Initialize_IP_Space_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "subnet_id", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-IPAM-Lookup", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-IPAM-Lookup", + "description": "The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key." + ], + "postDeployment": [ + "**a. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**b. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": [ + "IP" + ], + "tags": [ + "Infoblox", + "IPAM", + "IP", + "Lookup" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "Infoblox-IPAM-Lookup", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName10')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-SOC-Get-Insight-Details", + "type": "string" + }, + "Infoblox API Key": { + "type": "string", + "metadata": { + "description": "Enter value for Infoblox API Key" + } + }, + "Workspace ID": { + "type": "string", + "metadata": { + "description": "Enter value for Workspace ID,use same Workspace ID for Authorization" + } + }, + "Workspace Key": { + "type": "string", + "metadata": { + "description": "Enter value for Workspace Key,use same 
Workspace Key for Authorization" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Infoblox API Key": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "string" + }, + "Workspace ID": { + "defaultValue": "[[trim(parameters('Workspace ID'))]", + "type": "string" + }, + "Workspace Key": { + "defaultValue": "[[trim(parameters('Workspace Key'))]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + 
"actions": { + "Filter_array_for_Malware_Entity": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()['kind'], 'Malware')" + } + }, + "Filter_array_for_Object_GUID_Entity": { + "runAfter": { + "Parse_Entities_JSON": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()?['kind'], 'SecurityGroup')" + } + }, + "For_each": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity')", + "actions": { + "Test_Connection_to_Infoblox_CSP": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each')?['properties']?['objectGuid']}" + } + } + }, + "runAfter": { + "Filter_array_for_Object_GUID_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Insight_ID": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity')", + "actions": { + "Add_InfobloxInsightID_Tag": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "InfobloxInsightID: @{items('For_each_Insight_ID')?['properties']?['objectGuid']}" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + }, + "Add_Summary_data_if_observed_via_CDC": { + "actions": { + "Get_Summary_Data": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}" + } + }, + "Parse_Summary_JSON": { + "runAfter": { + "Get_Summary_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + 
"content": "@body('Get_Summary_Data')", + "schema": { + "properties": { + "insight": { + "properties": { + "changer": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "description": { + "type": "string" + }, + "eventsBlockedCount": { + "type": "string" + }, + "eventsNotBlockedCount": { + "type": "string" + }, + "feedSource": { + "type": "string" + }, + "insightId": { + "type": "string" + }, + "mostRecentAt": { + "type": "string" + }, + "numEvents": { + "type": "string" + }, + "persistent": { + "type": "string" + }, + "persistentDate": { + "type": "string" + }, + "priorityText": { + "type": "string" + }, + "spreading": { + "type": "string" + }, + "spreadingDate": { + "type": "string" + }, + "startedAt": { + "type": "string" + }, + "status": { + "type": "string" + }, + "tClass": { + "type": "string" + }, + "tFamily": { + "type": "string" + }, + "threatType": { + "type": "string" + }, + "userComment": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Summary_(Insight)_Data": { + "runAfter": { + "Parse_Summary_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(body('Parse_Summary_JSON')?['insight'], 'InfobloxInsightLogType', 'Insight')}", + "headers": { + "Log-Type": "InfobloxInsight" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@body('Add_InfobloxInsightID_Tag')?['properties']?['description']", + "Observed via CDC" + ] + } + ] + }, + "type": "If" + }, + "For_each_Asset": { + "foreach": "@body('Parse_Assets_JSON')?['assets']", + "actions": { + "Send_Asset_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Asset'), 'InfobloxInsightID', 
items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Asset')}", + "headers": { + "Log-Type": "InfobloxInsightAssets" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Assets_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Comment": { + "foreach": "@body('Parse_Comment_JSON')?['comments']", + "actions": { + "Send_Comment_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Comment'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Comment')}", + "headers": { + "Log-Type": "InfobloxInsightComments" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Comment_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Event": { + "foreach": "@body('Parse_Event_JSON')?['events']", + "actions": { + "Send_Event_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Event'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Event')}", + "headers": { + "Log-Type": "InfobloxInsightEvents" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Event_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Indicator": { + "foreach": "@body('Parse_Indicator_JSON')?['indicators']", + "actions": { + "Send_Indicator_Data": { + "type": "ApiConnection", + "inputs": { + "body": 
"@{addProperty(addProperty(items('For_Each_Indicator'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Indicator')\r\n}", + "headers": { + "Log-Type": "InfobloxInsightIndicators" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Indicator_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Asset_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/assets" + } + }, + "Get_Comment_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/comments" + } + }, + "Get_Event_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/events" + } + }, + "Get_Indicator_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/indicators" + } + }, + "Parse_Assets_JSON": { + "runAfter": { 
+ "Get_Asset_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Asset_Data')", + "schema": { + "properties": { + "assets": { + "items": { + "properties": { + "cid": { + "type": "string" + }, + "cmac": { + "type": "string" + }, + "count": { + "type": "integer" + }, + "location": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "qip": { + "type": "string" + }, + "threat_indicator_distinct_count": { + "type": "string" + }, + "threat_level_max": { + "type": "string" + }, + "time_max": { + "type": "string" + }, + "time_min": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Comment_JSON": { + "runAfter": { + "Get_Comment_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Comment_Data')", + "schema": { + "properties": { + "comments": { + "items": { + "properties": { + "commentsChanger": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "newComment": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Event_JSON": { + "runAfter": { + "Get_Event_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Event_Data')", + "schema": { + "properties": { + "events": { + "items": { + "properties": { + "action": { + "type": "string" + }, + "class": { + "type": "string" + }, + "confidence_level": { + "type": "string" + }, + "detected": { + "type": "string" + }, + "deviceIp": { + "type": "string" + }, + "device_country": { + "type": "string" + }, + "device_name": { + "type": "string" + }, + "device_region": { + "type": "string" + }, + "dhcp_fingerprint": { + "type": "string" + }, + "dns_view": { + "type": 
"string" + }, + "feed": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "policy": { + "type": "string" + }, + "property": { + "type": "string" + }, + "query": { + "type": "string" + }, + "query_type": { + "type": "string" + }, + "response": { + "type": "string" + }, + "response_country": { + "type": "string" + }, + "response_region": { + "type": "string" + }, + "source": { + "type": "string" + }, + "threat_family": { + "type": "string" + }, + "threat_indicator": { + "type": "string" + }, + "threat_level": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Indicator_JSON": { + "runAfter": { + "Get_Indicator_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Indicator_Data')", + "schema": { + "properties": { + "indicators": { + "items": { + "properties": { + "action": { + "type": "string" + }, + "actor": { + "type": "string" + }, + "confidence": { + "type": "string" + }, + "count": { + "type": "integer" + }, + "feed_name": { + "type": "string" + }, + "indicator": { + "type": "string" + }, + "threat_level_max": { + "type": "string" + }, + "time_max": { + "type": "string" + }, + "time_min": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "For_each_Malware_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Malware_Entity": { + "foreach": "@body('Filter_array_for_Malware_Entity')", + "actions": { + "Update_Incident_Tags": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "@items('For_each_Malware_Entity')?['kind']" + }, + { + "Tag": 
"@items('For_each_Malware_Entity')?['properties']?['malwareName']" + }, + { + "Tag": "@items('For_each_Malware_Entity')?['properties']?['category']" + }, + { + "Tag": "Insight" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Filter_array_for_Malware_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Entities_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "friendlyName": { + "type": "string" + }, + "objectGuid": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": 
"ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Get-Insight-Details", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", + "kind": "Playbook", + "version": "[variables('playbookVersion10')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-SOC-Get-Insight-Details", + "description": "Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight & ingest Insight details into custom InfobloxInsight tables. The tables are used to build the Infoblox SOC Insights Workbook. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. User must have a valid Workspace ID", + "3. User must have a valid Workspace Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign Role to Update in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. 
Click on review+assign" + ], + "entities": [ + "Security Group", + "SecurityGroup", + "Malware" + ], + "tags": [ + "Enrichment" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "Playbook", + "displayName": "Infoblox-SOC-Get-Insight-Details", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName11')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion11')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-SOC-Get-Open-Insights-API", + "type": "string" + }, + "Infoblox API Key": { + "type": "string", + "metadata": { + "description": "Enter value for Infoblox API Key" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Infoblox API Key": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "string" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each_Insight": { + "foreach": "@body('Parse_JSON')?['insightList']", + "actions": { + "Send_Data": { + "type": "ApiConnection", + "inputs": { + "body": "@{union(variables('Extra Cols'), items('For_Each_Insight'))}", + "headers": { + "Log-Type": "InfobloxInsight" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_1']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_All_Insights": { + "runAfter": { + "Initialize_Extra_Cols": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights" + } + }, + "Initialize_Extra_Cols": { + "type": "InitializeVariable", 
+ "inputs": { + "variables": [ + { + "name": "Extra Cols", + "type": "object", + "value": { + "InfobloxInsightLogType": "Insight" + } + } + ] + } + }, + "Parse_JSON": { + "runAfter": { + "Get_All_Insights": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_All_Insights')", + "schema": { + "properties": { + "insightList": { + "items": { + "properties": { + "changer": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "eventsBlockedCount": { + "type": "string" + }, + "eventsNotBlockedCount": { + "type": "string" + }, + "feedSource": { + "type": "string" + }, + "insightId": { + "type": "string" + }, + "mostRecentAt": { + "type": "string" + }, + "numEvents": { + "type": "string" + }, + "persistentDate": { + "type": "string" + }, + "priorityText": { + "type": "string" + }, + "startedAt": { + "type": "string" + }, + "status": { + "type": "string" + }, + "tClass": { + "type": "string" + }, + "tFamily": { + "type": "string" + }, + "threatType": { + "type": "string" + }, + "userComment": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Get-Open-Insights-API", + "hidden-SentinelTemplateVersion": 
"1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", + "kind": "Playbook", + "version": "[variables('playbookVersion11')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-SOC-Get-Open-Insights-API", + "description": "Leverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table. This playbook is scheduled to run on a daily basis.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. 
Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. Click Save" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "Infoblox-SOC-Get-Open-Insights-API", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName12')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion12')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-SOC-Import-Indicators-TI", + "type": "string" + }, + "Entra ID Application Secret": { + "type": "string", + "metadata": { + "description": "Enter value for Entra ID Application Secret" + } + }, + "Client ID": { + "type": "string", + "metadata": { + "description": "Enter value for Application (Client) ID" + } + }, + "Tenant ID": { + "type": "string", + "metadata": { + "description": "Enter value 
for Directory (Tenant) ID" + } + } + }, + "variables": { + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Entra ID Application Secret": { + "defaultValue": "[[trim(parameters('Entra ID Application Secret'))]", + "type": "string" + }, + "Client ID": { + "defaultValue": "[[trim(parameters('Client ID'))]", + "type": "string" + }, + "Tenant ID": { + "defaultValue": "[[trim(parameters('Tenant ID'))]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + 
"Filter_array_for_Object_GUID_Entity_(InsightID)": { + "runAfter": { + "Parse_Entities_JSON": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()?['kind'], 'SecurityGroup')" + } + }, + "For_each_InsightID": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity_(InsightID)')", + "actions": { + "For_each": { + "foreach": "@body('Parse_IPs')?['value']", + "actions": { + "Send_IPs_to_Sentinel": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "@parameters('Client ID')", + "secret": "@parameters('Entra ID Application Secret')", + "tenant": "@parameters('Tenant ID')", + "type": "ActiveDirectoryOAuth" + }, + "body": { + "action": "alert", + "additionalInformation": "Added via Infoblox SOC Insights", + "description": "Infoblox - IP - @{items('For_each')?['InfobloxB1FeedName']}", + "expirationDateTime": "@addDays(utcNow(), 14)", + "externalId": "@{items('For_each')?['InfobloxInsightID']}", + "indicatorProvider": "Infoblox SOC Insights", + "lastReportedDateTime": "@items('For_each')?['LastSeen']", + "networkIPv4": "@{items('For_each')?['ThreatIndicator']}", + "tags": [ + "Feed: @{items('For_each')?['InfobloxB1FeedName']}", + "FirstSeen: @{items('For_each')?['FirstSeen']}", + "LastSeen: @{items('For_each')?['LastSeen']}", + "Threat Confidence: @{items('For_each')?['ThreatConfidence']}", + "Action: @{items('For_each')?['InfobloxB1PolicyAction']}", + "Actor: @{items('For_each')?['ThreatActor']}", + "Event Count: @{items('For_each')?['EventCount']}", + "Threat Level: @{items('For_each')?['ThreatLevel']}", + "IP" + ], + "targetProduct": "Azure Sentinel", + "threatType": "WatchList", + "tlpLevel": "white" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/beta/security/tiIndicators" + } + } + }, + "runAfter": { + "Parse_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Domain": { + "foreach": 
"@body('Parse_Domains')?['value']", + "actions": { + "Send_Domains_to_Sentinel": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "@parameters('Client ID')", + "secret": "@parameters('Entra ID Application Secret')", + "tenant": "@parameters('Tenant ID')", + "type": "ActiveDirectoryOAuth" + }, + "body": { + "action": "alert", + "additionalInformation": "Added via Infoblox SOC Insights", + "description": "Infoblox - HOST - @{items('For_each_Domain')?['InfobloxB1FeedName']}", + "domainName": "@{items('For_each_Domain')?['ThreatIndicator']}", + "expirationDateTime": "@addDays(utcNow(), 14)", + "externalId": "@{items('For_each_Domain')?['InfobloxInsightID']}", + "indicatorProvider": "Infoblox SOC Insights", + "lastReportedDateTime": "@items('For_each_Domain')?['LastSeen']", + "tags": [ + "Feed: @{items('For_each_Domain')?['InfobloxB1FeedName']}", + "FirstSeen: @{items('For_each_Domain')?['FirstSeen']}", + "LastSeen: @{items('For_each_Domain')?['LastSeen']}", + "Threat Confidence: @{items('For_each_Domain')?['ThreatConfidence']}", + "Action: @{items('For_each_Domain')?['InfobloxB1PolicyAction']}", + "Actor: @{items('For_each_Domain')?['ThreatActor']}", + "Event Count: @{items('For_each_Domain')?['EventCount']}", + "Threat Level: @{items('For_each_Domain')?['ThreatLevel']}", + "HOST" + ], + "targetProduct": "Azure Sentinel", + "threatType": "WatchList", + "tlpLevel": "white" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/beta/security/tiIndicators" + } + } + }, + "runAfter": { + "Parse_Domains": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Domains": { + "type": "ApiConnection", + "inputs": { + "body": { + "query": "InfobloxInsightIndicators\n| where InfobloxInsightID == \"@{items('For_each_InsightID')?['properties']?['objectGuid']}\"\n| where isIP == false\n| summarize arg_max(TimeGenerated, *) by ThreatIndicator", + "timerange": { + "relativeTimeRange": "Last 7 days" + }, + 
"timerangetype": "2" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryDataV2", + "queries": { + "resourcegroups": "TME-RG", + "resourcename": "TME-Workspace", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "be1e61b7-8dbe-4986-a9c2-d85f65524d6e" + } + } + }, + "Get_IPs": { + "type": "ApiConnection", + "inputs": { + "body": { + "query": "InfobloxInsightIndicators\n| where InfobloxInsightID == \"@{items('For_each_InsightID')?['properties']?['objectGuid']}\"\n| where isIP == true\n| summarize arg_max(TimeGenerated, *) by ThreatIndicator", + "timerange": { + "relativeTimeRange": "Last 7 days" + }, + "timerangetype": "2" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryDataV2", + "queries": { + "resourcegroups": "TME-RG", + "resourcename": "TME-Workspace", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "be1e61b7-8dbe-4986-a9c2-d85f65524d6e" + } + } + }, + "Parse_Domains": { + "runAfter": { + "Get_Domains": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Domains')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "Computer": { + "type": "string" + }, + "DestinationDnsDomain": { + "type": "string" + }, + "EventCount": { + "type": "integer" + }, + "FirstSeen": { + "type": "string" + }, + "InfobloxB1FeedName": { + "type": "string" + }, + "InfobloxB1PolicyAction": { + "type": "string" + }, + "InfobloxInsightID": { + "type": "string" + }, + "InfobloxInsightLogType": { + "type": "string" + }, + "LastSeen": { + "type": "string" + }, + "MG": { + "type": "string" + }, + "ManagementGroupName": { + "type": "string" + }, + "RawData": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + }, + "SourceSystem": { + "type": "string" + }, + "TenantId": { + 
"type": "string" + }, + "ThreatActor": { + "type": "string" + }, + "ThreatConfidence": { + "type": "string" + }, + "ThreatIndicator": { + "type": "string" + }, + "ThreatLevel": { + "type": "string" + }, + "TimeGenerated": { + "type": "string" + }, + "Type": { + "type": "string" + }, + "isIP": { + "type": "boolean" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_IPs": { + "runAfter": { + "Get_IPs": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_IPs')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "Computer": { + "type": "string" + }, + "DestinationDnsDomain": { + "type": "string" + }, + "EventCount": { + "type": "integer" + }, + "FirstSeen": { + "type": "string" + }, + "InfobloxB1FeedName": { + "type": "string" + }, + "InfobloxB1PolicyAction": { + "type": "string" + }, + "InfobloxInsightID": { + "type": "string" + }, + "InfobloxInsightLogType": { + "type": "string" + }, + "LastSeen": { + "type": "string" + }, + "MG": { + "type": "string" + }, + "ManagementGroupName": { + "type": "string" + }, + "RawData": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + }, + "SourceSystem": { + "type": "string" + }, + "TenantId": { + "type": "string" + }, + "ThreatActor": { + "type": "string" + }, + "ThreatConfidence": { + "type": "string" + }, + "ThreatIndicator": { + "type": "string" + }, + "ThreatLevel": { + "type": "string" + }, + "TimeGenerated": { + "type": "string" + }, + "Type": { + "type": "string" + }, + "isIP": { + "type": "boolean" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "Filter_array_for_Object_GUID_Entity_(InsightID)": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Entities_JSON": { + "type": "ParseJson", + "inputs": { + "content": 
"@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "friendlyName": { + "type": "string" + }, + "objectGuid": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": "[variables('TemplateEmptyArray')]", + "type": "object" + }, + "type": "array" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Import-Indicators-TI", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzuremonitorlogsConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId12')]", + "contentId": "[variables('_playbookContentId12')]", + "kind": "Playbook", + "version": "[variables('playbookVersion12')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-SOC-Import-Indicators-TI", + "description": "Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a SOC Insight Incident before running this playbook.", + "prerequisites": [ + "1. Entra ID Application Secret", + "2. Client ID", + "3. 
Tenant ID" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign role to this playbook**", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign" + ], + "entities": [ + "Security Group", + "SecurityGroup" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "Infoblox-SOC-Import-Indicators-TI", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName13')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-TIDE-Lookup Playbook with 
template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion13')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TIDE-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please keep the 'Playbook Name' parameter unchanged. Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Lookup Workbook' in edit mode" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "String", + "defaultValue": "https://csp.infoblox.com", + "minLength": 1, + "metadata": { + "description": "Enter Base URL for your infoblox account. (e.g. https://csp.infoblox.com)" + } + }, + "Workspace Name": { + "type": "String", + "metadata": { + "description": "Enter name of Log Analytics Workspace" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ 
+ { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox API Key'))]" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "POST" + } + } + }, + "actions": { + "Condition_To_Check_If_All_Parameters_Are_Available": { + "actions": { + "Condition_To_Check_If_IOCs_Of_Provided_Type_and_Target_Are_Not_Available": { + "actions": { + "Condition_To_Check_Threat_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_Threat_Data_Available_Using_API": { + "actions": { + "For_Each_Threat": { + "foreach": "@variables('threat_data')", + "actions": { + "Condition_To_Check_If_Threat_Data_Is_Available": { + "actions": { + "Send_Data_To_Log_Table": { + "type": "ApiConnection", + "inputs": { + "body": "@{items('For_Each_Threat')}", + "headers": { + "Log-Type": "tide_lookup_data" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(items('For_Each_Threat'))", + 0 + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_Threat_Data": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 50 + } + } + }, + "Response_For_Successfully_Ingesting_Data": { + "runAfter": { + "For_Each_Threat": [ + "Succeeded" + ] + }, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Successfully Ingested The TIDE 
Lookup Data For @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + }, + "Set_Threat_Data": { + "type": "SetVariable", + "inputs": { + "name": "threat_data", + "value": "@chunk(body('Parse_JSON_For_Threat_Data')?['threat'],1000)" + } + } + }, + "runAfter": { + "Parse_JSON_For_Threat_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Response_To_Indicate_Success_If_No_Data_Found_For_Target": { + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "No Data Found For @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_For_Threat_Data')?['record_count']", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Threat_Data": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Fetch_Threat_Data')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "batch_id": { + "type": "string" + }, + "class": { + "type": "string" + }, + "confidence": { + "type": "integer" + }, + "confidence_score": { + "type": "number" + }, + "confidence_score_rating": { + "type": "string" + }, + "confidence_score_vector": { + "type": "string" + }, + "detected": { + "type": "string" + }, + "dga": { + "type": [ + "string", + "boolean" + ] + }, + "domain": { + "type": "string" + }, + "email": { + "type": "string" + }, + "expiration": { + "type": "string" + }, + "extended": { + "properties": { + "attack_chain": { + "type": "string" + }, + "cyberint_guid": { + "type": "string" + }, + "notes": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "references": { + "type": "string" + }, + "sample_sha256": { + "type": "string" + } + }, + "type": "object" 
+ }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "host": { + "type": "string" + }, + "id": { + "type": "string" + }, + "imported": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "property": { + "type": "string" + }, + "received": { + "type": "string" + }, + "risk_score": { + "type": "number" + }, + "risk_score_rating": { + "type": "string" + }, + "risk_score_vector": { + "type": "string" + }, + "threat_level": { + "type": "integer" + }, + "threat_score": { + "type": "number" + }, + "threat_score_rating": { + "type": "string" + }, + "threat_score_vector": { + "type": "string" + }, + "tld": { + "type": "string" + }, + "type": { + "type": "string" + }, + "up": { + "type": [ + "string", + "boolean" + ] + }, + "url": { + "type": "string" + } + }, + "required": [ + "id", + "type" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Fetch_Threat_Data": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Response_To_Indicate_Failure_While_Fetching_Threat_Data": { + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Error Occurred While Fetching Threat Data With Status Code:@{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}", + "status": "failure" + }, + "statusCode": "@outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']" + } + }, + "Terminate_Due_To_Error_While_Fetching_Threat_Data": { + "runAfter": { + "Response_To_Indicate_Failure_While_Fetching_Threat_Data": [ + "Succeeded", + "Skipped" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}", + "message": "Error Occurred While Fetching Threat Data With Status Code: @{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}\nError: @{body('HTTP_Request_To_Fetch_Threat_Data')}" + }, + "runStatus": "Failed" + 
} + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Fetch_Threat_Data": { + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "@{body('Parse_JSON_For_Query_Parameters')?['type']}": "@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "fields": "@variables('fields')", + "rlimit": "@{variables('rlimit')}", + "type": "@{body('Parse_JSON_For_Query_Parameters')?['type']}" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + } + }, + "runAfter": { + "Set_Response_Count": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Response_To_Indicate_Success_If_Threat_Data_Available_In_Log_Table": { + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Data already available of TIDE Lookup for @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('response_count')", + 0 + ] + } + ] + }, + "type": "If" + }, + "Run_Query_For_Caching_Mechanism": { + "type": "ApiConnection", + "inputs": { + "body": "let dummyschema = datatable(TimeGenerated:datetime, @{body('Parse_JSON_For_Query_Parameters')?['type']}_s:string, type_s:string, Count:int)[];\nunion isfuzzy=true dummyschema,\ntide_lookup_data_CL\n| where type_s =~ \"@{body('Parse_JSON_For_Query_Parameters')?['type']}\" and @{body('Parse_JSON_For_Query_Parameters')?['type']}_s == \"@{body('Parse_JSON_For_Query_Parameters')?['target']}\"\n| count ", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": 
"[[parameters('Workspace Name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Last 24 hours" + } + } + }, + "Set_Response_Count": { + "runAfter": { + "Run_Query_For_Caching_Mechanism": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "response_count", + "value": "@body('Run_Query_For_Caching_Mechanism')?['value']?[0]?['Count']" + } + } + }, + "runAfter": { + "Initialize_Response_Count": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Response_To_Indicate_Failure_Due_To_Absence_Of_Parameters": { + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Target Type or Target Parameter Not Found.", + "status": "failure" + }, + "statusCode": 400 + } + }, + "Terminate_Due_To_Required_Query_Parameters_Not_Found": { + "runAfter": { + "Response_To_Indicate_Failure_Due_To_Absence_Of_Parameters": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "400", + "message": "Target Type or Target Parameter Not Found." 
+ }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Query_Parameters')?['type'])", + "@false" + ] + }, + { + "equals": [ + "@empty(body('Parse_JSON_For_Query_Parameters')?['target'])", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Initialize_Base_URL": { + "runAfter": { + "Parse_JSON_For_Query_Parameters": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Fields": { + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields", + "type": "string", + "value": "id,type,ip,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,extended" + } + ] + } + }, + "Initialize_Response_Count": { + "runAfter": { + "Initialize_Threat_Data": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "response_count", + "type": "integer" + } + ] + } + }, + "Initialize_Rlimit": { + "runAfter": { + "Initialize_Fields": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "rlimit", + "type": "integer", + "value": 90000 + } + ] + } + }, + "Initialize_Threat_Data": { + "runAfter": { + "Initialize_Rlimit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "threat_data", + "type": "array" + } + ] + } + }, + "Parse_JSON_For_Query_Parameters": { + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()", + "schema": { + "properties": { + "target": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + 
"connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": 
"[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzuremonitorlogsConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId13')]", + "contentId": "[variables('_playbookContentId13')]", + "kind": "Playbook", + "version": "[variables('playbookVersion13')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-TIDE-Lookup", + "description": "The playbook fetches TIDE lookup data for the provided entity type and value.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. 
Repeat steps for other connections" + ], + "entities": [ + "Host", + "IP", + "Hash", + "URL" + ], + "tags": [ + "Infoblox", + "TIDE", + "Lookup" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "Infoblox-TIDE-Lookup", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName14')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TIDE-Lookup-Via-Incident", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please keep the 'Playbook Name' parameter unchanged. 
Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Lookup Workbook' in edit mode" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Check_TIDE_Lookup_Failure_For_All_Entities": { + "actions": { + "Terminate_If_Failure_For_All_Entities": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "@{variables('error_message')}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "For_Each_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('failure_count')", + "@length(triggerBody()?['object']?['properties']?['relatedEntities'])" + ] + } + ] + }, + "type": "If" + }, + "For_Each_Hash": { + "foreach": 
"@body('Get_FileHashes_From_Entities')?['Filehashes']", + "actions": { + "Condition_To_Verify_TIDE_Playbook_Called_Successfully_For_Hash": { + "runAfter": { + "Infoblox_TIDE_Lookup_For_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Hash": { + "runAfter": { + "Increment_Failure_Count_For_Hash": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_Hash')?['message']" + } + }, + "Increment_Failure_Count_For_Hash": { + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_Hash')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_Hash": { + "runAfter": { + "Set_Target_Type_As_Hash": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Hash": { + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_Hash')?['Value']" + } + }, + "Set_Target_Type_As_Hash": { + "runAfter": { + "Set_Target_Hash": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "hash" + } + } + }, + "runAfter": { + "Get_FileHashes_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_Host": { + "foreach": "@body('Get_Hosts_From_Entities')?['Hosts']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_Host": { + "runAfter": { + 
"Infoblox_TIDE_Lookup_For_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Host": { + "runAfter": { + "Increment_Failure_Count_For_Host": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_Host')?['message']" + } + }, + "Increment_Failure_Count_For_Host": { + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_Host')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_Host": { + "runAfter": { + "Set_Target_Type_As_Host": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Host": { + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_Host')?['NetBiosName']" + } + }, + "Set_Target_Type_As_Host": { + "runAfter": { + "Set_Target_Host": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "host" + } + } + }, + "runAfter": { + "Get_Hosts_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_IP": { + "foreach": "@body('Get_IPs_From_Entities')?['IPs']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_IP": { + "runAfter": { + "Infoblox_TIDE_Lookup_For_IP": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_IP": { + "runAfter": { + 
"Increment_Failure_Count_For_IP": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_IP')?['message']" + } + }, + "Increment_Failure_Count_For_IP": { + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_IP')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_IP": { + "runAfter": { + "Set_Target_Type_As_IP": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_IP": { + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_IP')?['Address']" + } + }, + "Set_Target_Type_As_IP": { + "runAfter": { + "Set_Target_IP": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "ip" + } + } + }, + "runAfter": { + "Get_IPs_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_URL": { + "foreach": "@body('Get_URLs_From_Entities')?['URLs']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_urls": { + "runAfter": { + "Infoblox_TIDE_Lookup_For_URL": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_URL": { + "runAfter": { + "Increment_Failure_Count_For_URL": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": 
"@body('Infoblox_TIDE_Lookup_For_URL')?['message']" + } + }, + "Increment_Failure_Count_For_URL": { + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_URL')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_URL": { + "runAfter": { + "Set_Target_Type_As_URL": [ + "Succeeded" + ] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Type_As_URL": { + "runAfter": { + "Set_Target_URL": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "url" + } + }, + "Set_Target_URL": { + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_URL')?['Url']" + } + } + }, + "runAfter": { + "Get_URLs_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Get_FileHashes_From_Entities": { + "runAfter": { + "For_Each_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Get_Hosts_From_Entities": { + "runAfter": { + "For_Each_IP": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Get_IPs_From_Entities": { + "runAfter": { + "For_Each_URL": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "Get_URLs_From_Entities": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Failure_Count": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "array" + } + ] + } + }, + "Initialize_Failure_Count": { + "runAfter": { + "Initialize_Target": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "failure_count", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Target": { + "runAfter": { + "Initialize_Target_Type": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "target", + "type": "string" + } + ] + } + }, + "Initialize_Target_Type": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "target_type", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": 
"[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup-Via-Incident", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId14')]", + "contentId": "[variables('_playbookContentId14')]", + "kind": "Playbook", + "version": "[variables('playbookVersion14')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + 
"metadata": { + "title": "Infoblox-TIDE-Lookup-Via-Incident", + "description": "The playbook takes entity type and value from incident available in Workbook and ingests TIDE Lookup data for that entity into Log table.", + "prerequisites": [ + "1. Make sure that Infoblox-TIDE-Lookup playbook is deployed before deploying Infoblox-TIDE-Lookup-Via-Incident playbook." + ], + "postDeployment": [ + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping." + ], + "entities": [ + "Host", + "IP", + "Hash", + "URL" + ], + "tags": [ + "Infoblox", + "TIDE", + "Lookup", + "Incident" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "Infoblox-TIDE-Lookup-Via-Incident", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName15')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion15')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'PlaybookName' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "minLength": 1, + "metadata": { + "description": "Enter Base URL for your infoblox account. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "type": "string", + "defaultValue": "[[trim(parameters('Infoblox API Key'))]" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + 
"body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Check_If_Entity_Mapping_Is_Not_Available": { + "actions": { + "Add_Comment_To_Incident_If_Entity_Mapping_Not_Found": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Entity Mapping found associated with incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "For_Each_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('entity_mapping')", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Indicate_Failure_For_All_Entities": { + "actions": { + "Terminate_If_Failure_For_All_Entities": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "@{variables('error_message')}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Condition_To_Check_If_Entity_Mapping_Is_Not_Available": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('failure_count')", + "@length(triggerBody()?['object']?['properties']?['relatedEntities'])" + ] + } + ] + }, + "type": "If" + }, + "For_Each_Hash": { + "foreach": "@body('Get_FileHashes_From_Entities')?['Filehashes']", + "actions": { + "Condition_To_Check_Hash_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_Hash": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Hash": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For Hash - @{items('For_Each_Hash')?['Value']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_Hash": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Hash": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_Hash": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_Hash": { + "foreach": "@body('Parse_TIDE_Data_For_Hash')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_Hash": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments_For_Hash": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_Hash": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Add_Hash_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_Hash_TIDE_Data_": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_Hash')?['Value']} - @{items('For_Each_Threat_IOC_Of_Type_Hash')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_Hash')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Hash": { + "runAfter": { + "Add_Hash_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_Hash_TIDE_Data_": { + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

IPAM Lookup For IP:@{items('For_Each_IP_Lookup_Result')?['address']}
Address@{items('For_Each_IP_Lookup_Result')?['address']}
DHCP Client HostName@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['client_hostname']}
DHCP Client Mac Address@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['client_hwaddr']}
DHCP Fingerprint@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['fingerprint']}
Host@{items('For_Each_IP_Lookup_Result')?['host']}
Tags@{variables('human_readable_tags')}
Comment@{items('For_Each_IP_Lookup_Result')?['comment']}
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_Hash')?['type']}
Hash@{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash']} @{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash_type']}
Class@{items('For_Each_Threat_IOC_Of_Type_Hash')?['class']}
Profile@{items('For_Each_Threat_IOC_Of_Type_Hash')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_Hash')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_Hash')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_Hash')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_Hash')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_Hash')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_Hash')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_Hash')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_Hash')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_Hash')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_Hash": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "extended": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Hash": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For Hash - @{items('For_Each_Hash')?['Value']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')['statusCode']}" + } + }, + "Increment_Failure_Count_For_Hash": { + "runAfter": { + "Add_Error_Message_For_Hash": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash": { + "runAfter": { + "Set_Entity_Mapping_True_For_Hash": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_hash')", + "hash": "@items('For_Each_Hash')?['Value']", + "type": "hash" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + 
"Set_Entity_Mapping_True_For_Hash": { + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_FileHashes_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_Host": { + "foreach": "@body('Get_Hosts_From_Entities')?['Hosts']", + "actions": { + "Condition_To_Check_Host_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_Host": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Host": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For Host - @{items('For_Each_Host')?['NetBiosName']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_Host": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Host": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_Host": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_Host": { + "foreach": "@body('Parse_TIDE_Data_For_Host')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_Host": { + "actions": { + "Condition_To_Verify_Incident_Has_99_Comments_For_Host": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_Host": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Add_Host_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_Host_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_Host')?['NetBiosName']} - @{items('For_Each_Threat_IOC_Of_Type_Host')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_Host')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Host": { + "runAfter": { + "Add_Host_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_Host_TIDE_Data": { + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_Host')?['type']}
Host@{items('For_Each_Threat_IOC_Of_Type_Host')?['host']}
Domain@{items('For_Each_Threat_IOC_Of_Type_Host')?['domain']}
URL@{items('For_Each_Threat_IOC_Of_Type_Host')?['url']}
IP@{items('For_Each_Threat_IOC_Of_Type_Host')?['ip']}
Profile@{items('For_Each_Threat_IOC_Of_Type_Host')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_Host')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_Host')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_Host')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_Host')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_Host')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_Host')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_Host')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_Host')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_Host')?['host']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_Host')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_Host": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "extended": { + "properties": { + "notes": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Host": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For Host - @{items('For_Each_Host')?['NetBiosName']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')['statusCode']}" + } + }, + "Increment_Failure_Count_For_Host": { + "runAfter": { + "Add_Error_Message_For_Host": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Host": { + "runAfter": { + "Set_Entity_Mapping_True_For_Host": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_host')", + "host": 
"@items('For_Each_Host')?['NetBiosName']", + "type": "host" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_Host": { + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_Hosts_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_IP": { + "foreach": "@body('Get_IPs_From_Entities')?['IPs']", + "actions": { + "Condition_To_Check_IP_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_IP": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_IP": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For IP - @{items('For_Each_IP')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_IP": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_IP": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_IP": { + "foreach": "@body('Parse_TIDE_Data_For_IP')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_IP": { + "actions": { + "Condition_To_verify_Incident_Has_99_Comments_For_IP": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_IP": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Add_IP_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_IP_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_IP')?['Address']} - @{items('For_Each_Threat_IOC_Of_Type_IP')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_IP')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_IP": { + "runAfter": { + "Add_IP_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_IP_TIDE_Data": { + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_IP')?['type']}
IP@{items('For_Each_Threat_IOC_Of_Type_IP')?['ip']}
Profile@{items('For_Each_Threat_IOC_Of_Type_IP')?['profile']}
Class@{items('For_Each_Threat_IOC_Of_Type_IP')?['class']}
Property@{items('For_Each_Threat_IOC_Of_Type_IP')?['profile']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_IP')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_IP')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_IP')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_IP')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_IP')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_IP')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_IP')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_IP')?['ip']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_IP')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_IP": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "extended": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_IP": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_IP": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For IP - @{items('For_Each_IP')?['Address']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')['statusCode']}" + } + }, + "Increment_Failure_Count_For_IP": { + "runAfter": { + "Add_Error_Message_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_IP": { + "runAfter": { + "Set_Entity_Mapping_True_For_IP": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_ip')", + "ip": "@items('For_Each_IP')?['Address']", + "type": "ip" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_IP": { + 
"type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_IPs_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_URL": { + "foreach": "@body('Get_URLs_From_Entities')?['URLs']", + "actions": { + "Condition_To_Check_URL_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_urls": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_URL": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For URL - @{items('For_Each_URL')?['Url']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_URL": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_URL": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_URL": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_URL": { + "foreach": "@body('Parse_TIDE_Data_For_URL')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_urls": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments_For_urls": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_URL": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Add_URL_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_URL_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_URL')?['Url']} - @{items('For_Each_Threat_IOC_Of_Type_URL')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_URL')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_URL": { + "runAfter": { + "Add_URL_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_URL_TIDE_Data": { + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_URL')?['type']}
Host@{items('For_Each_Threat_IOC_Of_Type_URL')?['host']}
Domain@{items('For_Each_Threat_IOC_Of_Type_URL')?['domain']}
URL@{items('For_Each_Threat_IOC_Of_Type_URL')?['url']}
Class@{items('For_Each_Threat_IOC_Of_Type_URL')?['class']}
Profile@{items('For_Each_Threat_IOC_Of_Type_URL')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_URL')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_URL')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_URL')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_URL')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_URL')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_URL')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_URL')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_URL')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_URL')?['url']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_URL')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_URL": { + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "extended": { + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_URL": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_URL": { + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For URL - @{items('For_Each_URL')?['Url']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')['statusCode']}" + } + }, + "Increment_Failure_Count_For_URL": { + "runAfter": { + "Add_Error_Message_For_URL": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_URL": { + "runAfter": { + "Set_Entity_Mapping_True_For_URL": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_url')", + "type": "url", + "url": "@items('For_Each_URL')?['Url']" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + 
"Set_Entity_Mapping_True_For_URL": { + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_URLs_From_Entities": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Get_FileHashes_From_Entities": { + "runAfter": { + "For_Each_URL": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Get_Hosts_From_Entities": { + "runAfter": { + "Initialize_Failure_Count": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Get_IPs_From_Entities": { + "runAfter": { + "For_Each_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "Get_URLs_From_Entities": { + "runAfter": { + "For_Each_IP": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + } + }, + "Initialize_Base_URL": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": 
"base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Comment_Count": { + "runAfter": { + "Initialize_Entity_Mapping_False": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "comment_count", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Entity_Mapping_False": { + "runAfter": { + "Initialize_HTML": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "entity_mapping", + "type": "boolean", + "value": "@false" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Comment_Count": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "array" + } + ] + } + }, + "Initialize_Failure_Count": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "failure_count", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Fields_For_Hash": { + "runAfter": { + "Initialize_Fields_For_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_hash", + "type": "string", + "value": "id,type,ip,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_Host": { + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_host", + "type": "string", + "value": 
"id,type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_IP": { + "runAfter": { + "Initialize_Fields_For_Host": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_ip", + "type": "string", + "value": "id,type,ip,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_URL": { + "runAfter": { + "Initialize_Fields_For_IP": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_url", + "type": "string", + "value": "id,type,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_HTML": { + "runAfter": { + "Initialize_Fields_For_Hash": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": 
"[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId15'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId15')]", + "contentId": "[variables('_playbookContentId15')]", + "kind": "Playbook", + "version": "[variables('playbookVersion15')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "description": "The playbook enrich an incident by adding TIDE Lookup information as comment on an incident.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. 
Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**b. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." + ], + "entities": [ + "Host", + "IP", + "Hash", + "URL" + ], + "tags": [ + "Infoblox", + "TIDE", + "Lookup", + "Comment", + "Enrichment" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId15')]", + "contentKind": "Playbook", + "displayName": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "contentProductId": "[variables('_playbookcontentProductId15')]", + "id": "[variables('_playbookcontentProductId15')]", + "version": "[variables('playbookVersion15')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName16')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion16')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TimeRangeBased-DHCP-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Start Date": { + "type": "String", + "metadata": { + "description": "Enter start date from which you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd" + } + }, + "End Date": { + "type": "String", + "metadata": { + "description": "Enter end date till you want to perform lookup for DHCP data. 
Date should be in the format of yyyy-mm-dd" + } + }, + "Workspace Name": { + "type": "string", + "metadata": { + "description": "Enter name of Log Analytics Workspace where DHCP data is available" + } + } + }, + "variables": { + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "StartDate": { + "type": "String", + "defaultValue": "[[trim(parameters('Start Date'))]" + }, + "EndDate": { + "type": "String", + "defaultValue": "[[trim(parameters('End Date'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + 
"actions": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Terminate_As_No_IPs_Found": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Entities_-_Get_IPs')?['IPs'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Validate_StartDate_And_EndDate": { + "actions": { + "Terminate_Due_To_Invalid_StartDate_And_EndDate": { + "type": "Terminate", + "inputs": { + "runError": { + "message": "StartDate Should be Less than EndDate." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Initialize_Incident_Comment": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('StartDate')", + "@variables('EndDate')" + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Condition_To_Validate_StartDate_And_EndDate": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_IP_Address_is_Empty_Or_Not": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "else": { + "actions": { + "Condition_To_Check_That_Results_Are_Empty": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100_(2)": { + "actions": { + "Add_Comment__For_Empty_Results_Found_For_IP": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Lookup Data Found For IP: @{items('For_Each_IP')?['Address']} From @{variables('StartDate')} To @{variables('EndDate')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_Results_For_IP": { + "runAfter": { + "Add_Comment__For_Empty_Results_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment_(2)": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit_(2)": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Records_Are_Remaining_To_Add_And_Count_Limit_is_Not_Exceeded": { + "actions": { + "Add_Comment_To_Incident_For_Remaining_Records": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Remaining_Records": { + "runAfter": { + "Add_Comment_To_Incident_For_Remaining_Records": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": { + "For_Each_Query_Result": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Check_That_Comment_Count_Reaches_to_99": { + "actions": { + "Add_Comment_To_Incident_For_Limit_Exceeded": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Limit_Exceeded": { + "runAfter": { + "Add_Comment_To_Incident_For_Limit_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_comment')", + "@null" + ] + } + }, + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Query_Result": { + "foreach": "@body('Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range')?['value']", + "actions": { + "Append_HTML_Table_Content_For_A_Record": { + "runAfter": { + "Parse_JSON_For_Query_Result_Data": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
DHCP Lookup For IP @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source IP@{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source HostName@{body('Parse_JSON_For_Query_Result_Data')?['SourceHostName']}
Source Mac Address@{body('Parse_JSON_For_Query_Result_Data')?['SourceMACAddress']}
Device Name@{body('Parse_JSON_For_Query_Result_Data')?['DeviceName']}
Device Address@{body('Parse_JSON_For_Query_Result_Data')?['DeviceAddress']}
Device DNS Domain@{body('Parse_JSON_For_Query_Result_Data')?['DeviceDnsDomain']}
Infoblox Host@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxHost']}
Infoblox Subnet@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxSubnet']}
Infoblox Range Start@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeStart']}
Infoblox Range End@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeEnd']}
Infoblox Lease Op@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLeaseOp']}
Infoblox Client ID@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxClientID']}
Infoblox Lifetime@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLifetime']}
Infoblox Fingerprint Pr@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprintPr']}
Infoblox Fingerprint@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprint']}
Infoblox DHCP Options@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxDHCPOptions']}

" + } + }, + "Condition_To_Verify_Character_Limit_Does_Not_Exceeded": { + "actions": { + "Set_Incident_Comment": { + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@variables('html_table')" + } + } + }, + "runAfter": { + "Append_HTML_Table_Content_For_A_Record": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Comment_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_For_DHCP_Record_In_HTML_Table_Format_": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_HTML_Table": { + "runAfter": { + "Add_Comment_For_DHCP_Record_In_HTML_Table_Format_": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table": { + "runAfter": { + "Reset_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment": { + "runAfter": { + "Increment_Comments_Count_For_HTML_Table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Query_Result_Data": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_Each_Query_Result')", + "schema": { + "properties": { + "Activity": { + "type": "string" + }, + "DeviceAddress": { + "type": "string" + }, + "DeviceDnsDomain": { + "type": "string" + }, + "DeviceName": { + "type": "string" + }, + "InfobloxClientID": { + "type": "string" + }, + "InfobloxDHCPOptions": { + "type": "string" + }, + "InfobloxDUID": { + "type": "string" + }, + "InfobloxFingerprint": { + "type": "string" + }, + "InfobloxFingerprintPr": { + "type": "string" + }, + "InfobloxHost": { + "type": "string" + }, + "InfobloxHostID": { + "type": "string" + }, + "InfobloxIPSpace": { + "type": "string" + }, + "InfobloxLeaseOp": { + "type": "string" + }, + "InfobloxLeaseUUID": { + "type": "string" + }, + "InfobloxLifetime": { + "type": "string" + }, + "InfobloxRangeEnd": { + "type": "string" + }, + "InfobloxRangeStart": { + "type": "string" + }, + "InfobloxSubnet": { + "type": "string" + }, + "SourceHostName": { + "type": "string" + }, + "SourceIP": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "type": "Foreach" + 
} + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range')?['value'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range": { + "type": "ApiConnection", + "inputs": { + "body": { + "query": "let DHCP_VALUE = 'DHCP';\nlet IP = '@{items('For_each_IP')?['Address']}';\nCommonSecurityLog\n| where DeviceEventClassID contains DHCP_VALUE\n and SourceIP == IP\n| parse-kv AdditionalExtensions as (InfobloxHost : string,\nInfobloxHostID : string,\nInfobloxIPSpace : string,\nInfobloxSubnet : string,\nInfobloxRangeStart : string,\nInfobloxRangeEnd : string,\nInfobloxLeaseOp : string,\nInfobloxClientID : string,\nInfobloxDUID : string,\nInfobloxLifetime : string,\nInfobloxLeaseUUID : string,\nInfobloxFingerprintPr : string,\nInfobloxFingerprint : string,\nInfobloxDHCPOptions : string) with(kv_delimiter=\"=\", pair_delimiter=\";\")\n| project \nSourceIP,SourceHostName,SourceMACAddress, Activity, DeviceName,DeviceAddress,DeviceDnsDomain,\nInfobloxHost,\nInfobloxHostID,\nInfobloxIPSpace,\nInfobloxSubnet,\nInfobloxRangeStart,\nInfobloxRangeEnd,\nInfobloxLeaseOp,\nInfobloxClientID,\nInfobloxDUID,\nInfobloxLifetime,\nInfobloxLeaseUUID,\nInfobloxFingerprintPr,\nInfobloxFingerprint,\nInfobloxDHCPOptions\n", + "timerange": { + "exactTimeRangeFrom": "@variables('StartDate')", + "exactTimeRangeTo": "@variables('EndDate')" + }, + "timerangetype": "Exact" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryDataV2", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[parameters('Workspace Name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(items('For_Each_IP')?['Address'])", + "@true" + ] + } 
+ ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Data_Variable": { + "runAfter": { + "Initialize_Length_of_Data": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "dhcp_data", + "type": "array" + } + ] + } + }, + "Initialize_End_Date": { + "runAfter": { + "Initialize_Start_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "EndDate", + "type": "string", + "value": "@parameters('EndDate')" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_Incident_Comment": { + "runAfter": { + "Initialize_Data_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_comment", + "type": "string" + } + ] + } + }, + "Initialize_Length_of_Data": { + "runAfter": { + "Initialize_End_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "length_of_data", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Number_Of_Comments": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "number_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Start_Date": { + "runAfter": { + "Initialize_HTML_Table": [ + "Succeeded" 
+ ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "StartDate", + "type": "string", + "value": "@parameters('StartDate')" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TimeRangeBased-DHCP-Lookup", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": 
"[[variables('AzuremonitorlogsConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId16'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId16')]", + "contentId": "[variables('_playbookContentId16')]", + "kind": "Playbook", + "version": "[variables('playbookVersion16')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-TimeRangeBased-DHCP-Lookup", + "description": "The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a apecified time range, and if found, add the DHCP lookup data as a comment on the incident.", + "prerequisites": [ + "1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. 
Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." + ], + "entities": [ + "IP" + ], + "tags": [ + "Infoblox", + "DHCP", + "IP", + "Lookup", + "TimeBased" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId16')]", + "contentKind": "Playbook", + "displayName": "Infoblox-TimeRangeBased-DHCP-Lookup", + "contentProductId": "[variables('_playbookcontentProductId16')]", + "id": "[variables('_playbookcontentProductId16')]", + "version": "[variables('playbookVersion16')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName17')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ 
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion17')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-Host-Name", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "API Key": { + "defaultValue": "[[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", + "value": 25 + } + ] + }, + 
"runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + "runAfter": { + "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "Host_Name_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_Host_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_Host_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_Host_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_Retry_Count": { + "inputs": { + "name": 
"Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_Host_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_1']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Host_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_Host_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_Host_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_Host_Endpoint')", + "schema": { + "results": [ + { + "configs": [ + { + "id": "string", + "service_id": "string", + "service_type": "string", + "upgraded_at": "string" + } + ], + "created_at": "string", + "display_name": "string", + 
"host_type": "string", + "id": "string", + "ip_address": "string", + "legacy_id": "string", + "mac_address": "string", + "maintenance_mode": "string", + "ophid": "string", + "pool_id": "string", + "timezone": "string", + "updated_at": "string" + } + ] + } + }, + "type": "ParseJson" + } + }, + "else": { + "actions": { + "Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Host_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_Host_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_Request_To_Host_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/infra/v1/hosts" + }, + "type": "Http" + } + }, + "expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Get-Host-Name", + 
"hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId17'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId17')]", + "contentId": "[variables('_playbookContentId17')]", + "kind": "Playbook", + "version": "[variables('playbookVersion17')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + } + } + } + ], + "metadata": { + "title": "Infoblox-Get-Host-Name", + "description": "The playbook will fetch the data from 'Hosts' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. 
Click Save" + ], + "entities": [ + "Host" + ], + "tags": [ + "Infoblox", + "Host Name" + ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId17')]", + "contentKind": "Playbook", + "displayName": "Infoblox-Get-Host-Name", + "contentProductId": "[variables('_playbookcontentProductId17')]", + "id": "[variables('_playbookcontentProductId17')]", + "version": "[variables('playbookVersion17')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Infoblox", + "publisherDisplayName": "Infoblox", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Infoblox Solution for Microsoft Sentinel is designed to enhance the capabilities of Security Operations Centers (SOC) by integrating actionable intelligence and contextual network data derived from DNS data into Microsoft Sentinel. This integration provides SOC analysts with the tools they need to quickly identify and respond to potential threats such as malware and data exfiltration, improving overall security posture. With seamless configuration and intuitive dashboards, the solution ensures that critical security events are monitored and correlated, offering actionable insights that streamline threat detection and response.\nSOC analysts will benefit from the app’s ability to provide contextual network data, including user and device attribution, through various lookups and visualizations. By leveraging unique DNS-based threat intelligence, audit logs and other data sources, analysts can conduct faster and more effective investigations. The solution’s functionalities, such as SOC Insights Overview and DNS Events, empower analysts to reduce alert fatigue by focusing on correlated events, ultimately leading to improved efficiency and protection against emerging threats.

\n

Benefits

\n
    \n
  1. Reduce alert fatigue with actionable insights through SOC Insights: Focus on the most critical alerts and insights to streamline threat detection and response.
  2. \n
  3. Faster investigations with contextual network data: Quickly correlate network activities with potential threats using detailed lookups and visualizations.
  4. \n
  5. Unique DNS-based Infoblox Threat Intel: Access unparalleled DNS-based threat intelligence to enhance security decision-making and threat mitigation.
  6. \n
\n

Data Connectors: 5, Parsers: 6, Workbooks: 2, Analytic Rules: 2, Playbooks: 17

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Infoblox", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Infoblox" + }, + "support": { + "name": "Infoblox", + "tier": "Partner", + "link": "https://support.infoblox.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId3')]", + "version": "[variables('dataConnectorVersion3')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId4')]", + "version": "[variables('dataConnectorVersion4')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId5')]", + "version": "[variables('dataConnectorVersion5')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId2')]", + "version": "[variables('workbookVersion2')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "Parser", + "contentId": 
"[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject3').parserContentId3]", + "version": "[variables('parserObject3').parserVersion3]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject4').parserContentId4]", + "version": "[variables('parserObject4').parserVersion4]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject6').parserContentId6]", + "version": "[variables('parserObject6').parserVersion6]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Block Allow IP Domain')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Block Allow IP Domain Incident Based')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_InfoBlox Config Insight Details')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Config Insights')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Data Connector Trigger Sync')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox DHCP Lookup')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Get IP Space Data')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Get Service Name')]", + "version": 
"[variables('playbookVersion8')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox IPAM Lookup')]", + "version": "[variables('playbookVersion9')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox SOC Get Insight Details')]", + "version": "[variables('playbookVersion10')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox SOC Get Open Insights API')]", + "version": "[variables('playbookVersion11')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox SOC Import Indicators TI')]", + "version": "[variables('playbookVersion12')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox TIDE Lookup')]", + "version": "[variables('playbookVersion13')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox TIDE Lookup Incident Based')]", + "version": "[variables('playbookVersion14')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox TIDE Lookup Incident Comment Based')]", + "version": "[variables('playbookVersion15')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox TimeRangeBased DHCP Lookup')]", + "version": "[variables('playbookVersion16')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Infoblox Get Host Name')]", + "version": "[variables('playbookVersion17')]" + } + ] + }, + "firstPublishDate": "2024-07-15", + "lastPublishDate": "2024-07-15", + "providers": [ + "Infoblox" + ], + "categories": { + "domains": [ + "Networking", + "Security - Threat Intelligence", + "Security - Threat Protection", + "Security - Network" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Infoblox/Package/testParameters.json b/Solutions/Infoblox/Package/testParameters.json new file mode 100644 index 00000000000..f47c73b961f --- /dev/null +++ b/Solutions/Infoblox/Package/testParameters.json 
@@ -0,0 +1,40 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Infoblox Lookup Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook2-name": {
+ "type": "string",
+ "defaultValue": "Infoblox Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml b/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml
new file mode 100644
index 00000000000..4f6bd91d214
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxCDC_SOCInsights.yaml
@@ -0,0 +1,43 @@
+id: f18321d5-f146-4df5-81c3-f0ba660efc48
+Function:
+ Title: Parser for InfobloxCDC_SOCInsights
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxCDC_SOCInsights
+FunctionAlias: InfobloxCDC_SOCInsights
+FunctionQuery: |
+ CommonSecurityLog
+ | where DeviceVendor == "Infoblox" and DeviceProduct == "Data Connector" and DeviceEventClassID == "BloxOne-InsightsNotification-Log"
+ | extend AdditionalExtensions = strcat(AdditionalExtensions, ";")
+ | extend
+ // SOC Insights
+ BlockedCount = toint(extract("InfobloxEventsBlockedCount=(.*?);", 1, AdditionalExtensions)),
+ NotBlockedCount = toint(extract("InfobloxEventsNotBlockedCount=(.*?);", 1, AdditionalExtensions)),
+ InfobloxInsightID = extract("InfobloxInsightId=(.*?);", 1, AdditionalExtensions),
+ ThreatType = extract("InfobloxInsightThreatType=(.*?);", 1, AdditionalExtensions),
+ ThreatClass = extract("InfobloxThreatClass=(.*?);", 1, AdditionalExtensions),
+ ThreatProperty = extract("InfobloxThreatFamily=(.*?);", 1, AdditionalExtensions),
+ ThreatFamily = extract("InfobloxThreatFamily=(.*?);", 1, AdditionalExtensions),
+ Status = extract("status=(.*?);", 1, AdditionalExtensions),
+ FeedSource = extract("InfobloxInsightFeedSource=(.*?);", 1, AdditionalExtensions),
+ Comment = extract("InfobloxInsightUserComment=(.*?);", 1, AdditionalExtensions),
+ Description = extract("InfobloxInsightDescription=(.*?);", 1, AdditionalExtensions),
+ InfobloxInsightLogType = "Insight",
+ ThreatConfidence_Score = toint(extract("InfobloxThreatConfidence=(.*?);", 1, AdditionalExtensions))
+ | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+ ThreatConfidence_Score==2, "Medium",
+ ThreatConfidence_Score==1, "Low",
+ ThreatConfidence_Score == 0,"Info",
+ "N/A" ),
+ ThreatLevel_Score = toint(extract("InfobloxThreatLevel=(.*?);", 1, AdditionalExtensions))
+ | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+ ThreatLevel_Score==2, "Medium",
+ ThreatLevel_Score==1, "Low",
+ ThreatLevel_Score == 0,"Info",
+ "N/A" )
+ | extend IncidentSeverity= case(ThreatLevel_Score==3, "High",
+ ThreatLevel_Score==2, "Medium",
+ ThreatLevel_Score==1, "Low",
+ ThreatLevel_Score == 0,"Informational",
+ "N/A" )
\ No newline at end of file
diff --git a/Solutions/Infoblox/Parsers/InfobloxInsight.yaml b/Solutions/Infoblox/Parsers/InfobloxInsight.yaml
new file mode 100644
index 00000000000..d4eb63b1304
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxInsight.yaml
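Review bot: ThreatProperty and ThreatFamily in the `| extend` block are both populated from the same CEF extension, `InfobloxThreatFamily=(.*?);`, so the two output columns can never differ and the property-level classification the column name promises is lost. If the connector emits a separate property key (the other Infoblox parsers keep distinct class/family/property fields), ThreatProperty should extract that key instead, e.g. `ThreatProperty = extract("InfobloxThreatProperty=(.*?);", 1, AdditionalExtensions),` — the exact key name needs confirming against a sample event, since only the family key is visible here. If no such key exists, dropping ThreatProperty or documenting it as an alias of ThreatFamily would be clearer than a silent duplicate. The same duplication appears in the InfobloxInsight.yaml hunk, where both columns read `tFamily_s`. Note also that the `status=(.*?);` pattern has no Infoblox prefix and will match the first extension key that ends in `status=`; if the CEF payload carries other status-like keys this may pick the wrong one, so anchoring it on `;` or the full key name is safer.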
@@ -0,0 +1,41 @@
+id: 4d8838cb-cdf6-4a38-b30f-fdd2fd50b50b
+Function:
+ Title: Parser for InfobloxInsight
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsight
+FunctionAlias: InfobloxInsight
+FunctionQuery: |
+ InfobloxInsight_CL
+ | where InfobloxInsightLogType_s == "Insight"
+ | extend
+ InfobloxInsightID=column_ifexists('insightId_g', ''),
+ InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+ BlockedCount=toint(column_ifexists('eventsBlockedCount_s', '')),
+ FeedSource=column_ifexists('feedSource_s', ''),
+ Status=column_ifexists('status_s', ''),
+ LastSeen=column_ifexists('mostRecentAt_t', ''),
+ NotBlockedCount=toint(column_ifexists('eventsNotBlockedCount_s', '')),
+ EventsCount=toint(column_ifexists('numEvents_s', '')),
+ Persistent=column_ifexists('persistent_b', ''),
+ PersistentDate=column_ifexists('persistentDate_t', ''),
+ Spreading=column_ifexists('spreading_b', ''),
+ SpreadingDate=column_ifexists('spreadingDate_t', ''),
+ FirstSeen=column_ifexists('startedAt_t', ''),
+ ThreatClass=column_ifexists('tClass_s', ''),
+ ThreatProperty=column_ifexists('tFamily_s', ''),
+ ThreatFamily=column_ifexists('tFamily_s', ''),
+ ThreatType=column_ifexists('threatType_s', ''),
+ Priority=column_ifexists('priorityText_s', ''),
+ DateChanged=column_ifexists('dateChanged_t ', ''),
+ CommentChanger=column_ifexists('changer_s', ''),
+ Comment=column_ifexists('userComment_s', '')
+ | extend IncidentSeverity = case(Priority=="CRITICAL", "High",
+ Priority=="HIGH", "High",
+ Priority=="MEDIUM", "Medium",
+ Priority =="LOW","Low",
+ Priority =="INFO","Informational",
+ "N/A" )
+ | project-away
+ *_*
\ No newline at end of file
diff --git a/Solutions/Infoblox/Parsers/InfobloxInsightAssets.yaml b/Solutions/Infoblox/Parsers/InfobloxInsightAssets.yaml
new file mode 100644
index 00000000000..4d13f0362f2
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxInsightAssets.yaml
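Review bot: The DateChanged assignment looks up the column name `'dateChanged_t '` with a trailing space, so `column_ifexists` will never find the real `dateChanged_t` column and DateChanged is always the empty-string default, even when the table has the value. The fix is the one-character change `DateChanged=column_ifexists('dateChanged_t', ''),`. Because the closing `| project-away *_*` then drops every underscore-suffixed source column, the original `dateChanged_t` value is not recoverable downstream, which makes this silent loss hard to notice in the workbooks that consume the parser. Worth a quick check across the other parsers in this commit for the same whitespace-in-name slip, since `column_ifexists` gives no error for an unknown column.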
@@ -0,0 +1,39 @@
+id: 30f0087f-6c91-48ce-89a4-fd59b1dde95a
+Function:
+ Title: Parser for InfobloxInsightAssets
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightAssets
+FunctionAlias: InfobloxInsightAssets
+FunctionQuery: |
+ InfobloxInsightAssets_CL
+ | where InfobloxInsightLogType_s == "Asset"
+ | extend
+ InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+ InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+ AssetID=column_ifexists('cid_s', ''),
+ SourceMACAddress=column_ifexists('cmac_s', ''),
+ EventCount=column_ifexists('count_d', ''),
+ InfobloxB1SrcOSVersion=column_ifexists('os_version_s', ''),
+ SourceIP=column_ifexists('qip_s', ''),
+ SourceIPDistinctCount=column_ifexists('qipDistinctCount_d', ''),
+ IndicatorDistinctCount=column_ifexists('threatIndicatorDistinctCount_s', ''),
+ LastSeen=column_ifexists('timeMax_t', ''),
+ FirstSeen=column_ifexists('timeMin_t', ''),
+ SourceUserName=column_ifexists('user_s', ''),
+ Location=column_ifexists('location_s', '')
+ | extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))
+ | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+ ThreatLevel_Score==2, "Medium",
+ ThreatLevel_Score==1, "Low",
+ ThreatLevel_Score == 0,"Info",
+ "N/A" )
+ | extend ThreatConfidence_Score=toint(column_ifexists('confidenceLevelMax_d', ''))
+ | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+ ThreatConfidence_Score==2, "Medium",
+ ThreatConfidence_Score==1, "Low",
+ ThreatConfidence_Score == 0,"Info",
+ "N/A" )
+ | project-away
+ *_*
\ No newline at end of file
diff --git a/Solutions/Infoblox/Parsers/InfobloxInsightComments.yaml b/Solutions/Infoblox/Parsers/InfobloxInsightComments.yaml
new file mode 100644
index 00000000000..c0266a018fe
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxInsightComments.yaml
@@ -0,0 +1,19 @@
+id: e62fa1e8-d157-4ee5-bb43-4fe6ea504f2d
+Function:
+ Title: Parser for InfobloxInsightComments
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightComments
+FunctionAlias: InfobloxInsightComments
+FunctionQuery: |
+ InfobloxInsightComments_CL
+ | where InfobloxInsightLogType_s == "Comment"
+ | extend
+ InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+ CommentChanger=column_ifexists('commentsChanger_s', ''),
+ Comment=column_ifexists('newComment_s', ''),
+ DateChanged=column_ifexists('dateChanged_t', ''),
+ Status=column_ifexists('status_s', '')
+ | project-away
+ *_*
\ No newline at end of file
diff --git a/Solutions/Infoblox/Parsers/InfobloxInsightEvents.yaml b/Solutions/Infoblox/Parsers/InfobloxInsightEvents.yaml
new file mode 100644
index 00000000000..9f73effe664
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxInsightEvents.yaml
@@ -0,0 +1,40 @@
+id: 3bf27a0c-7335-42d5-bc41-330456b4eec2
+Function:
+ Title: Parser for InfobloxInsightEvents
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightEvents
+FunctionAlias: InfobloxInsightEvents
+FunctionQuery: |
+ InfobloxInsightEvents_CL
+ | where InfobloxInsightLogType_s == "Event"
+ | extend
+ InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+ InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+ ThreatConfidence=column_ifexists('confidenceLevel_s', ''),
+ DeviceName=column_ifexists('deviceName_s', ''),
+ SourceMACAddress=column_ifexists('macAddress_s', ''),
+ InfobloxB1Network=column_ifexists('source_s', ''),
+ InfobloxB1SrcOSVersion=column_ifexists('osVersion_s', ''),
+ InfobloxB1PolicyAction=column_ifexists('action_s', ''),
+ InfobloxB1PolicyName=column_ifexists('policy_s', ''),
+ SourceIP=column_ifexists('deviceIp_s', ''),
+ DestinationDnsDomain=column_ifexists('query_s', ''),
+ InfobloxDNSQType=column_ifexists('queryType_s', ''),
+ ThreatClass=column_ifexists('class_s', ''),
+ ThreatProperty=column_ifexists('threatFamily_s', ''),
+ Detected = todatetime(trim_end(@"\+(.*?)", column_ifexists('detected_s', ''))),
+ ThreatIndicator=iff(isnotempty(column_ifexists('threatIndicator_s', '')), column_ifexists('threatIndicator_s', ''), column_ifexists('query_s', '')),
+ SourceUserName=column_ifexists('user_s', ''),
+ DNSResponse=column_ifexists('response_s', ''),
+ DNSView=column_ifexists('dnsView_s', ''),
+ DeviceRegion=column_ifexists('deviceRegion_s', ''),
+ DeviceCountry=column_ifexists('deviceCountry_s', ''),
+ ResponseRegion=column_ifexists('responseRegion_s', ''),
+ ResponseCountry=column_ifexists('responseCountry_s', ''),
+ InfobloxB1FeedName=column_ifexists('feed_s', ''),
+ InfobloxB1DHCPFingerprint=column_ifexists('dhcpFingerprint_s', ''),
+ ThreatLevel=column_ifexists('threatLevel_s', '')
+ | project-away
+ *_*
\ No newline at end of file
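Review bot: The Detected assignment strips everything from the first `+` onward with `trim_end(@"\+(.*?)", ...)` before calling `todatetime`, which discards a UTC offset if `detected_s` carries one; `todatetime` then treats the remaining wall-clock value as UTC, so any non-zero offset shifts the event time and breaks correlation against TimeGenerated. `todatetime` accepts ISO 8601 values with an offset directly, so if the source format is a standard timestamp the simpler `Detected = todatetime(column_ifexists('detected_s', '')),` preserves the instant. If the trim exists because `detected_s` has a trailing suffix that `todatetime` cannot parse, a comment in the query saying which format is being handled would stop the next maintainer from "fixing" it; the sample value cannot be confirmed from this hunk. As a minor consistency point, ThreatProperty here reads `threatFamily_s` while the sibling parsers populate a separate ThreatFamily column from the same source, so the two output columns do not line up across tables.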
diff --git a/Solutions/Infoblox/Parsers/InfobloxInsightIndicators.yaml b/Solutions/Infoblox/Parsers/InfobloxInsightIndicators.yaml
new file mode 100644
index 00000000000..3145dcbe88d
--- /dev/null
+++ b/Solutions/Infoblox/Parsers/InfobloxInsightIndicators.yaml
@@ -0,0 +1,39 @@
+id: f58f77a5-c803-444a-a836-fae65880ec5e
+Function:
+ Title: Parser for InfobloxInsightIndicators
+ Version: '1.0.0'
+ LastUpdated: '2024-03-06'
+Category: Microsoft Sentinel Parser
+FunctionName: InfobloxInsightIndicators
+FunctionAlias: InfobloxInsightIndicators
+FunctionQuery: |
+ let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
+ InfobloxInsightIndicators_CL
+ | where InfobloxInsightLogType_s == "Indicator"
+ | extend
+ InfobloxInsightID=column_ifexists('InfobloxInsightID_g', ''),
+ InfobloxInsightLogType=column_ifexists('InfobloxInsightLogType_s', ''),
+ InfobloxB1PolicyAction=column_ifexists('action_s', ''),
+ SourceMACAddress=column_ifexists('cmac_s', ''),
+ EventCount=column_ifexists('count_d', ''),
+ ThreatIndicator=column_ifexists('indicator_s', ''),
+ DestinationDnsDomain=column_ifexists('indicator_s', ''),
+ InfobloxB1FeedName=column_ifexists('feedName_s', ''),
+ LastSeen=column_ifexists('timeMax_t', ''),
+ FirstSeen=column_ifexists('timeMin_t', ''),
+ ThreatActor=column_ifexists('actor_s', '')
+ | extend isIP = isnotempty(extract(IPRegex, 0, ThreatIndicator))
+ | extend ThreatLevel_Score=toint(column_ifexists('threatLevelMax_s', ''))
+ | extend ThreatLevel= case(ThreatLevel_Score==3, "High",
+ ThreatLevel_Score==2, "Medium",
+ ThreatLevel_Score==1, "Low",
+ ThreatLevel_Score == 0,"Info",
+ "N/A" )
+ | extend ThreatConfidence_Score=toint(column_ifexists('confidence_s', ''))
+ | extend ThreatConfidence= case(ThreatConfidence_Score==3, "High",
+ ThreatConfidence_Score==2, "Medium",
+ ThreatConfidence_Score==1, "Low",
+ ThreatConfidence_Score == 0,"Info",
+ "N/A" )
+ | project-away
+ *_*
\ No newline at end of file
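Review bot: The `isIP` test uses an unanchored IPv4 regex with `extract(..., 0, ...)`, so any indicator that merely contains a dotted-quad substring (a hostname or URL with one embedded, or a value like `999.1.1.1`) is classified as an IP, and IPv6 indicators are never matched. Kusto's built-in parsers validate the whole value and cover both families, so `| extend isIP = isnotnull(parse_ipv4(ThreatIndicator)) or isnotnull(parse_ipv6(ThreatIndicator))` would replace both the `let IPRegex` line and the current extend; anything downstream that branches on `isIP` to pick IP versus domain entity mapping would then stop mis-tagging. Related: `ThreatIndicator` and `DestinationDnsDomain` are both filled from `indicator_s`, so when the indicator is an IP the DestinationDnsDomain column carries an address rather than a domain — gating that assignment on the same IP check, or leaving it to the consumer, would keep the column's meaning honest.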
diff --git a/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/Images/Infoblox-Config-Insight-Details.png b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/Images/Infoblox-Config-Insight-Details.png new file mode 100644 index 00000000000..56f3643ec19 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/Images/Infoblox-Config-Insight-Details.png differ diff --git a/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/README.md b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/README.md new file mode 100644 index 00000000000..43d921af4c8 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/README.md 
@@ -0,0 +1,35 @@ +# Infoblox Config Insight Details + +* [Summary](#Summary) +* [Prerequisites](#Prerequisites) +* [Deployment instructions](#Deployment-instructions) +* [Post-Deployment instructions](#Post-Deployment-instructions) + +## Summary + +The playbook fetches Config Insight Details Data and Ingest it in custom table of Log Analytics Workspace on demand bases from Workbook. + +### Prerequisites + +1. User must have a valid Infoblox API Key. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + - Playbook Name: Please keep the 'Playbook Name' parameter unchanged. Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Workbook - Infoblox Config Insights' Panel in edit mode + - Infoblox API Key: Enter valid value for API Key + - Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com) + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Config%20Insight%20Details%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Config%20Insight%20Details%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +1. Go to your logic app -> API connections -> Select connection resource +2. Go to General -> edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. Repeat steps for other connections 
diff --git a/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/azuredeploy.json b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/azuredeploy.json new file mode 100644 index 00000000000..0cbfdeef501 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/InfoBlox Config Insight Details/azuredeploy.json 
@@ -0,0 +1,299 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Config-Insight-Details", + "description": "The playbook retrieves Config Insight Details Data and ingests it into a custom table within the Log Analytics Workspace on an on-demand basis from the Workbook.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. Authorize azuremonitorlogs connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save" + ], + "entities": [], + "tags": ["Infoblox","Insights"], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Config-Insight-Details", + "metadata": { + "description": "Please keep the 'PlaybookName' parameter unchanged. Otherwise, you will need to manually adjust the 'PlaybookName' in the 'Infoblox Workbook - Infoblox Config Insights' Panel in edit mode" + }, + "type": "string" + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "InfobloxAPIKey": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "InfobloxBaseUrl": { + "defaultValue": "[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "POST" + } + } + }, + "actions": { + "Condition": { + "actions": { + "Parse_Config_Insight_Details_Response": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('GET_Config_Insight_Details')", + "schema": { + "properties": { + "result": { + "properties": { + "analyticInsightId": { + "type": "string" + }, + "feeds": { + "items": { + "properties": { + "currentAction": { + "type": "string" + }, + "feedName": { + "type": "string" + }, + "id": { + "type": "string" + }, + "recommendedAction": { + "type": "string" + }, + "ruleName": { + "type": "string" + }, + "ruleType": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "required": [ + "id", + "ruleType", + "ruleName", + "feedName", + "currentAction" + ], + "type": "object" + }, + "type": "array" + }, + "insightType": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Data_to_Sentinel": { + "runAfter": { + "Parse_Config_Insight_Details_Response": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{body('Parse_Config_Insight_Details_Response')?['result']}", + "headers": { + 
"Log-Type": "@variables('config_insight_details_table_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_11']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "GET_Config_Insight_Details": ["Succeeded"] + }, + "else": { + "actions": { + "Terminate": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('GET_Config_Insight_Details')['statusCode']}", + "message": "There was an error fetching config insights details. Error: @{body('GET_Config_Insight_Details')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('GET_Config_Insight_Details')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "GET_Config_Insight_Details": { + "runAfter": { + "Initialize_Config_Insight_Details_Table_Name": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('InfobloxAPIKey')}" + }, + "method": "GET", + "uri": "@variables('config_insight_details_url')" + } + }, + "Initialize_Config_Insight_Details_Table_Name": { + "runAfter": { + "Initialize_Config_Insights_Details_URL": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_details_table_name", + "type": "string", + "value": "Infoblox_Config_Insight_Details" + } + ] + } + }, + "Initialize_Config_Insights_Details_URL": { + "runAfter": { + "Parse_Request_JSON": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_details_url", + "type": "string", + "value": "@{parameters('InfobloxBaseUrl')}/api/v1/config-insights/analytics/@{body('Parse_Request_JSON')?['config_insight_id']}" + } + ] + } + }, + "Parse_Request_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()", + "schema": { + "properties": { + "config_insight_id": { + 
"type": "string" + } + }, + "type": "object" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_11": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Config-Insight-Details", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + ] +} 
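Review bot: The `InfobloxAPIKey` workflow parameter is declared as `"type": "String"` even though the ARM parameter feeding it is a `securestring`, so the trimmed key is stored in clear text in the workflow definition and the `Authorization` header of `GET_Config_Insight_Details` is recorded in run history, where anyone with read access to the Logic App can see it. Declare it as `"type": "SecureString"` and add `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to the HTTP action so the header is redacted from run history; the same `String` declaration appears for `API_Token` in the Block Allow IP Domain Incident Based playbook below. Separately, the `Parse_Request_JSON` schema has no `required` list, so a POST without `config_insight_id` builds `.../config-insights/analytics/` and the playbook queries the collection URL instead of failing fast — add `"required": ["config_insight_id"]` beside the `properties` block. The metadata `postDeployment` text refers to an `azuremonitorlogs` connection while the template only creates the `Azureloganalyticsdatacollector` connection; align the text with the resource that is actually deployed.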
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/Images/Block-Allow-IP-Domain-Incident-Based.png b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/Images/Block-Allow-IP-Domain-Incident-Based.png new file mode 100644 index 00000000000..ed86a8872fd Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/Images/Block-Allow-IP-Domain-Incident-Based.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/README.md b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/README.md new file mode 100644 index 00000000000..d780b823fe8 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/README.md 
@@ -0,0 +1,43 @@ +# Infoblox Block and Allow IP Domain Incident Based + +* [Summary](#Summary) +* [Prerequisites](#Prerequisites) +* [Deployment instructions](#Deployment-instructions) +* [Post-Deployment instructions](#Post-Deployment-instructions) + +## Summary + +The playbook will add / remove IP or Domain values in Named List that available in incidents of Infoblox. + +### Prerequisites + +1. User must have a valid Infoblox API Key. +2. Obtain Teams GroupId and ChannelId + * Create a Team with public channel. + * Click on three dots (...) present on right side of the your newly created teams channel and Get link to the channel. + * Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId. + * Copy the text of groupId parameter from link to use as groupId. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here + * Infoblox API Key: Enter valid value for API Key + * Infoblox Base Url: Enter baseurl for your Infoblox instance (e.g. 
https://csp.infoblox.com) + * TeamsGroupId: Enter Id of the Teams Group where the adaptive card will be posted + * TeamsChannelId: Enter Id of the Teams Channel where the adaptive card will be posted + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Block%20Allow%20IP%20Domain%20Incident%20Based%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Block%20Allow%20IP%20Domain%20Incident%20Based%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize connection. + +1. Go to your logic app → API connections → Select teams connection resource +2. Go to General → edit API connection +3. Click Authorize +4. Sign in +5. Click Save \ No newline at end of file diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/azuredeploy.json new file mode 100644 index 00000000000..11a2c8ff481 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain Incident Based/azuredeploy.json 
@@ -0,0 +1,956 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "description": "The playbook will add / remove IP or Domain values in Named List that available in incidents of Infoblox.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. Obtain Teams GroupId and ChannelId", + "a. Create a Team with public channel.", + "b. Click on three dots (...) present on right side of the your newly created teams channel and Get link to the channel.", + "c. Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId.", + "d. Copy the text of groupId parameter from link to use as groupId. " + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → API connections → Select teams connection resource", + "2. Go to General → edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. 
Click Save" + ], + "entities": ["IP", "Domain"], + "tags": ["Infoblox", "IP", "Domain", "Incident"], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "minLength": 1, + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + }, + "Teams Group Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Group where the adaptive card will be posted" + } + }, + "Teams Channel Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Channel where the adaptive card will be posted" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "API_Token": { + "type": "String", + "defaultValue": "[trim(parameters('Infoblox API Key'))]" + }, + "BaseUrl": { + "type": "String", + 
"defaultValue": "[trim(parameters('Infoblox Base Url'))]" + }, + "TeamsChannelId": { + "type": "String", + "defaultValue": "[trim(parameters('Teams Channel Id'))]" + }, + "TeamsGroupId": { + "type": "String", + "defaultValue": "[trim(parameters('Teams Group Id'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_For_Base_URL_is_Empty_or_Not": { + "actions": { + "Set_Default_Value_For_Base_URL": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "base_url", + "value": "https://csp.infoblox.com" + } + } + }, + "runAfter": { + "Initialize_IP_or_Domain_String_Variable": ["Succeeded"] + }, + "expression": { + "and": [ + { + "equals": ["@empty(variables('base_url'))", "@true"] + } + ] + }, + "type": "If" + }, + "Condition_For_No_Entity_is_Available_in_Incident": { + "actions": { + "Condition_For_Continue_Execution_of_Logic_App": { + "actions": { + "Terminate_When_User_Terminated_The_Logic__App": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "User Terminated The Logic App" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Set_Cancel_Variable_For_Selection_of_Execution": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_For_Response_is_Success_or_Not": { + "actions": { + "Condition_To_Check_If_There_is_Named_List_is_Available_in_Response": { + "actions": { + "Append_Add_to_List_Action_Variable": { + "runAfter": { + "For_Each_Lists_in_Result": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Add", + "value": "inserted" + } + } + }, + "Append_Remove_to_List_Action_Variable": { + "runAfter": { + 
"Append_Add_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Remove", + "value": "deleted" + } + } + }, + "Condition_For_Response_is_Success_or_Not_For_PATCH_Call": { + "actions": { + "Terminate_If_Successfully_Added_to_Named_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + }, + "runAfter": { + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_If_Not_Added_In_Named_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']}", + "message": "Error Response : @{body('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']", + 201 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Lists_in_Result": { + "foreach": "@body('Parse_JSON_API_Call_Response')?['results']", + "actions": { + "Condition": { + "actions": { + "Append_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Lists", + "value": { + "title": "@{items('For_Each_Lists_in_Result')?['name']}", + "value": "@{items('For_Each_Lists_in_Result')?['id']}" + } + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "not": { + "startsWith": [ + "@items('For_Each_Lists_in_Result')?['name']", + "Threat Insight" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": { + "runAfter": { + "Set_Request_Body_For_PATCH_Call": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "@variables('req_body')", + "headers": { 
+ "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "PATCH", + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists/@{variables('list_id')}/items" + } + }, + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": { + "runAfter": { + "Append_Remove_to_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Submit\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\",\n\"value\":\"Submit\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"id\": \"group-choice\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('Lists')},\n \"isRequired\": true,\n \"separator\": true,\n \"weight\": \"bolder\",\n \"label\": \"Select Named list to add/remove IP or Domain\",\n \"errorMessage\": \"Select one Named list first.\"\n }, {\n \"id\": \"group-choice-1\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('List_action')},\n \"isRequired\": true,\n \"weight\": \"bolder\",\n \"label\": \"Select Named list action\",\n \"errorMessage\": \"Select one Named list action.\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"weight\": \"bolder\",\n \"text\": \"List of IP / Domain to perform selected action for Named list\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"spacing\": \"None\",\n \"text\": \"@{variables('ip_domain_string')}\" ,\n \"isSubtle\": true,\n \"wrap\": true\n }\n ],\n \"width\": \"stretch\"\n }\n ]\n }\n ],\n \"type\": \"AdaptiveCard\",\n 
\"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@{parameters('TeamsChannelId')}", + "groupId": "@{parameters('TeamsGroupId')}" + }, + "updateMessage": "Thanks for your response!" + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_ID_From_Named_List_DropDown": { + "runAfter": { + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "list_id", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice']}" + } + }, + "Set_Named_List_Action_Variable": { + "runAfter": { + "Set_ID_From_Named_List_DropDown": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "named_list_action", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice-1']}" + } + }, + "Set_Request_Body_For_PATCH_Call": { + "runAfter": { + "Set_Named_List_Action_Variable": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "req_body", + "value": { + "@{variables('named_list_action')}_items_described": "@variables('ip_domain_req_body')" + } + } + } + }, + "runAfter": { + "Parse_JSON_API_Call_Response": ["Succeeded"] + }, + "else": { + "actions": { + "Terminate_When_No_Named_List_Found": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "No Any Named List Available. 
" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(body('Parse_JSON_API_Call_Response')?['results'])", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_API_Call_Response": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": ["id", "name"], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Terminate_When_Request_Call_Get_Failed": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "@{body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "GET", + "queries": { + "_fields": "name,id" + }, + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('cancel_adaptive_card')", + "Cancel" + ] + } + ] + }, + "type": "If" + }, + "Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not": { + "runAfter": { + "Set_IP_or_Domain_String_Variable": ["Succeeded"] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": 
\"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Yes\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\"\n },\n {\n \"title\": \"No\",\n \"type\": \"Action.Submit\",\n \"style\": \"destructive\",\n \"id\": \"Cancel\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"type\": \"TextBlock\",\n \"weight\": \"Bolder\",\n \"separator\": true,\n \"text\": \"List of IP / Domain to be added in Named list\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"spacing\": \"None\",\n \"text\": \"@{variables('ip_domain_string')}\" ,\n \"isSubtle\": true,\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Want to add or remove above IP or Domain in Named list?\"\n }\n ],\n \"type\": \"AdaptiveCard\",\n \"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@parameters('TeamsChannelId')", + "groupId": "@parameters('TeamsGroupId')" + }, + "updateMessage": "Thanks for your response!" 
+ }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_Cancel_Variable_For_Selection_of_Execution": { + "runAfter": { + "Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "cancel_adaptive_card", + "value": "@{body('Post_Adaptive_Card_and_Wait_if_User_Want_To_Perform_Further_Action_or_Not')?['submitActionId']}" + } + }, + "Set_IP_or_Domain_String_Variable": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "ip_domain_string", + "value": "@{substring(variables('ip_domain_list'),0,sub(length(variables('ip_domain_list')),2))}" + } + } + }, + "runAfter": { + "For_Each_IP": ["Succeeded"] + }, + "else": { + "actions": { + "Terminate_When_No_Entity_Mapping_Found": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "404", + "message": "No Entity Mapping Found For IP or Host" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@empty(variables('ip_domain_req_body'))", + "@true" + ] + } + } + ] + }, + "type": "If" + }, + "Entities_-_Get_Hosts": { + "runAfter": { + "Condition_For_Base_URL_is_Empty_or_Not": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "For_Each_Domain": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel_2']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_Domain": { + "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", + "actions": { + "Condition_To_Check_If_Host_Name_Empty_Found": { + "actions": { + "Append_Domain_in_IP_or_Domain_list_For_Request_Body_": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "ip_domain_req_body", + "value": { + "item": "@items('For_Each_Domain')?['NetBiosName']" + } + } + }, + "Append_Domain_in_IP_or_Domain_list_variable": { + "runAfter": { + "Append_Domain_in_IP_or_Domain_list_For_Request_Body_": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_domain_list", + "value": "@{items('For_Each_Domain')?['NetBiosName']}, " + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_Each_Domain')?['NetBiosName']", + "@true" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_Hosts": ["Succeeded"] + }, + "type": "Foreach" + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Check_If_IP_Name_Empty_Found": { + "actions": { + "Append_IP_in_IP_or_Domain_String_Variable": { + "runAfter": { + "Append_IP_in_IP_or_Domain_list_For_Request_Body_": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "ip_domain_list", + "value": "@{items('For_Each_IP')?['Address']}, " + } + }, + "Append_IP_in_IP_or_Domain_list_For_Request_Body_": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "ip_domain_req_body", + "value": { + "item": "@items('For_Each_IP')?['Address']" + } + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@empty(items('For_Each_IP')?['Address'])", + "@true" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_IPs": ["Succeeded"] + }, + "type": 
"Foreach" + }, + "Initialize_Cancel_Adaptive_Card_Variable": { + "runAfter": { + "Initialize_IP_or_Domain_list_for_Request_Body": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "cancel_adaptive_card", + "type": "string" + } + ] + } + }, + "Initialize_Description_For_Adaptive_Card_": { + "runAfter": { + "Initialize_Value_For_Adaptive_Card": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_description", + "type": "string" + } + ] + } + }, + "Initialize_IP_or_Domain_String_Variable": { + "runAfter": { + "Initialize_Named_List_Action": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_string", + "type": "string" + } + ] + } + }, + "Initialize_IP_or_Domain_list_for_Request_Body": { + "runAfter": { + "Initialize_IP_or_Domain_list_in_Incidents": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_req_body", + "type": "array" + } + ] + } + }, + "Initialize_IP_or_Domain_list_in_Incidents": { + "runAfter": { + "Initialize_Request_Body_For_PATCH_Call": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_domain_list", + "type": "string" + } + ] + } + }, + "Initialize_Id_For_Named_List_DropDown": { + "runAfter": { + "Initialize_Input_List_For_Adaptive_Card_DropDown": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "list_id", + "type": "string" + } + ] + } + }, + "Initialize_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": { + "Initialize_Variable_Comment_Count": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Lists", + "type": "array" + } + ] + } + }, + "Initialize_List_For_Action": { + "runAfter": { + "Initialize_Selected_Choice_Value": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + 
"variables": [ + { + "name": "List_action", + "type": "array" + } + ] + } + }, + "Initialize_Named_List_Action": { + "runAfter": { + "Initialize_List_For_Action": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "named_list_action", + "type": "string" + } + ] + } + }, + "Initialize_Request_Body_For_PATCH_Call": { + "runAfter": { + "Initialize_Description_For_Adaptive_Card_": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "req_body", + "type": "object" + } + ] + } + }, + "Initialize_Selected_Choice_Value": { + "runAfter": { + "Initialize_Cancel_Adaptive_Card_Variable": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "selected_name_list", + "type": "string" + } + ] + } + }, + "Initialize_Value_For_Adaptive_Card": { + "runAfter": { + "Initialize_Id_For_Named_List_DropDown": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_value", + "type": "string" + } + ] + } + }, + "Initialize_Variable_Base_Url": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Variable_Comment_Count": { + "runAfter": { + "Initialize_Variable_Base_Url": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "comment_limit", + "type": "integer", + "value": "@triggerBody()?['object']?['properties']?['additionalData']?['commentsCount']" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_2": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "teams": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[variables('TeamsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Block-Allow-IP-Domain-Incident-Based", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('TeamsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('TeamsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/Images/Block-Allow-IP-Domain.png b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/Images/Block-Allow-IP-Domain.png new file mode 100644 index 00000000000..1d04e00b753 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/Images/Block-Allow-IP-Domain.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/README.md b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/README.md new file mode 100644 index 00000000000..d016d648a53 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/README.md 
@@ -0,0 +1,52 @@
+# Infoblox Block and Allow IP Domain
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will add/remove IP or Domain value in Named List of Infoblox.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+2. Obtain Teams GroupId and ChannelId
+ * Create a Team with public channel.
+ * Click on three dots (...) present on right side of the your newly created teams channel and Get link to the channel.
+ * Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId.
+ * Copy the text of groupId parameter from link to use as groupId.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance (e.g. https://csp.infoblox.com)
+ * TeamsGroupId: Enter Id of the Teams Group where the adaptive card will be posted
+ * TeamsChannelId: Enter Id of the Teams Channel where the adaptive card will be posted
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Block%20Allow%20IP%20Domain%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Block%20Allow%20IP%20Domain%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize connection.
+
+1. Go to your logic app → API connections → Select teams connection resource
+2. Go to General → edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+
+#### b. Get Workflow URL for the playbook
+
+Once deployment is complete, get Workflow URL
+
+1. Go to your logic app → Overview
+2. Copy Workflow URL
+
+This URL can be use to trigger the Logic App directly
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/azuredeploy.json
new file mode 100644
index 00000000000..472b5d250b2
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Block Allow IP Domain/azuredeploy.json
@@ -0,0 +1,618 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Block-Allow-IP-Domain", + "description": "The playbook will add/remove IP or Domain value in Named List of Infoblox.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. Obtain Teams GroupId and ChannelId", + "a. Create a Team with public channel.", + "b. Click on three dots (...) present on right side of the your newly created teams channel and Get link to the channel.", + "c. Copy the text from the link between /channel and /, decode it using online url decoder and copy it to use as channelId.", + "d. Copy the text of groupId parameter from link to use as groupId. " + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → API connections → Select teams connection resource", + "2. Go to General → edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "**b. Get Workflow URL**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app → Overview", + "2. 
Copy Workflow URL", + "This URL can be use to trigger the Logic App directly" + ], + "entities": ["IP", "Domain"], + "tags": ["Infoblox", "IP", "Domain"], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Block-Allow-IP-Domain", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "minLength": 1, + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + }, + "Teams Group Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Group where the adaptive card will be posted" + } + }, + "Teams Channel Id": { + "type": "string", + "metadata": { + "description": "Enter Id of the Teams Channel where the adaptive card will be posted" + } + } + }, + "variables": { + "TeamsConnectionName": "[concat('Teams-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "API_Token": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[trim(parameters('Infoblox Base Url'))]", + "type": "String" + }, + 
"TeamsChannelId": { + "defaultValue": "[trim(parameters('Teams Channel Id'))]", + "type": "String" + }, + "TeamsGroupId": { + "defaultValue": "[trim(parameters('Teams Group Id'))]", + "type": "String" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "method": "GET", + "schema": {} + } + } + }, + "actions": { + "Condition_For_Base_URL_is_Empty_or_Not": { + "actions": { + "Set_Default_Value_For_Base_URL": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "base_url", + "value": "https://csp.infoblox.com" + } + } + }, + "runAfter": { + "Initialize_Named_List_Action": ["Succeeded"] + }, + "expression": { + "and": [ + { + "equals": ["@empty(variables('base_url'))", "@true"] + } + ] + }, + "type": "If" + }, + "Condition_For_Response_is_Success_or_Not": { + "actions": { + "Condition_To_Check_If_There_is_Named_List_is_Available_in_Response": { + "actions": { + "Append_Add_to_List_Action_Variable": { + "runAfter": { + "For_Each_Lists_in_Result": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Add", + "value": "inserted" + } + } + }, + "Append_Remove_to_List_Action_Variable": { + "runAfter": { + "Append_Add_to_List_Action_Variable": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "List_action", + "value": { + "title": "Remove", + "value": "deleted" + } + } + }, + "Condition_For_Response_is_Success_or_Not_For_PATCH_Call": { + "actions": { + "Terminate_If_Successfully_Added_to_Named_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + }, + "runAfter": { + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "else": { + "actions": { + "Terminate_If_Not_Added_In_Named_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": 
"@{outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']}", + "message": "@{body('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List')['statusCode']", + 201 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Lists_in_Result": { + "foreach": "@body('Parse_JSON_API_Call_Response')?['results']", + "actions": { + "Condition": { + "actions": { + "Append_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "Lists", + "value": { + "title": "@{items('For_Each_Lists_in_Result')?['name']}", + "value": "@{items('For_Each_Lists_in_Result')?['id']}" + } + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "not": { + "startsWith": [ + "@items('For_Each_Lists_in_Result')?['name']", + "Threat Insight" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + }, + "HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List": { + "runAfter": { + "Set_Request_Body_For_PATCH_Call": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "body": "@variables('req_body')", + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "PATCH", + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists/@{variables('list_id')}/items" + } + }, + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": { + "runAfter": { + "Append_Remove_to_List_Action_Variable": ["Succeeded"] + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"actions\": [\n {\n \"title\": \"Submit Answer\",\n \"type\": \"Action.Submit\",\n \"style\": \"positive\",\n \"id\": \"Submit\"\n }\n ],\n \"body\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n 
\"weight\": \"bolder\",\n \"horizontalAlignment\": \"center\",\n \"style\": \"heading\",\n \"color\": \"accent\",\n \"fontType\": \"Default\",\n \"wrap\": true,\n \"id\": \"heading\",\n \"text\": \"Block and Allow IP / Domain\"\n },\n {\n \"id\": \"group-choice\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('Lists')},\n \"isRequired\": true,\n \"separator\": true,\n \"label\": \"Select Named list to add/remove IP or Domain\",\n \"errorMessage\": \"Please select one Named list first.\"\n },\n{\n \"id\": \"group-choice-1\",\n \"type\": \"Input.ChoiceSet\",\n \"choices\": @{variables('List_action')},\n \"isRequired\": true,\n \"weight\": \"bolder\",\n \"label\": \"Select Named list action\",\n \"errorMessage\": \"Please select one Named list action.\"\n },\n {\n \"id\": \"member-input-1\",\n \"type\": \"Input.Text\",\n \"separator\": true,\n \"placeholder\": \"Provide IP / Domain value\",\n \"isRequired\": true,\n \"label\": \"Provide IP or Domain value to add/remove into Named list\",\n \"errorMessage\": \"Please enter one IP or Domain.\"\n },\n {\n \"id\": \"member-input-2\",\n \"type\": \"Input.Text\",\n \"separator\": true,\n \"placeholder\": \"Provide IP / Domain description\",\n \"label\": \"Provide IP or Domain description\"\n }\n ],\n \"type\": \"AdaptiveCard\",\n \"version\": \"1.3\"\n}", + "recipient": { + "channelId": "@parameters('TeamsChannelId')", + "groupId": "@parameters('TeamsGroupId')" + }, + "updateMessage": "Thanks for your response!" 
+ }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Set_ID_From_Named_List_DropDown": { + "runAfter": { + "Set_Value_From_Adaptive_Card_Description": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "list_id", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice']}" + } + }, + "Set_Named_List_Action_Variable": { + "runAfter": { + "Set_ID_From_Named_List_DropDown": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "named_list_action", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['group-choice-1']}" + } + }, + "Set_Request_Body_For_PATCH_Call": { + "runAfter": { + "Set_Named_List_Action_Variable": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "req_body", + "value": { + "@{variables('named_list_action')}_items_described": [ + { + "description": "@{variables('block_allow_description')}", + "item": "@{variables('block_allow_value')}" + } + ] + } + } + }, + "Set_Value_From_Adaptive_Card": { + "runAfter": { + "Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "block_allow_value", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['member-input-1']}" + } + }, + "Set_Value_From_Adaptive_Card_Description": { + "runAfter": { + "Set_Value_From_Adaptive_Card": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "block_allow_description", + "value": "@{body('Post_Adaptive_Card_For_Take_Input_For_Block_And_Allow_IP_Or_Domain')?['data']?['member-input-2']}" + } + } + }, + "runAfter": { + 
"Parse_JSON_API_Call_Response": ["Succeeded"] + }, + "else": { + "actions": { + "Terminate_When_List_is_Empty": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "No Any Named List Available. " + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@length(body('Parse_JSON_API_Call_Response')?['results'])", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_API_Call_Response": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": ["id", "name"], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": ["Succeeded"] + }, + "else": { + "actions": { + "Terminate_When_not_Getting_Named_List": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']}", + "message": "@{body('HTTP_Call_For_Get_List_For_Named_List_Endpoint')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Call_For_Get_List_For_Named_List_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Call_For_Get_List_For_Named_List_Endpoint": { + "runAfter": { + "Condition_For_Base_URL_is_Empty_or_Not": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API_Token')}" + }, + "method": "GET", + "queries": { + "_fields": "name,id" + }, + "uri": "@{variables('base_url')}/api/atcfw/v1/named_lists" + } + }, + "Initialize_Description_For_Adaptive_Card_": { + 
"runAfter": { + "Initialize_Value_For_Adaptive_Card": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_description", + "type": "string" + } + ] + } + }, + "Initialize_Id_For_Named_List_DropDown": { + "runAfter": { + "Initialize_Input_List_For_Adaptive_Card_DropDown": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "list_id", + "type": "string" + } + ] + } + }, + "Initialize_Input_List_For_Adaptive_Card_DropDown": { + "runAfter": { + "Initialize_Variable_Base_URL": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Lists", + "type": "array" + } + ] + } + }, + "Initialize_List_For_Action": { + "runAfter": { + "Initialize_Request_Body_For_PATCH_Call": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "List_action", + "type": "array" + } + ] + } + }, + "Initialize_Named_List_Action": { + "runAfter": { + "Initialize_List_For_Action": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "named_list_action", + "type": "string" + } + ] + } + }, + "Initialize_Request_Body_For_PATCH_Call": { + "runAfter": { + "Initialize_Description_For_Adaptive_Card_": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "req_body", + "type": "object" + } + ] + } + }, + "Initialize_Value_For_Adaptive_Card": { + "runAfter": { + "Initialize_Id_For_Named_List_DropDown": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "block_allow_value", + "type": "string" + } + ] + } + }, + "Initialize_Variable_Base_URL": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { 
+ "teams": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[variables('TeamsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Block-Allow-IP-Domain", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('TeamsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('TeamsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Teams')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox Config Insights/Images/Infoblox-Config-Insights.png b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/Images/Infoblox-Config-Insights.png new file mode 100644 index 00000000000..23b750c1baf Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/Images/Infoblox-Config-Insights.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox Config Insights/README.md b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/README.md new file mode 100644 index 00000000000..92e6edf87c4 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/README.md 
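Review bot: The `API_Token` workflow parameter under `definition.parameters` is declared `"type": "String"` even though it is fed from the `securestring` ARM parameter `Infoblox API Key`, so the Infoblox key is persisted in plaintext in the deployed workflow definition and can be read back by anyone able to view the Logic App; declaring it `"type": "SecureString"` keeps the ARM-level protection. Neither `HTTP_Call_For_Get_List_For_Named_List_Endpoint` nor `HTTP_Call_To_Add_Remove_IP_or_Domain_in_Selected_Name_List` sets `runtimeConfiguration`, so the `Authorization: Token …` header is also recorded in run history for every run; adding `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to both HTTP actions masks it. The same `String` typing is used for `InfobloxAPIKey` in the Infoblox Config Insights template later in this diff. Separately, the `postDeployment` entry under `**b. Get Workflow URL**` repeats "Once deployment is complete, authorize each connection." from section a although the step being described is copying the URL, and because the `manual` Request trigger (`"method": "GET"`, empty `schema`) runs for anyone holding that URL, the entry should state that the URL must be kept private, e.g. `"Once deployment is complete, copy the Workflow URL; treat it as a secret, since anyone holding it can trigger the playbook."`.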
@@ -0,0 +1,37 @@
+# Infoblox Config Insights
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+ - [a. Authorize connections](#a-authorize-connections)
+
+## Summary
+
+The playbook fetches Config Insight Data and Ingest it in custom table of Log Analytics Workspace on schedule base.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Please keep the 'Playbook Name' parameter unchanged. Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Workbook - Infoblox Config Insights' Panel in edit mode
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+ * Workspace Name : Enter name of Log Analytics Workspace where Infoblox Workbook is available
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Config%20Insights%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Config%20Insights%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+1. Go to your logic app -> API connections -> Select connection resource
+2. Go to General -> edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for other connections
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Config Insights/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/azuredeploy.json
new file mode 100644
index 00000000000..78c472efd0d
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Config Insights/azuredeploy.json
@@ -0,0 +1,390 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Config-Insights", + "description": "The playbook retrieves Config Insight Data and ingests it into a custom table within the Log Analytics Workspace on a scheduled basis.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. Authorize azuremonitorlogs connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Authorize azureloganalyticsdatacollector connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. Click Save" + ], + "entities": [], + "tags": ["Infoblox", "Insights"], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Config-Insights", + "type": "string" + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + }, + "Workspace Name": { + "type": "String", + "metadata": { + "description": "Enter name of Log Analytics Workspace where Infoblox Workbook is available" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "InfobloxAPIKey": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "InfobloxBaseUrl": { + "defaultValue": "[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Check_if_Status_code_200_or_not": { + "actions": { + "Fetch_Existing_Data": { + "runAfter": { + "Parse_Config_Insight_List_ID": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "body": "let dummyschema = datatable(TimeGenerated:datetime, policyAnalyticsId_g:string, insightType_s:string, type_s:string)[];\nunion isfuzzy=true dummyschema,\n@{variables('config_insights_table_name')}\n| where TimeGenerated>ago(365d)\n| project policyAnalyticsId_g", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[resourceGroup().name]", + "resourcename": "[trim(parameters('Workspace Name'))]", + "resourcetype": "Log 
Analytics Workspace", + "subscriptions": "[subscription().subscriptionId]", + "timerange": "Last 24 hours" + } + } + }, + "For_Each_to_Append_Existing_Ids": { + "foreach": "@body('Fetch_Existing_Data')?['value']", + "actions": { + "Append_to_Existing_Ids": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "existing_ids", + "value": "@items('For_Each_to_Append_Existing_Ids')?['policyAnalyticsId_g']" + } + } + }, + "runAfter": { + "Fetch_Existing_Data": ["Succeeded"] + }, + "type": "Foreach" + }, + "For_Each_to_ingest_data_to_Sentinel": { + "foreach": "@body('Parse_Config_Insight_List_ID')?['policyAnalyticsList']", + "actions": { + "Check_whether_Config_Insight_ID_already_in_Sentinel": { + "actions": {}, + "runAfter": {}, + "else": { + "actions": { + "Send_Data": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "@{items('For_Each_to_ingest_data_to_Sentinel')}", + "headers": { + "Log-Type": "@variables('config_insights_table_name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@contains(variables('existing_ids'), items('For_each_to_ingest_data_to_Sentinel')['policyAnalyticsId'])", + true + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_Each_to_Append_Existing_Ids": ["Succeeded"] + }, + "type": "Foreach" + }, + "Parse_Config_Insight_List_ID": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP')", + "schema": { + "properties": { + "policyAnalyticsList": { + "items": { + "properties": { + "insightType": { + "type": "string" + }, + "policyAnalyticsId": { + "type": "string" + } + }, + "required": ["policyAnalyticsId", "insightType"], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP": ["Succeeded"] + }, + "else": { + 
"actions": { + "Terminate": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP')['statusCode']}", + "message": "API request call failed. Kindly Run again after checking credentials. Error: @{body('HTTP')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": ["@outputs('HTTP')['statusCode']", 200] + } + ] + }, + "type": "If" + }, + "HTTP": { + "runAfter": { + "Initialize_Config_Insights_Table_Name": ["Succeeded"] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('InfobloxAPIKey')}" + }, + "method": "GET", + "uri": "@variables('config_insight_list_url')" + } + }, + "Initialize_Config_Ids": { + "runAfter": { + "Initialize_Config_Insights_List_URL": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_ids", + "type": "array" + } + ] + } + }, + "Initialize_Config_Insights_List_URL": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insight_list_url", + "type": "string", + "value": "@{parameters('InfobloxBaseUrl')}/api/v1/config-insights/analytics" + } + ] + } + }, + "Initialize_Config_Insights_Table_Name": { + "runAfter": { + "Initialize_Data_To_Send": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "config_insights_table_name", + "type": "string", + "value": "Infoblox_Config_Insights_CL" + } + ] + } + }, + "Initialize_Data_To_Send": { + "runAfter": { + "Initialize_Existing_Ids": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "data_to_send", + "type": "array" + } + ] + } + }, + "Initialize_Existing_Ids": { + "runAfter": { + "Initialize_Config_Ids": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "existing_ids", + "type": "array" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + 
"$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[variables('AzuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Config-Insights", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": 
"2016-06-01", + "name": "[variables('AzuremonitorlogsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuremonitorlogsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/Images/InfobloxDHCPLookup.png b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/Images/InfobloxDHCPLookup.png new file mode 100644 index 00000000000..1651c65e98d Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/Images/InfobloxDHCPLookup.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/README.md b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/README.md new file mode 100644 index 00000000000..8183d714e64 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/README.md 
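Review bot: The workflow parameter `InfobloxAPIKey` is declared `"type": "String"` with the ARM `securestring` value as its `defaultValue`, which stores the key in clear text inside the saved Logic App definition and surfaces it again in run history through the `Authorization` header of the `HTTP` action; declare it as `"type": "SecureString"` and add `"runtimeConfiguration": { "secureData": { "properties": ["inputs"] } }` to the `HTTP` action so the header is redacted from recorded inputs. `Fetch_Existing_Data` sets `"timerange": "Last 24 hours"` while its KQL filters on `ago(365d)`; if the connector's time range bounds the query (the sibling DHCP template uses the `Set in query` option for this reason, it seems), the de-duplication only sees the last day and the daily recurrence re-ingests older insight IDs, so `"timerange": "Set in query"` looks intended. The dedup expression references `items('For_each_to_ingest_data_to_Sentinel')` while the enclosing loop is named `For_Each_to_ingest_data_to_Sentinel`; action lookups are case-insensitive as far as I know, but matching the spelling avoids relying on that. `config_ids` and `data_to_send` are initialized and never read and can be dropped.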
@@ -0,0 +1,57 @@ +# Infoblox DHCP Lookup + +* [Summary](#Summary) +* [Prerequisites](#Prerequisites) +* [Deployment instructions](#Deployment-instructions) +* [Post-Deployment instructions](#Post-Deployment-instructions) + +## Summary + +The playbook will extract IP entities from an incident, search for corresponding latest DHCP data in a table, and if successful, append the latest DHCP lookup results as a comment on the incident. + +### Prerequisites + +1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel. + +### Deployment instructions + +1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard. +2. Fill in the required parameters: + * Playbook Name: Enter the playbook name here + * Workspace Name: Enter name of Log Analytics Workspace where DHCP data is available + * Lookup Time: Enter time period(in days) in which you want to search for DHCP lookup data + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20DHCP%20Lookup%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20DHCP%20Lookup%2Fazuredeploy.json) + +### Post-Deployment instructions + +#### a. Authorize connections + +Once deployment is complete, authorize each connection. + +1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource +2. Go to General -> edit API connection +3. Click Authorize +4. Sign in +5. Click Save +6. Repeat steps for other connections + +#### b. Assign Role to add comment in incident + +Assign role to this playbook. + +1. 
Go to Log Analytics Workspace → → Access Control → Add +2. Add role assignment +3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role +4. Members: select managed identity for assigned access to and add your logic app as member +5. Click on review+assign + +#### c. Configurations in Microsoft Sentinel + +1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP +2. To manually run the playbook on a particular incident follow the below steps: +a. Go to Microsoft Sentinel -> -> Incidents +b. Select an incident +c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option +d. Click on the Run button beside this playbook + diff --git a/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/azuredeploy.json new file mode 100644 index 00000000000..2336003e567 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox DHCP Lookup/azuredeploy.json 
@@ -0,0 +1,793 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-DHCP-Lookup", + "description": "The playbook will retrieve IP entities from an incident, search for related DHCP data in a table, and if found, add the DHCP lookup data as a comment on the incident.", + "prerequisites": [ + "1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": [ "IP" ], + "tags": [ "Infoblox", "DHCP", "IP", "Lookup" ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-DHCP-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Workspace Name": { + "type": "string", + "metadata": { + "description": "Enter name of Log Analytics Workspace where DHCP data is available" + } + }, + "Lookup Time": { + "type": "string", + "defaultValue": "14d", + "metadata": { + "description": "Enter time period (in days) in which you want to search for DHCP lookup data" + } + } + }, + "variables": { + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Terminate_As_No_IPs_Found": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + 
"runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Entities_-_Get_IPs')?['IPs'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_IP_Address_is_Empty_Or_Not": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_No_Empty_Results": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": { + "actions": { + "Add_Comment__For_Empty_Results_Found_For_IP": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Latest DHCP Lookup Data Found For IP: @{items('For_Each_IP')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_Results_For_IP": { + "runAfter": { + "Add_Comment__For_Empty_Results_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Count_Reach_To_99": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_To_100": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "For_Each_Query_Result": { + "foreach": "@body('Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period')?['value']", + "actions": { + "Condition_To_Verify_That_Comment_Limit_Does_Not_Exceeded": { + "actions": { + "Condition_To_Verify_Character_Limit_Does_Not_Exceeded": { + "actions": { + "Comment_For_HTML_Table": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Latest DCHP Lookup Detail For IP :-  @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
\n@{variables('html_table')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_HTML_Table": { + "runAfter": { + "Comment_For_HTML_Table": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Comment_For_Characters_Limit": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Query contains more than 30000 characters for IP: @{items('For_Each_IP')?['Address']} Latest DHCP lookup data.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Characters_Limit": { + "runAfter": { + "Comment_For_Characters_Limit": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "lessOrEquals": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_HTML_Table_Content_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Query_Result_Data": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_Each_Query_Result')", + "schema": { + "properties": { + "Activity": { + "type": "string" + }, + "DeviceAddress": { + "type": "string" + }, + "DeviceDnsDomain": { + "type": "string" + }, + "DeviceName": { + "type": "string" + }, + "InfobloxClientID": { + "type": "string" + }, + "InfobloxDHCPOptions": { + "type": "string" + }, + "InfobloxDUID": { + "type": "string" + }, + "InfobloxFingerprint": { + "type": "string" + }, + "InfobloxFingerprintPr": { + "type": "string" + }, + "InfobloxHost": { + "type": "string" + }, + "InfobloxHostID": { + "type": "string" + }, + "InfobloxIPSpace": { + "type": "string" + }, + "InfobloxLeaseOp": { + "type": "string" + }, + "InfobloxLeaseUUID": { + "type": "string" + }, + "InfobloxLifetime": { + "type": "string" + }, + "InfobloxRangeEnd": { + "type": "string" + }, + "InfobloxRangeStart": { + "type": "string" + }, + "InfobloxSubnet": { + "type": "string" + }, + "SourceHostName": { + "type": "string" + }, + "SourceIP": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Set_HTML_Table_Content_Data": { + "runAfter": { + "Parse_JSON_For_Query_Result_Data": [ + "Succeeded" + ] + }, + "type": "SetVariable", + 
"inputs": { + "name": "html_table", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
DHCP Lookup For IP @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source IP@{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source HostName@{body('Parse_JSON_For_Query_Result_Data')?['SourceHostName']}
Source Mac Address@{body('Parse_JSON_For_Query_Result_Data')?['SourceMACAddress']}
Device Name@{body('Parse_JSON_For_Query_Result_Data')?['DeviceName']}
Device Address@{body('Parse_JSON_For_Query_Result_Data')?['DeviceAddress']}
Device DNS Domain@{body('Parse_JSON_For_Query_Result_Data')?['DeviceDnsDomain']}
Infoblox Host@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxHost']}
Infoblox Subnet@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxSubnet']}
Infoblox Range Start@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeStart']}
Infoblox Range End@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeEnd']}
Infoblox Lease Op@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLeaseOp']}
Infoblox Client ID@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxClientID']}
Infoblox Lifetime@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLifetime']}
Infoblox Fingerprint Pr@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprintPr']}
Infoblox Fingerprint@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprint']}
Infoblox DHCP Options@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxDHCPOptions']}

" + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period')?['value'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "let DHCP_VALUE = 'DHCP';\nlet IP = '@{items('For_each_IP')?['Address']}';\nCommonSecurityLog\n| where TimeGenerated >= ago(@{variables('lookup_time')})\n| where DeviceEventClassID contains DHCP_VALUE\n and SourceIP == IP\n| top 1 by TimeGenerated desc\n| parse-kv AdditionalExtensions as (InfobloxHost : string,\nInfobloxHostID : string,\nInfobloxIPSpace : string,\nInfobloxSubnet : string,\nInfobloxRangeStart : string,\nInfobloxRangeEnd : string,\nInfobloxLeaseOp : string,\nInfobloxClientID : string,\nInfobloxDUID : string,\nInfobloxLifetime : string,\nInfobloxLeaseUUID : string,\nInfobloxFingerprintPr : string,\nInfobloxFingerprint : string,\nInfobloxDHCPOptions : string) with(kv_delimiter=\"=\", pair_delimiter=\";\")\n| project \nSourceIP,SourceHostName,SourceMACAddress, Activity, DeviceName,DeviceAddress,DeviceDnsDomain,\nInfobloxHost,\nInfobloxHostID,\nInfobloxIPSpace,\nInfobloxSubnet,\nInfobloxRangeStart,\nInfobloxRangeEnd,\nInfobloxLeaseOp,\nInfobloxClientID,\nInfobloxDUID,\nInfobloxLifetime,\nInfobloxLeaseUUID,\nInfobloxFingerprintPr,\nInfobloxFingerprint,\nInfobloxDHCPOptions\n", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[resourceGroup().name]", + "resourcename": "[trim(parameters('Workspace Name'))]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[subscription().subscriptionId]", + "timerange": "Set in query" + } + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + 
"@empty(items('For_Each_IP')?['Address'])", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Lookup_Back_Time_Period": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_Lookup_Back_Time_Period": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "lookup_time", + "type": "string", + "value": "[trim(parameters('Lookup Time'))]" + } + ] + } + }, + "Initialize_Number_Of_Comments": { + "runAfter": { + "Initialize_HTML_Table": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "no_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[variables('AzuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-DHCP-Lookup", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzuremonitorlogsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuremonitorlogsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + } + ] +} 
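Review bot: The KQL body of `Run_Query_And_Fetch_Latest_DHCP_Lookup_Data_For_Selected_Time_Period` splices the incident entity straight into a string literal, `let IP = '@{items('For_each_IP')?['Address']}';`, so a value containing a quote or line break changes the query text instead of being compared as data; the `Address` comes from the incident's related entities, which are derived from ingested logs, so it should be treated as untrusted and rejected by a preceding Condition (for example when it contains `'` or whitespace) before the query action runs. The same splice applies to `ago(@{variables('lookup_time')})`, where the `Lookup Time` description says "in days" but `ago()` needs a KQL timespan like the `14d` default, so entering `14` makes every lookup fail; the description should read `Enter the time period as a KQL timespan (e.g. 14d)`. `For_each_IP` also differs in case from the action name `For_Each_IP`; I believe action lookups are case-insensitive, but aligning the name avoids depending on that. The post-deployment text asks for 'Microsoft Sentinel Contributor' on the workspace, while posting incident comments through the managed identity should only need 'Microsoft Sentinel Responder' as far as I can tell, so the lesser role keeps the playbook identity least-privileged. Field values such as `SourceHostName` from the query result are written unescaped into `html_table` and posted as a comment, which is worth a note in the action name or description so consumers know the content is log-derived.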
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/Images/Infoblox Data Connector Trigger Sync.png b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/Images/Infoblox Data Connector Trigger Sync.png new file mode 100644 index 00000000000..bc476ac6ab5 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/Images/Infoblox Data Connector Trigger Sync.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/README.md b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/README.md new file mode 100644 index 00000000000..fb9bf45102e --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/README.md 
@@ -0,0 +1,39 @@
+# Infoblox Data Connectors Trigger Sync
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+
+## Summary
+
+Playbook to sync timer trigger of all Infoblox data connectors.
+
+### Prerequisites
+
+* Users must have a below Microsoft Azure credentials:
+ * Tenant ID
+ * Client ID
+ * Client Secret
+ * Resource Group Name
+ * Subscription ID
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Subscription : Select Subscription in which you want to deploy the Logic App.
+ * Resource Group: Select Resource Group name in which you want to deploy the Logic App.
+ * Playbook Name: Enter the playbook name
+ * Tenant ID : Enter the Azure Tenant ID.
+ * Client ID : Enter the Azure Client ID.
+ * Client Secret : Enter the Azure Client Secret.
+ * Resource Group Name : Enter the Azure Resource Group Name in which your Infoblox data connectors are available.
+ * Subscription ID : Enter the Azure Subscription ID in which your Infoblox data connectors are available.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Data%20Connector%20Trigger%20Sync%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Data%20Connectors%20Trigger%20Sync%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+a. Run the playbook to sync timer trigger of all Infoblox Data connectors
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/azuredeploy.json
new file mode 100644
index 00000000000..43446739642
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Data Connector Trigger Sync/azuredeploy.json
@@ -0,0 +1,790 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Data-Connector-Trigger-Sync", + "description": "Playbook to sync timer trigger of all Infoblox data connectors.", + "prerequisites": ["Users must have a below Microsoft credentials:", + "1.Tenant ID", + "2.Client ID", + "3.Client Secret", + "4.Resource Group Name", + "5.Subscription ID"], + "postDeployment": ["Run the playbook to sync timer trigger of all Infoblox data connectors."], + "entities": [], + "tags": [ + "Infoblox", + "Sync", + "Timer", + "Trigger" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Data-Connector-Trigger-Sync", + "type": "string", + "metadata": { + "description": "Enter the playbook name" + } + }, + "Tenant ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Tenant ID" + } + }, + "Client ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Client ID" + } + }, + "Client Secret": { + "type": "securestring", + "metadata": { + "description": "Enter the Azure Client Secret" + } + }, + "Resource Group Name": { + "type": "string", + "metadata": { + "description": "Enter the Azure Resource Group Name in which your Infoblox data connectors are available" + } + }, + "Subscription ID": { + "type": "string", + "metadata": { + "description": "Enter the Azure Subscription ID in which your Infoblox data connectors are available, make sure that the subscription id is as per the Azure portal at all places" + } + } + }, + "variables": {}, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { 
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": {} + } + }, + "actions": { + "For_each_app": { + "foreach": "@body('Get_all_Infoblox_Function_apps')", + "actions": { + "Sync_timer_trigger_request": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "POST", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites/@{items('For_each_app')?['name']}/syncfunctiontriggers?api-version=2022-03-01" + } + } + }, + "runAfter": { + "Get_all_Infoblox_Function_apps": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Auth_token": { + "runAfter": { + "Initialize_Management_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "client_id=@{variables('Client Id')}&\nclient_secret=@{variables('Client Secret')}&\ngrant_type=client_credentials&\nscope=https://@{variables('Manage')}.azure.com/.default", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "https://login.@{variables('MicrosoftOnline')}.com/@{variables('Tenant Id')}/oauth2/v2.0/token" + } + }, + "Get_all_Infoblox_Function_apps": { + "runAfter": { + "Get_all_running_function_app": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Get_all_running_function_app')", + "where": "@or(startsWith(item()?['name'], 'Curr'), startsWith(item()?['name'], 'Hist'),startsWith(item()?['name'], 'Jparsehist'),startsWith(item()?['name'], 'Jparsecurr'),startsWith(item()?['name'], 'indhist'),startsWith(item()?['name'], 'indcurr'),startsWith(item()?['name'], 'dossierlook'))" + } + }, + 
"Get_all_running_function_app": { + "runAfter": { + "Parse_function_app_list": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_function_app_list')?['value']", + "where": "@equals(item()?['properties']?['state'], 'Running')" + } + }, + "Get_function_app_list": { + "runAfter": { + "Parse_Auth_token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "GET", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites?api-version=2022-03-01" + } + }, + "Initialize_Client_Id": { + "runAfter": { + "Initialize_Tenant_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Id", + "type": "string", + "value": "[trim(parameters('Client ID'))]" + } + ] + } + }, + "Initialize_Client_Secret": { + "runAfter": { + "Initialize_Client_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Secret", + "type": "string", + "value": "[trim(parameters('Client Secret'))]" + } + ] + } + }, + "Initialize_Management_variable": { + "runAfter": { + "Initialize_Microsoftonline_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Manage", + "type": "string", + "value": "management" + } + ] + } + }, + "Initialize_Microsoftonline_variable": { + "runAfter": { + "Subscription_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MicrosoftOnline", + "type": "string", + "value": "microsoftonline" + } + ] + } + }, + "Initialize_Resource_Group": { + "runAfter": { + "Initialize_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Resource Group Name", 
+ "type": "string", + "value": "[trim(parameters('Resource Group Name'))]" + } + ] + } + }, + "Initialize_Tenant_Id": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Tenant Id", + "type": "string", + "value": "[trim(parameters('Tenant ID'))]" + } + ] + } + }, + "Parse_Auth_token": { + "runAfter": { + "Get_Auth_token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Auth_token')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "ext_expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_function_app_list": { + "runAfter": { + "Get_function_app_list": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_function_app_list')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "identity": { + "properties": { + "principalId": { + "type": "string" + }, + "tenantId": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "kind": { + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "adminEnabled": { + "type": "boolean" + }, + "afdEnabled": { + "type": "boolean" + }, + "availabilityState": { + "type": "string" + }, + "buildVersion": {}, + "cers": {}, + "clientAffinityEnabled": { + "type": "boolean" + }, + "clientCertEnabled": { + "type": "boolean" + }, + "clientCertExclusionPaths": {}, + "clientCertMode": { + "type": "string" + }, + "cloningInfo": {}, + "computeMode": {}, + "containerAllocationSubnet": {}, + "containerSize": { + "type": "integer" + }, + "contentAvailabilityState": { + "type": "string" + }, + "csrs": { + "type": "array" + }, + "customDomainVerificationId": { + "type": "string" + }, + "dailyMemoryTimeQuota": { + 
"type": "integer" + }, + "daprConfig": {}, + "defaultHostName": { + "type": "string" + }, + "defaultHostNameScope": { + "type": "string" + }, + "deploymentId": { + "type": "string" + }, + "dnsConfiguration": { + "properties": {}, + "type": "object" + }, + "domainVerificationIdentifiers": {}, + "eligibleLogCategories": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "enabledHostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "endToEndEncryptionEnabled": { + "type": "boolean" + }, + "ftpUsername": { + "type": "string" + }, + "ftpsHostName": { + "type": "string" + }, + "functionExecutionUnitsCache": {}, + "functionsRuntimeAdminIsolationEnabled": { + "type": "boolean" + }, + "geoDistributions": {}, + "homeStamp": { + "type": "string" + }, + "hostNameSslStates": { + "items": { + "properties": { + "certificateResourceId": {}, + "hostType": { + "type": "string" + }, + "ipBasedSslResult": {}, + "ipBasedSslState": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sslState": { + "type": "string" + }, + "thumbprint": {}, + "toUpdate": {}, + "toUpdateIpBasedSsl": {}, + "virtualIP": {}, + "virtualIPv6": {} + }, + "required": [ + "name", + "sslState", + "ipBasedSslResult", + "virtualIP", + "virtualIPv6", + "thumbprint", + "certificateResourceId", + "toUpdate", + "toUpdateIpBasedSsl", + "ipBasedSslState", + "hostType" + ], + "type": "object" + }, + "type": "array" + }, + "hostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostNamesDisabled": { + "type": "boolean" + }, + "hostingEnvironment": {}, + "hostingEnvironmentId": {}, + "hostingEnvironmentProfile": {}, + "httpsOnly": { + "type": "boolean" + }, + "hyperV": { + "type": "boolean" + }, + "inFlightFeatures": {}, + "inProgressOperationId": {}, + "inboundIpAddress": { + "type": "string" + }, + "ipMode": { + "type": "string" + }, + "isXenon": { + "type": "boolean" + }, + "keyVaultReferenceIdentity": { + "type": "string" + }, + "kind": { + "type": 
"string" + }, + "lastModifiedTimeUtc": { + "type": "string" + }, + "managedEnvironmentId": {}, + "maxNumberOfWorkers": {}, + "migrationState": {}, + "name": { + "type": "string" + }, + "outboundIpAddresses": { + "type": "string" + }, + "owner": {}, + "possibleInboundIpAddresses": { + "type": "string" + }, + "possibleOutboundIpAddresses": { + "type": "string" + }, + "privateEndpointConnections": {}, + "privateLinkIdentifiers": {}, + "publicNetworkAccess": {}, + "redundancyMode": { + "type": "string" + }, + "repositorySiteName": { + "type": "string" + }, + "reserved": { + "type": "boolean" + }, + "resourceConfig": {}, + "resourceGroup": { + "type": "string" + }, + "runtimeAvailabilityState": { + "type": "string" + }, + "scmSiteAlsoStopped": { + "type": "boolean" + }, + "secretsCollection": { + "type": "array" + }, + "selfLink": { + "type": "string" + }, + "serverFarm": {}, + "serverFarmId": { + "type": "string" + }, + "siteConfig": { + "properties": { + "acrUseManagedIdentityCreds": { + "type": "boolean" + }, + "acrUserManagedIdentityID": {}, + "alwaysOn": { + "type": "boolean" + }, + "antivirusScanEnabled": {}, + "apiDefinition": {}, + "apiManagementConfig": {}, + "appCommandLine": {}, + "appSettings": {}, + "autoHealEnabled": {}, + "autoHealRules": {}, + "autoSwapSlotName": {}, + "azureMonitorLogCategories": {}, + "azureStorageAccounts": {}, + "connectionStrings": {}, + "cors": {}, + "customAppPoolIdentityAdminState": {}, + "customAppPoolIdentityTenantState": {}, + "defaultDocuments": {}, + "detailedErrorLoggingEnabled": {}, + "documentRoot": {}, + "elasticWebAppScaleLimit": {}, + "experiments": {}, + "fileChangeAuditEnabled": {}, + "ftpsState": {}, + "functionAppScaleLimit": { + "type": "integer" + }, + "functionsRuntimeScaleMonitoringEnabled": {}, + "handlerMappings": {}, + "healthCheckPath": {}, + "http20Enabled": { + "type": "boolean" + }, + "http20ProxyFlag": {}, + "httpLoggingEnabled": {}, + "ipSecurityRestrictions": {}, + 
"ipSecurityRestrictionsDefaultAction": {}, + "javaContainer": {}, + "javaContainerVersion": {}, + "javaVersion": {}, + "keyVaultReferenceIdentity": {}, + "limits": {}, + "linuxFxVersion": { + "type": "string" + }, + "loadBalancing": {}, + "localMySqlEnabled": {}, + "logsDirectorySizeLimit": {}, + "machineKey": {}, + "managedPipelineMode": {}, + "managedServiceIdentityId": {}, + "metadata": {}, + "minTlsCipherSuite": {}, + "minTlsVersion": {}, + "minimumElasticInstanceCount": { + "type": "integer" + }, + "netFrameworkVersion": {}, + "nodeVersion": {}, + "numberOfWorkers": { + "type": "integer" + }, + "phpVersion": {}, + "powerShellVersion": {}, + "preWarmedInstanceCount": {}, + "publicNetworkAccess": {}, + "publishingPassword": {}, + "publishingUsername": {}, + "push": {}, + "pythonVersion": {}, + "remoteDebuggingEnabled": {}, + "remoteDebuggingVersion": {}, + "requestTracingEnabled": {}, + "routingRules": {}, + "runtimeADUser": {}, + "runtimeADUserPassword": {}, + "scmIpSecurityRestrictions": {}, + "scmIpSecurityRestrictionsDefaultAction": {}, + "scmIpSecurityRestrictionsUseMain": {}, + "scmMinTlsVersion": {}, + "scmType": {}, + "sitePort": {}, + "sitePrivateLinkHostEnabled": {}, + "storageType": {}, + "supportedTlsCipherSuites": {}, + "tracingOptions": {}, + "use32BitWorkerProcess": {}, + "virtualApplications": {}, + "vnetName": {}, + "vnetPrivatePortsCount": {}, + "vnetRouteAllEnabled": {}, + "webSocketsEnabled": {}, + "websiteTimeZone": {}, + "winAuthAdminState": {}, + "winAuthTenantState": {}, + "windowsConfiguredStacks": {}, + "windowsFxVersion": {}, + "xManagedServiceIdentityId": {} + }, + "type": "object" + }, + "siteDisabledReason": { + "type": "integer" + }, + "siteMode": {}, + "siteProperties": { + "properties": { + "appSettings": {}, + "metadata": {}, + "properties": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + 
}, + "type": "array" + } + }, + "type": "object" + }, + "sku": { + "type": "string" + }, + "slotName": {}, + "slotSwapStatus": {}, + "sshEnabled": {}, + "sslCertificates": {}, + "state": { + "type": "string" + }, + "storageAccountRequired": { + "type": "boolean" + }, + "storageRecoveryDefaultState": { + "type": "string" + }, + "suspendedTill": {}, + "tags": {}, + "targetBuildVersion": {}, + "targetSwapSlot": {}, + "trafficManagerHostNames": {}, + "usageState": { + "type": "string" + }, + "useContainerLocalhostBindings": {}, + "virtualNetworkSubnetId": {}, + "vnetBackupRestoreEnabled": { + "type": "boolean" + }, + "vnetContentShareEnabled": { + "type": "boolean" + }, + "vnetImagePullEnabled": { + "type": "boolean" + }, + "vnetRouteAllEnabled": { + "type": "boolean" + }, + "webSpace": { + "type": "string" + }, + "workloadProfileName": {} + }, + "type": "object" + }, + "tags": { + "properties": { + "Jira": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "kind", + "location", + "properties" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Subscription_Id": { + "runAfter": { + "Initialize_Resource_Group": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Subscription Id", + "type": "string", + "value": "[trim(parameters('Subscription ID'))]" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": {} + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Data-Connector-Trigger-Sync", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [] + } + ] +} \ No newline at end of file 
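Review bot: `Client Secret` is a `securestring` ARM parameter, but `Initialize_Client_Secret` copies it into a plain string workflow variable and `Get_Auth_token` posts it in the request body, so the deployed workflow definition and that action's run-history inputs both expose the secret to anyone who can read the Logic App. The resource already declares `"identity": {"type": "SystemAssigned"}`, so `Get_function_app_list` and `Sync_timer_trigger_request` could authenticate with `"authentication": {"type": "ManagedServiceIdentity", "audience": "https://management.azure.com"}` (given a role assignment on the target resource group), letting the client-credential flow, `Parse_Auth_token` and the `Tenant Id`/`Client Id`/`Client Secret` variables be dropped; if the secret must stay, hold it in a `SecureString` workflow parameter and set `"runtimeConfiguration": {"secureData": {"properties": ["inputs", "outputs"]}}` on `Get_Auth_token` and `Parse_Auth_token`. Two smaller defects in the same actions: both `Authorization` header values end with a trailing space after the token, and the `&\n` sequences in the token request body place a newline at the start of the `client_secret`, `grant_type` and `scope` field names unless the endpoint trims them. The companion README's government-cloud button encodes the path `Infoblox%20Data%20Connectors%20Trigger%20Sync`, which does not match this file's directory `Infoblox Data Connector Trigger Sync`.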
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/Images/InfobloxGetHostName.png b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/Images/InfobloxGetHostName.png
new file mode 100644
index 00000000000..fc204da4eb4
Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/Images/InfobloxGetHostName.png differ
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/README.md b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/README.md
new file mode 100644
index 00000000000..2e376c934d4
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/README.md
@@ -0,0 +1,35 @@
+# Infoblox Get Host Name
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will retrieve data from the 'Hosts' API and import it into a custom table within the Azure Log Analytics Workspace.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20Host%20Name%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20Host%20Name%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select connection resource
+2. Go to General -> edit API connection
+3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created
+4. Click Save
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/azuredeploy.json
new file mode 100644
index 00000000000..63c103a0fd0
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Get Host Name/azuredeploy.json
@@ -0,0 +1,503 @@ + { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Get-Host-Name", + "description": "The playbook will fetch the data from 'Hosts' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. Click Save" + ], + "entities": [ "Host" ], + "tags": [ "Infoblox", "Host Name" ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-Host-Name", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { + }, + "type": "Object" + }, + "API Key": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", + "value": 25 + } + ] + }, + "runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + 
"runAfter": { + "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "Host_Name_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_Host_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_Host_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_Host_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { + "name": 
"Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "runAfter": {}, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_Host_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_1']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Host_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_Host_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_Host_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_Host_Endpoint')", + "schema": { + "results": [ + { + "configs": [ + { + "id": "string", + "service_id": "string", + "service_type": "string", + "upgraded_at": "string" + } + ], + "created_at": "string", + "display_name": "string", + "host_type": "string", + "id": "string", + "ip_address": "string", + "legacy_id": "string", + "mac_address": "string", + "maintenance_mode": "string", + "ophid": "string", + "pool_id": "string", + "tags": {}, + "timezone": "string", + "updated_at": "string" + } + ] + } + }, + "runAfter": {}, + "type": "ParseJson" + } + }, + "else": { + "actions": { + 
"Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Host_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_Host_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_Request_To_Host_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/infra/v1/hosts" + }, + "runAfter": {}, + "type": "Http" + } + }, + "expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Get-Host-Name", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + 
"name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + ] + } diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/Images/InfobloxGetIPSpaceData.png b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/Images/InfobloxGetIPSpaceData.png new file mode 100644 index 00000000000..f3e9276a712 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/Images/InfobloxGetIPSpaceData.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/README.md b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/README.md new file mode 100644 index 00000000000..769770fcac3 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/README.md 
@@ -0,0 +1,35 @@
+# Infoblox Get IP Space Data
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will retrieve data from the 'IP Space' API and import it into a custom table within the Azure Log Analytics Workspace.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20IP%20Space%20Data%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20IP%20Space%20Data%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select connection resource
+2. Go to General -> edit API connection
+3. Provide Workspace ID and Workspace key of Log Analytics Workspace where table will be created
+4. Click Save
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/azuredeploy.json
new file mode 100644
index 00000000000..f82e8a3b22a
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Get IP Space Data/azuredeploy.json
@@ -0,0 +1,854 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Get-IP-Space-Data", + "description": "The playbook will fetch the data from 'IP Space' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "4. Click Save" + ], + "entities": [ "IP" ], + "tags": [ "Infoblox", "IP Space Name" ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-IP-Space-Data", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter value for API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base Url for your Infoblox instance. (e.g. 
https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { + }, + "type": "Object" + }, + "API Key": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[trim(parameters('Infoblox Base Url'))]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", + "value": 25 + } + ] + }, + "runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + 
"runAfter": { + "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "IP_Space_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_IP_Space_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_IP_Space_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_IP_Space_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { 
+ "name": "Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "runAfter": {}, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')?['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_IP_Space_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_3']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Space_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_IP_Space_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Space_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_IP_Space_Endpoint')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + }, + "enable": { + "type": "boolean" + }, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": "integer" + }, + "growth_factor": { + "type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "format": 
"date-time", + "type": "string" + } + }, + "required": [ + "asm_threshold", + "enable", + "enable_notification", + "forecast_period", + "growth_factor", + "growth_type", + "history", + "min_total", + "min_unused", + "reenable_date" + ], + "type": "object" + }, + "asm_scope_flag": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "format": "date-time", + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "default_realms": { + "items": { + "type": "string" + }, + "type": "array" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters_large_selection": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters_v6": { + "items": { + "type": "string" + }, + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + "ignore_list": { + "items": { + "type": "string" + }, + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "required": [ + "abandoned_reclaim_time", + "abandoned_reclaim_time_v6", + "allow_unknown", + "allow_unknown_v6", + "echo_client_id", + "filters", + "filters_large_selection", + "filters_v6", + "ignore_client_uid", + 
"ignore_list", + "lease_time", + "lease_time_v6" + ], + "type": "object" + }, + "dhcp_options": { + "items": { + "properties": { + "group": { + "type": [ + "string", + "null" + ] + }, + "option_code": { + "type": "string" + }, + "option_value": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "group", + "option_code", + "option_value", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "dhcp_options_v6": { + "items": { + "type": "object" + }, + "type": "array" + }, + "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": "string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + "hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "inheritance_sources": { + "type": [ + "object", + "null" + ] + }, + "name": { + "type": "string" + }, + "tags": { + "type": [ + "object", + "null" + ] + }, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "required": [ + "enabled", + "high", + "low" + ], + "type": "object" + }, + "updated_at": { + "format": "date-time", + "type": "string" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "required": [ + "abandon_utilization", + "abandoned", + "dynamic", + "free", + "static", + "total", + "used", + "utilization" + ], + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + 
"type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "required": [ + "abandoned", + "dynamic", + "static", + "total", + "used" + ], + "type": "object" + }, + "vendor_specific_option_option_space": { + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "asm_config", + "asm_scope_flag", + "comment", + "compartment_id", + "created_at", + "ddns_client_update", + "ddns_conflict_resolution_mode", + "ddns_domain", + "ddns_generate_name", + "ddns_generated_prefix", + "ddns_send_updates", + "ddns_ttl_percent", + "ddns_update_on_renew", + "ddns_use_conflict_resolution", + "default_realms", + "dhcp_config", + "dhcp_options", + "dhcp_options_v6", + "header_option_filename", + "header_option_server_address", + "header_option_server_name", + "hostname_rewrite_char", + "hostname_rewrite_enabled", + "hostname_rewrite_regex", + "id", + "inheritance_sources", + "name", + "tags", + "threshold", + "updated_at", + "utilization", + "utilization_v6", + "vendor_specific_option_option_space" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "results" + ], + "type": "object" + } + }, + "runAfter": {}, + "type": "ParseJson" + } + }, + "else": { + "actions": { + "Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_IP_Space_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_IP_Space_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_Request_To_IP_Space_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/ddi/v1/ipam/ip_space" + }, + "runAfter": {}, + "type": "Http" + } + }, + 
"expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_3": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Get-IP-Space-Data", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + ] +} 
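Review bot: The `Infoblox API Key` deployment parameter is a `securestring`, but the workflow parameter `API Key` that receives it is declared `"type": "String"`, so the key is stored in clear text in the saved workflow definition and the `Authorization: Token …` header of `HTTP_Request_To_IP_Space_Endpoint` is recorded unmasked in the action's run-history inputs. Declare it as `"type": "SecureString"` and add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs" ] } }` to the HTTP action so the header is redacted in run history; the Get Service Name template in the following hunk has the same issue. Separately, `Condition_To_Verify_API_Call_Is_Success_Or_Not` runs after `"Succeeded"` only, while the Http action itself fails on 4xx/5xx responses, so the else branch that sets `Break_Loop` for a non-200 status appears reachable only for other 2xx codes and an authentication or rate-limit error fails the Until loop instead; `"HTTP_Request_To_IP_Space_Endpoint": [ "Succeeded", "Failed" ]`, as already done for the workspace send, would let that branch do its job. Finally, the Parse JSON schema lists every field of each result as `required`, so a single absent field in any page fails the whole run; since the playbook forwards `results` wholesale, trimming `required` to the top-level `results` would be safer.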
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/Images/InfobloxGetServiceName.png b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/Images/InfobloxGetServiceName.png
new file mode 100644
index 00000000000..d086e80895e
Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/Images/InfobloxGetServiceName.png differ
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/README.md b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/README.md
new file mode 100644
index 00000000000..1c07a8ebf5a
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/README.md
@@ -0,0 +1,35 @@
+# Infoblox Get Service Name
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will retrieve data from the 'Services' API and import it into a custom table within the Azure Log Analytics Workspace.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20Service%20Name%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20Get%20Service%20Name%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select connection resource
+2. Go to General -> edit API connection
+3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created
+4. Click Save
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/azuredeploy.json
new file mode 100644
index 00000000000..7347ff69490
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox Get Service Name/azuredeploy.json
@@ -0,0 +1,501 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-Get-Service-Name", + "description": "This playbook will fetch the data from 'Services' API and ingest it into custom table", + "prerequisites": [ + "1. User must have a valid Infoblox API Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize connection.", + "1. Go to your logic app -> API connections -> Select connection resource", + "2. Go to General -> edit API connection", + "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created", + "3. Click Save" + ], + "entities": [], + "tags": [ "Infoblox", "Service Name" ], + "lastUpdateTime": "2024-08-09T15:24:09.773Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-Get-Service-Name", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'PlaybookName' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter baseurl for your Infoblox instance.(e.g. 
https://csp.infoblox.com)" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { + }, + "type": "Object" + }, + "API Key": { + "defaultValue": "[parameters('Infoblox API Key')]", + "type": "String" + }, + "BaseUrl": { + "defaultValue": "[parameters('Infoblox Base Url')]", + "type": "String" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "Initialize_Base_URL": { + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Initialize_Break_Loop": { + "inputs": { + "variables": [ + { + "name": "Break_Loop", + "type": "boolean", + "value": "@false" + } + ] + }, + "runAfter": { + "Initialize_Limit": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Limit": { + "inputs": { + "variables": [ + { + "name": "limit", + "type": "integer", + "value": 25 + } + ] + }, + "runAfter": { + "Initialize_Offset": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Offset": { + "inputs": { + "variables": [ + { + "name": "offset", + "type": "integer", + "value": 0 + } + ] + }, + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Retry_Count": { + "inputs": { + "variables": [ + { + "name": "Retry Count", + "type": "integer", + "value": 3 + } + ] + }, + "runAfter": { 
+ "Initialize_Table_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Initialize_Table_Name": { + "inputs": { + "variables": [ + { + "name": "Table Name", + "type": "string", + "value": "Service_Name_Info" + } + ] + }, + "runAfter": { + "Initialize_Break_Loop": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Until_Loop_For_Fetching_Service_Endpoint_Data_With_Pagination": { + "actions": { + "Condition_To_Verify_API_Call_Is_Success_Or_Not": { + "actions": { + "Condition_For_Services_Result_Is_Available_Or_Not": { + "actions": { + "Set_Break_Loop_True_Because_Of_Empty_Results": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Data_Is_Sent_To_Workspace": { + "actions": { + "Condition_For_Length_Of_Data_is_Less_Than_Limit_": { + "actions": { + "Set_Break_Loop_True_Because_Of_Data_Is_Less_Than_Limit": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(body('Parse_JSON_For_Services_Data')?['results'])", + "@variables('limit')" + ] + } + ] + }, + "runAfter": { + "Increment_Offset_By_Limit": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Increment_Offset_By_Limit": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "else": { + "actions": { + "Condition_To_Check_Retry_Count": { + "actions": { + "Increment_Offset_And_Skip_The_One_Page": { + "inputs": { + "name": "offset", + "value": "@variables('limit')" + }, + "runAfter": { + "Set_New_Retry_Count": [ + "Succeeded" + ] + }, + "type": "IncrementVariable" + }, + "Set_New_Retry_Count": { + "inputs": { + "name": 
"Retry Count", + "value": 3 + }, + "runAfter": {}, + "type": "SetVariable" + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('Retry Count')", + 0 + ] + } + ] + }, + "runAfter": { + "Decrement_Retry_Count": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Decrement_Retry_Count": { + "inputs": { + "name": "Retry Count", + "value": 1 + }, + "runAfter": {}, + "type": "DecrementVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('Send_Data_Into_Log_Analytics_Workspace')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "Send_Data_Into_Log_Analytics_Workspace": [ + "Succeeded", + "Failed" + ] + }, + "type": "If" + }, + "Send_Data_Into_Log_Analytics_Workspace": { + "inputs": { + "body": "@{body('Parse_JSON_For_Services_Data')?['results']}", + "headers": { + "Log-Type": "@variables('Table Name')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + }, + "runAfter": {}, + "type": "ApiConnection" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Services_Data')?['results'])", + "@true" + ] + } + ] + }, + "runAfter": { + "Parse_JSON_For_Services_Data": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Parse_JSON_For_Services_Data": { + "inputs": { + "content": "@body('HTTP_Request_To_Services_Endpoint')", + "schema": { + "results": [ + { + "configs": [ + { + "current_version": "string", + "host_id": "string", + "id": "string", + "service_id": "string", + "upgraded_at": "string" + } + ], + "created_at": "string", + "desired_state": "string", + "destinations": [], + "id": "string", + "name": "string", + "pool_id": "string", + "service_type": "string", + "source_interfaces": [], + "tags": {}, + "updated_at": "string" + } + ] + } + }, + "runAfter": {}, + "type": "ParseJson" + } + }, + "else": { + "actions": { + 
"Set_Break_Loop_True_Because_Of_Status_Code_Is_Not_200": { + "inputs": { + "name": "Break_Loop", + "value": "@true" + }, + "runAfter": {}, + "type": "SetVariable" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Services_Endpoint')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_Request_To_Services_Endpoint": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_Request_To_Services_Endpoint": { + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_limit": "@{variables('limit')}", + "_offset": "@{variables('offset')}" + }, + "uri": "@{variables('base_url')}/api/infra/v1/services" + }, + "runAfter": {}, + "type": "Http" + } + }, + "expression": "@equals(variables('Break_Loop'), true)", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "runAfter": { + "Initialize_Retry_Count": [ + "Succeeded" + ] + }, + "type": "Until" + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-Get-Service-Name", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": 
"2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/Images/InfobloxIPAMLookup.png b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/Images/InfobloxIPAMLookup.png new file mode 100644 index 00000000000..79ebd22043c Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/Images/InfobloxIPAMLookup.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/README.md b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/README.md new file mode 100644 index 00000000000..30a507884c6 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/README.md 
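Review bot: The `schema` given to `Parse_JSON_For_Services_Data` is a sample payload (`"results": [ { "configs": [ … "current_version": "string" …`), not a JSON Schema — it carries no `type`/`properties`/`required` keywords, so the action validates nothing, and the template is inconsistent with the IP Space Data playbook, which ships a real schema. Replace it with a schema generated from that sample, or at minimum `{ "type": "object", "properties": { "results": { "type": "array" } }, "required": [ "results" ] }` so a malformed response fails at parse time rather than inside the workspace send. In the same file, `Condition_To_Check_Data_Is_Sent_To_Workspace` reads `@outputs('Send_Data_Into_Log_Analytics_Workspace')['statusCode']` without the `?` operator the IP Space Data template uses; because the condition also runs after `Failed`, a send that fails before producing outputs may make the expression itself fail instead of reaching the retry branch. The `postDeployment` list also numbers the last step `3.` twice, and `API Key` is passed without the `trim()` the sibling template applies.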
@@ -0,0 +1,46 @@
+# Infoblox IPAM Lookup
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20IPAM%20Lookup%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20IPAM%20Lookup%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+
+#### a. Assign Role to add comment in incident
+
+Assign role to this playbook.
+
+1. Go to Log Analytics Workspace → → Access Control → Add
+2. Add role assignment
+3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
+4. Members: select managed identity for assigned access to and add your logic app as member
+5. Click on review+assign
+
+#### b. Configurations in Microsoft Sentinel
+
+1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
+2. To manually run the playbook on a particular incident follow the below steps:
+a. Go to Microsoft Sentinel -> -> Incidents
+b. Select an incident
+c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option
+d. Click on the Run button beside this playbook
diff --git a/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/azuredeploy.json
new file mode 100644
index 00000000000..136a8d830c2
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox IPAM Lookup/azuredeploy.json
@@ -0,0 +1,2024 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-IPAM-Lookup", + "description": "The playbook will retrieve IP entities from an incident, call an API to obtain IPAM lookup data, and add this data, along with IP space and subnet information, as a comment on the incident.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key." + ], + "postDeployment": [ + "**a. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**b. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": ["IP"], + "tags": ["Infoblox", "IPAM", "IP", "Lookup"], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-IPAM-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "metadata": { + "description": "Enter Base URL for your Infoblox instance. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "API Key": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "String" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[trim(parameters('Infoblox Base Url'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + 
"Condition_To_Terminate_Execution_If_Error_Occurred_While_Fetching_IPs_Data": { + "actions": { + "Terminate_Due_To_Error_Occured_While_API_Failure": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "@variables('error_message')" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "For_Each_IP_Address": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('api_failure_error')", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Add_Comment_To_Incident_No_IPs_Found": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No IPs found associated with incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Terminate_Due_To_No_IPs_Found_Associated_With_Incident_Entities": { + "runAfter": { + "Add_Comment_To_Incident_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@length(body('Entities_-_Get_IPs')?['IPs'])", + 0 + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Initialize_Error_False_While_Fetching_IP_Details_From_API": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP_Address": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_If_IP_Address_is_Empty": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_If_IP_Lookup_Information_Fetched_Successfully": { + "actions": { + "Condition_To_Verify_IP_Lookup_Results_Are_Empty": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Does_Not_Reach_Limit": { + "actions": { + "Add_Comment_To_Incident_For_No_Results_Found_For_IP_Address": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No IPAM Lookup Results Found For IP: @{items('For_Each_IP_Address')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count": { + "runAfter": { + "Add_Comment_To_Incident_For_No_Results_Found_For_IP_Address": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Comment_Count_Reach_To_99": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_To_100": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_JSON_For_IP_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Comment_For_Whole_API_Response_Of_One_IP": { + "actions": { + "Add_Comment_To_Incident_For_Whole_API_Response_Of_One_IP_Traversed_(V3)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Add_Comment_To_Incident_For_Whole_API_Response_Of_One_IP_Traversed_(V3)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Reset_Incident_Comment_For_Whole_API_Response_Of_One_IP": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment_For_Whole_API_Response_Of_One_IP": { + "runAfter": { + "Increment_Number_Of_Comments_For_Whole_API_Response_Of_One_IP": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "runAfter": { + "For_Each_IP_Lookup_Result": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + }, + { + "not": { + "equals": [ + "@variables('incident_comment')", + "@null" + ] + } + } + ] + }, + "type": "If" + }, + "For_Each_IP_Lookup_Result": { + "foreach": "@body('Parse_JSON_For_IP_Lookup_Data')?['results']", + "actions": { + "Append_End_String_Of_HTML_Table": { + "runAfter": { + "Condition_To_Verify_Subnet_Id_Empty": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "

" + } + }, + "Append_HTML_Table_Record_To_HTML_Table": { + "runAfter": { + "Append_End_String_Of_HTML_Table": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "@variables('html_table_record')" + } + }, + "Append_to_Human_Readable_Tags": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "Human_Readable_Tags", + "value": "@replace(replace(replace(replace(replace(string(items('For_Each_IP_Lookup_Result')?['tags']),'\"',''),'{',''),'}',''),':',' : '),',',variables('new_line'))" + } + }, + "Condition_To_Verify_Comment_Exceeded_More_Than_30000_Characters_Limit": { + "actions": { + "Set_Incident_Comment": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@variables('html_table')" + } + } + }, + "runAfter": { + "Append_HTML_Table_Record_To_HTML_Table": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Comment_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comment": { + "runAfter": { + "Add_Comment_To_Incident": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table": { + "runAfter": { + "Reset_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment": { + "runAfter": { + "Increment_Number_Of_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(3)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Incident_Comment": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(3)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "no_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('no_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_IP_Space_Id_Is_Empty": { + "actions": {}, + "runAfter": { + "Set_IP_Space": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_IP_Space_Lookup_Is_Success_Or_Not": { + "actions": { + "Condition_To_Verify_That_IP_Space_Lookup_Result_is_Empty": { + "actions": {}, + "runAfter": { + "Parse_JSON_For_IP_Space_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_IP_Space_Name_To_HTML_Table": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table_record", + "value": "IP Space@{body('Parse_JSON_For_IP_Space_Lookup_Data')?['result']?['name']}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Space_Lookup_Data')?['result'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Space_Lookup_Data": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')", + "schema": { + "properties": { + "result": { + "properties": { + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + }, + "enable": { + "type": "boolean" + 
}, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": "integer" + }, + "growth_factor": { + "type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "type": "string" + } + }, + "type": "object" + }, + "asm_scope_flag": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "default_realms": { + "type": "array" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "type": "array" + }, + "filters_large_selection": { + "type": "array" + }, + "filters_v6": { + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + "ignore_list": { + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "type": "object" + }, + "dhcp_options": { + "items": { + "properties": { + "group": {}, + "option_code": { + "type": "string" + }, + "option_value": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "dhcp_options_v6": { + "type": "array" + }, 
+ "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": "string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + "hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "inheritance_sources": {}, + "name": { + "type": "string" + }, + "tags": {}, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "type": "object" + }, + "updated_at": { + "type": "string" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "type": "object" + }, + "vendor_specific_option_option_space": {} + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_For_An_IP_Space_": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_IP_Space_API_Failure": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "error_message_ip_space", + "value": "IP Space API request failed with status code:@{outputs('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')['statusCode']} and error message: @{body('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + 
"@outputs('HTTP_Request_To_Lookup_Information_For_An_IP_Space_')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Lookup_Information_For_An_IP_Space_": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "uri": "@{variables('base_url')}/api/ddi/v1/@{variables('ip_space_id')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('ip_space_id'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Verify_Subnet_Id_Empty": { + "actions": {}, + "runAfter": { + "Set_Subnet": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Subnet_Lookup_Is_Success_Or_Not": { + "actions": { + "Condition_For_Subnet_Lookup_Result_is_Empty": { + "actions": {}, + "runAfter": { + "Parse_JSON_For_Subnet_Lookup_Data": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Append_Subnet_Name_To_HTML_Table": { + "runAfter": {}, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table_record", + "value": "Subnet Name@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['name']}\nSubnet@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['address']}/@{body('Parse_JSON_For_Subnet_Lookup_Data')?['result']?['cidr']}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Subnet_Lookup_Data')?['result'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Subnet_Lookup_Data": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_For_Subnet')", + "schema": { + "properties": { + "result": { + "properties": { + "address": { + "type": "string" + }, + "asm_config": { + "properties": { + "asm_threshold": { + "type": "integer" + }, + "enable": { + "type": "boolean" + }, + "enable_notification": { + "type": "boolean" + }, + "forecast_period": { + "type": "integer" + }, + "growth_factor": { + 
"type": "integer" + }, + "growth_type": { + "type": "string" + }, + "history": { + "type": "integer" + }, + "min_total": { + "type": "integer" + }, + "min_unused": { + "type": "integer" + }, + "reenable_date": { + "type": "string" + } + }, + "type": "object" + }, + "asm_scope_flag": { + "type": "integer" + }, + "cidr": { + "type": "integer" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "ddns_client_update": { + "type": "string" + }, + "ddns_conflict_resolution_mode": { + "type": "string" + }, + "ddns_domain": { + "type": "string" + }, + "ddns_generate_name": { + "type": "boolean" + }, + "ddns_generated_prefix": { + "type": "string" + }, + "ddns_send_updates": { + "type": "boolean" + }, + "ddns_ttl_percent": { + "type": "integer" + }, + "ddns_update_on_renew": { + "type": "boolean" + }, + "ddns_use_conflict_resolution": { + "type": "boolean" + }, + "dhcp_config": { + "properties": { + "abandoned_reclaim_time": { + "type": "integer" + }, + "abandoned_reclaim_time_v6": { + "type": "integer" + }, + "allow_unknown": { + "type": "boolean" + }, + "allow_unknown_v6": { + "type": "boolean" + }, + "echo_client_id": { + "type": "boolean" + }, + "filters": { + "type": "array" + }, + "filters_large_selection": { + "type": "array" + }, + "filters_v6": { + "type": "array" + }, + "ignore_client_uid": { + "type": "boolean" + }, + "ignore_list": { + "type": "array" + }, + "lease_time": { + "type": "integer" + }, + "lease_time_v6": { + "type": "integer" + } + }, + "type": "object" + }, + "dhcp_host": {}, + "dhcp_options": { + "type": "array" + }, + "dhcp_utilization": { + "properties": { + "dhcp_free": { + "type": "string" + }, + "dhcp_total": { + "type": "string" + }, + "dhcp_used": { + "type": "string" + }, + "dhcp_utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "disable_dhcp": { + "type": "boolean" + }, + "discovery_attrs": {}, + "discovery_metadata": {}, + 
"federated_realms": { + "type": "array" + }, + "federation": { + "type": "string" + }, + "header_option_filename": { + "type": "string" + }, + "header_option_server_address": { + "type": "string" + }, + "header_option_server_name": { + "type": "string" + }, + "hostname_rewrite_char": { + "type": "string" + }, + "hostname_rewrite_enabled": { + "type": "boolean" + }, + "hostname_rewrite_regex": { + "type": "string" + }, + "id": { + "type": "string" + }, + "inheritance_assigned_hosts": { + "type": "array" + }, + "inheritance_parent": {}, + "inheritance_sources": {}, + "name": { + "type": "string" + }, + "parent": {}, + "protocol": { + "type": "string" + }, + "rebind_time": { + "type": "integer" + }, + "renew_time": { + "type": "integer" + }, + "space": { + "type": "string" + }, + "tags": {}, + "threshold": { + "properties": { + "enabled": { + "type": "boolean" + }, + "high": { + "type": "integer" + }, + "low": { + "type": "integer" + } + }, + "type": "object" + }, + "updated_at": { + "type": "string" + }, + "usage": { + "items": { + "type": "string" + }, + "type": "array" + }, + "utilization": { + "properties": { + "abandon_utilization": { + "type": "integer" + }, + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "free": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + }, + "utilization": { + "type": "integer" + } + }, + "type": "object" + }, + "utilization_v6": { + "properties": { + "abandoned": { + "type": "string" + }, + "dynamic": { + "type": "string" + }, + "static": { + "type": "string" + }, + "total": { + "type": "string" + }, + "used": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_For_Subnet": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_Subnet_API_Failure": { + "runAfter": 
{}, + "type": "SetVariable", + "inputs": { + "name": "error_message_subnet", + "value": "IP Space API request failed with status code:@{outputs('HTTP_Request_To_Lookup_Information_For_Subnet')['statusCode']} and error message:@{body('HTTP_Request_To_Lookup_Information_For_Subnet')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Lookup_Information_For_Subnet')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Lookup_Information_For_Subnet": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "uri": "@{variables('base_url')}/api/ddi/v1/@{variables('subnet_id')}" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(variables('subnet_id'))", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Set_HTML_Table": { + "runAfter": { + "Append_to_Human_Readable_Tags": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table_record", + "value": "

\n\n\n\n\n\n\n\n" + } + }, + "Set_IP_Space": { + "runAfter": { + "Set_HTML_Table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "ip_space_id", + "value": "@items('For_Each_IP_Lookup_Result')?['space']" + } + }, + "Set_Subnet": { + "runAfter": { + "Condition_To_Verify_IP_Space_Id_Is_Empty": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "subnet_id", + "value": "@items('For_Each_IP_Lookup_Result')?['parent']" + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_IP_Lookup_Data')?['results'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_IP_Lookup_Data": { + "runAfter": { + "Set_Error_False_For_API_Failure": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Lookup_Information_About_An_IP_Address')", + "schema": { + "properties": { + "results": { + "items": { + "properties": { + "address": { + "type": "string" + }, + "comment": { + "type": "string" + }, + "compartment_id": { + "type": "string" + }, + "created_at": { + "type": "string" + }, + "dhcp_info": { + "properties": { + "client_hostname": { + "type": "string" + }, + "client_hwaddr": { + "type": "string" + }, + "client_id": { + "type": "string" + }, + "end": { + "type": "string" + }, + "fingerprint": { + "type": "string" + }, + "iaid": { + "type": "integer" + }, + "lease_type": { + "type": "string" + }, + "preferred_lifetime": { + "type": "string" + }, + "remain": { + "type": "integer" + }, + "start": { + "type": "string" + }, + "state": { + "type": "string" + }, + "state_ts": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "disable_dhcp": { + "type": "boolean" + }, + "discovery_attrs": { + "properties": { + "ip_address": { + "type": "string" + }, + "network": { + "type": "string" + }, + "os": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + 
"discovery_metadata": { + "properties": { + "first_discovered_timestamp": { + "type": "string" + }, + "last_discovered_timestamp": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "host": { + "type": [ + "string", + "null" + ] + }, + "hwaddr": { + "type": "string" + }, + "id": { + "type": "string" + }, + "interface": { + "type": "string" + }, + "names": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "parent": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "range": { + "type": [ + "string", + "null" + ] + }, + "space": { + "type": "string" + }, + "state": { + "type": "string" + }, + "tags": { + "properties": { + "nios/grid_name": { + "type": "string" + }, + "nios/import_timestamp": { + "type": "string" + }, + "nios/imported": { + "type": "string" + } + }, + "type": [ + "object", + "null" + ] + }, + "updated_at": { + "type": "string" + }, + "usage": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "address", + "comment", + "compartment_id", + "created_at", + "dhcp_info", + "disable_dhcp", + "discovery_attrs", + "discovery_metadata", + "host", + "hwaddr", + "id", + "interface", + "names", + "parent", + "protocol", + "range", + "space", + "state", + "tags", + "updated_at", + "usage" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Set_Error_False_For_API_Failure": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "api_failure_error", + "value": "@false" + } + } + }, + "runAfter": { + "HTTP_Request_To_Lookup_Information_About_An_IP_Address": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Set_Error_Message_For_IPAM_API_Failure": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "error_message", + "value": "IPAM API request failed with status 
code:@{outputs('HTTP_Request_To_Lookup_Information_About_An_IP_Address')['statusCode']} and error message: for ip @{items('For_Each_IP_Address')?['Address']}" + } + }, + "Set_Error_True_For_API_Failure": { + "runAfter": { + "Set_Error_Message_For_IPAM_API_Failure": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "api_failure_error", + "value": "@true" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Lookup_Information_About_An_IP_Address')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Lookup_Information_About_An_IP_Address": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "_filter": "address=='@{items('For_Each_IP_Address')?['Address']}'" + }, + "uri": "@{variables('base_url')}/api/ddi/v1/ipam/address" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(items('For_Each_IP_Address')?['Address'])", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Base_URL": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Error_False_While_Fetching_IP_Details_From_API": { + "runAfter": { + "Initialize_Error_Message_For_Subnet_ID": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "api_failure_error", + "type": "boolean", + "value": "@false" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_New_Line": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + 
"type": "string" + } + ] + } + }, + "Initialize_Error_Message_For_IP_Space_Name": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message_ip_space", + "type": "string" + } + ] + } + }, + "Initialize_Error_Message_For_Subnet_ID": { + "runAfter": { + "Initialize_Error_Message_For_IP_Space_Name": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message_subnet", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table_Record": { + "runAfter": { + "Initialize_HTML_Table": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table_record", + "type": "string" + } + ] + } + }, + "Initialize_Human_Readable_Tags": { + "runAfter": { + "Initialize_Subnet_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "human_readable_tags", + "type": "string" + } + ] + } + }, + "Initialize_IP_Space_Id": { + "runAfter": { + "Initialize_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "ip_space_id", + "type": "string" + } + ] + } + }, + "Initialize_Incident_Comment": { + "runAfter": { + "Initialize_HTML_Table_Record": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_comment", + "type": "string" + } + ] + } + }, + "Initialize_New_Line": { + "runAfter": { + "Initialize_Human_Readable_Tags": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "new_line", + "type": "string", + "value": "\n" + } + ] + } + }, + 
"Initialize_Number_Of_Comments": { + "runAfter": { + "Initialize_Base_URL": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "no_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Subnet_Id": { + "runAfter": { + "Initialize_IP_Space_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "subnet_id", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-IPAM-Lookup", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/Images/InfobloxSOCGetInsightDetails.png b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/Images/InfobloxSOCGetInsightDetails.png new file mode 100644 index 00000000000..4fe0775ab41 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/Images/InfobloxSOCGetInsightDetails.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/README.md b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/README.md new file mode 100644 index 00000000000..d92bf992344 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/README.md 
@@ -0,0 +1,55 @@
+# Infoblox SOC Get Insight Details
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+This playbook uses the Infoblox SOC Insights API to **get all the details** about an SOC Insight Incident. These Incidents are triggered by the **Infoblox - SOC Insight Detected** analytic queries packaged as part of this solution. These queries will read your data for insights and create an Incident when one is found, hereby known as a **SOC Insight Incident**.
+
+Then, you can run this playbook on those incidents to **ingest many details about the Insight**, placed in several custom tables prefixed with ```InfobloxInsight```. This data also builds the **Infoblox SOC Insight Workbook** you can use to richly visualize and drilldown your Insights.
+
+It will also add **several tags** to the SOC Insight Incident.
+
+This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+2. User must have a valid Workspace ID.
+3. User must have a valid Workspace Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Workspace ID: Enter value for Workspace ID,use same Workspace ID for Authorization
+ * Workspace Key: Enter value for Workspace Key,use same Workspace Key for Authorization
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Get%20Insight%20Details%2Fazuredeploy.json)[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Get%20Insight%20Details%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
+2. Go to General -> edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for other connections
+
+#### b. Assign Role to Update in incident
+
+Assign role to this playbook
+
+1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment
+3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
+4. Members: select managed identity for assigned access to and add your logic app as member
+5. Click on review+assign
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/azuredeploy.json
new file mode 100644
index 00000000000..89c88dd9843
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Insight Details/azuredeploy.json
@@ -0,0 +1,916 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-SOC-Get-Insight-Details", + "description": "Leverages the Infoblox SOC Insights API to enrich a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight & ingest Insight details into custom InfobloxInsight tables. The tables are used to build the Infoblox SOC Insights Workbook. This playbook can be configured to run automatically when an incident occurs (recommended) or run on demand.", + "prerequisites": [ + "1. User must have a valid Infoblox API Key", + "2. User must have a valid Workspace ID", + "3. User must have a valid Workspace Key" + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign Role to Update in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. 
Click on review+assign" + ], + "prerequisitesDeployTemplateFile": "", + "entities": [ "Security Group", "SecurityGroup", "Malware" + ], + "tags": [ "Enrichment" + ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-SOC-Get-Insight-Details", + "type": "string" + }, + "Infoblox API Key": { + "type": "string", + "metadata": { + "description": "Enter value for Infoblox API Key" + } + }, + "Workspace ID": { + "type": "string", + "metadata": { + "description": "Enter value for Workspace ID,use same Workspace ID for Authorization" + } + }, + "Workspace Key": { + "type": "string", + "metadata": { + "description": "Enter value for Workspace Key,use same Workspace Key for Authorization" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": { + }, + "type": "Object" + }, + "Infoblox API Key": { + "defaultValue": "[trim(parameters('Infoblox API Key'))]", + "type": "string" + }, + "Workspace ID": { + "defaultValue": "[trim(parameters('Workspace ID'))]", + "type": "string" + }, + "Workspace Key": { + "defaultValue": "[trim(parameters('Workspace Key'))]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { 
+ "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Filter_array_for_Malware_Entity": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()['kind'], 'Malware')" + } + }, + "Filter_array_for_Object_GUID_Entity": { + "runAfter": { + "Parse_Entities_JSON": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()?['kind'], 'SecurityGroup')" + } + }, + "For_each": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity')", + "actions": { + "Test_Connection_to_Infoblox_CSP": { + "runAfter": { + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each')?['properties']?['objectGuid']}" + } + } + }, + "runAfter": { + "Filter_array_for_Object_GUID_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Insight_ID": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity')", + "actions": { + "Add_InfobloxInsightID_Tag": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "InfobloxInsightID: @{items('For_each_Insight_ID')?['properties']?['objectGuid']}" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + }, + "Add_Summary_data_if_observed_via_CDC": { + "actions": { + "Get_Summary_Data": { + "runAfter": { + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + 
"method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}" + } + }, + "Parse_Summary_JSON": { + "runAfter": { + "Get_Summary_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Summary_Data')", + "schema": { + "properties": { + "insight": { + "properties": { + "changer": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "description": { + "type": "string" + }, + "eventsBlockedCount": { + "type": "string" + }, + "eventsNotBlockedCount": { + "type": "string" + }, + "feedSource": { + "type": "string" + }, + "insightId": { + "type": "string" + }, + "mostRecentAt": { + "type": "string" + }, + "numEvents": { + "type": "string" + }, + "persistent": { + "type": "string" + }, + "persistentDate": { + "type": "string" + }, + "priorityText": { + "type": "string" + }, + "spreading": { + "type": "string" + }, + "spreadingDate": { + "type": "string" + }, + "startedAt": { + "type": "string" + }, + "status": { + "type": "string" + }, + "tClass": { + "type": "string" + }, + "tFamily": { + "type": "string" + }, + "threatType": { + "type": "string" + }, + "userComment": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + } + }, + "Send_Summary_(Insight)_Data": { + "runAfter": { + "Parse_Summary_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(body('Parse_Summary_JSON')?['insight'], 'InfobloxInsightLogType', 'Insight')}", + "headers": { + "Log-Type": "InfobloxInsight" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "contains": [ + "@body('Add_InfobloxInsightID_Tag')?['properties']?['description']", + "Observed via CDC" + ] + } + ] 
+ }, + "type": "If" + }, + "For_each_Asset": { + "foreach": "@body('Parse_Assets_JSON')?['assets']", + "actions": { + "Send_Asset_Data": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Asset'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Asset')}", + "headers": { + "Log-Type": "InfobloxInsightAssets" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Assets_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Comment": { + "foreach": "@body('Parse_Comment_JSON')?['comments']", + "actions": { + "Send_Comment_Data": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Comment'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Comment')}", + "headers": { + "Log-Type": "InfobloxInsightComments" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Comment_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Event": { + "foreach": "@body('Parse_Event_JSON')?['events']", + "actions": { + "Send_Event_Data": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Event'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Event')}", + "headers": { + "Log-Type": "InfobloxInsightEvents" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": 
"/api/logs" + } + } + }, + "runAfter": { + "Parse_Event_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Indicator": { + "foreach": "@body('Parse_Indicator_JSON')?['indicators']", + "actions": { + "Send_Indicator_Data": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": "@{addProperty(addProperty(items('For_Each_Indicator'), 'InfobloxInsightID', items('For_each_Insight_ID')?['properties']?['objectGuid']), 'InfobloxInsightLogType', 'Indicator')\r\n}", + "headers": { + "Log-Type": "InfobloxInsightIndicators" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_Indicator_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Asset_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/assets" + } + }, + "Get_Comment_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/comments" + } + }, + "Get_Event_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/events" + } + }, + "Get_Indicator_Data": { + "runAfter": { + "Add_InfobloxInsightID_Tag": [ + "Succeeded" + 
] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights/@{items('For_each_Insight_ID')?['properties']?['objectGuid']}/indicators" + } + }, + "Parse_Assets_JSON": { + "runAfter": { + "Get_Asset_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Asset_Data')", + "schema": { + "properties": { + "assets": { + "items": { + "properties": { + "cid": { + "type": "string" + }, + "cmac": { + "type": "string" + }, + "count": { + "type": "integer" + }, + "location": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "qip": { + "type": "string" + }, + "threat_indicator_distinct_count": { + "type": "string" + }, + "threat_level_max": { + "type": "string" + }, + "time_max": { + "type": "string" + }, + "time_min": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Comment_JSON": { + "runAfter": { + "Get_Comment_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Comment_Data')", + "schema": { + "properties": { + "comments": { + "items": { + "properties": { + "commentsChanger": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "newComment": { + "type": "string" + }, + "status": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Event_JSON": { + "runAfter": { + "Get_Event_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Event_Data')", + "schema": { + "properties": { + "events": { + "items": { + "properties": { + "action": { + "type": "string" + }, + "class": { + "type": "string" + }, + "confidence_level": { + "type": "string" + }, + "detected": { + "type": "string" + 
}, + "deviceIp": { + "type": "string" + }, + "device_country": { + "type": "string" + }, + "device_name": { + "type": "string" + }, + "device_region": { + "type": "string" + }, + "dhcp_fingerprint": { + "type": "string" + }, + "dns_view": { + "type": "string" + }, + "feed": { + "type": "string" + }, + "mac_address": { + "type": "string" + }, + "os_version": { + "type": "string" + }, + "policy": { + "type": "string" + }, + "property": { + "type": "string" + }, + "query": { + "type": "string" + }, + "query_type": { + "type": "string" + }, + "response": { + "type": "string" + }, + "response_country": { + "type": "string" + }, + "response_region": { + "type": "string" + }, + "source": { + "type": "string" + }, + "threat_family": { + "type": "string" + }, + "threat_indicator": { + "type": "string" + }, + "threat_level": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_Indicator_JSON": { + "runAfter": { + "Get_Indicator_Data": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Indicator_Data')", + "schema": { + "properties": { + "indicators": { + "items": { + "properties": { + "action": { + "type": "string" + }, + "actor": { + "type": "string" + }, + "confidence": { + "type": "string" + }, + "count": { + "type": "integer" + }, + "feed_name": { + "type": "string" + }, + "indicator": { + "type": "string" + }, + "threat_level_max": { + "type": "string" + }, + "time_max": { + "type": "string" + }, + "time_min": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "For_each_Malware_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Malware_Entity": { + "foreach": "@body('Filter_array_for_Malware_Entity')", + "actions": { + "Update_Incident_Tags": { + "runAfter": { + }, + "type": 
"ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "@items('For_each_Malware_Entity')?['kind']" + }, + { + "Tag": "@items('For_each_Malware_Entity')?['properties']?['malwareName']" + }, + { + "Tag": "@items('For_each_Malware_Entity')?['properties']?['category']" + }, + { + "Tag": "Insight" + } + ] + } + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents" + } + } + }, + "runAfter": { + "Filter_array_for_Malware_Entity": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Entities_JSON": { + "runAfter": { + }, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "friendlyName": { + "type": "string" + }, + "objectGuid": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + } + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Get-Insight-Details", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": { + }, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + } + ] +} 
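Review bot: `Infoblox API Key` and `Workspace Key` are declared as `"type": "string"` both at the ARM-parameter level and again as workflow parameters with `"defaultValue": "[trim(parameters('Infoblox API Key'))]"`, so the API key is persisted in clear text in the deployment history and in the saved workflow definition, and each of the six HTTP actions that send `"Authorization": "Token @{parameters('Infoblox API Key')}"` (`Test_Connection_to_Infoblox_CSP`, `Get_Summary_Data`, `Get_Asset_Data`, `Get_Comment_Data`, `Get_Event_Data`, `Get_Indicator_Data`) will also record that header in run-history inputs. Declare both parameters as `"type": "securestring"` (ARM and workflow) and add `"runtimeConfiguration": {"secureData": {"properties": ["inputs"]}}` to those HTTP actions so the token is redacted from run history. Separately, `Workspace ID` and `Workspace Key` are collected but never referenced anywhere in the template: the `Azureloganalyticsdatacollector` connection resource is created with `"customParameterValues": {}` and no parameter values, so the post-deployment step of pasting them into the connection is what actually wires them up; either pass them into that connection resource or drop the two unused parameters so the workspace key is not stored in deployment history for nothing.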
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/Images/InfobloxSOCGetOpenInsightsAPI.png b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/Images/InfobloxSOCGetOpenInsightsAPI.png new file mode 100644 index 00000000000..43bfce11455 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/Images/InfobloxSOCGetOpenInsightsAPI.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/README.md b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/README.md new file mode 100644 index 00000000000..6f95559db72 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/README.md 
@@ -0,0 +1,46 @@
+# Infoblox-SOC-Get-Open-Insights-API
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+This playbook uses the Infoblox SOC Insights REST API to ingest all Open/Active SOC Insights at time of run into the custom ```InfobloxInsight``` table.
+
+This playbook is an alternative to using the **Infoblox SOC Insight Data Connectors via the Microsoft forwarding agent**, which require the **Infoblox Cloud Data Connector (CDC)**. Instead, this playbook **ingests the same type of data via REST API**. This way, you do not need to set up and deploy and Infoblox CDC in your environment.
+
+You can use both methods in the same workspace, but **beware of duplicate data**.
+
+Simply input your **Infoblox API Key** into the playbook parameters and it will ingest every open SOC Insight at runtime.
+
+The Analytic Query **Infoblox - SOC Insight Detected - API Source** will read this data for insights and create an Incident when one is found. It is OK to run the playbook multiple times, as the Analytic Queries will group SOC Insight Incidents into one that have the same Infoblox Insight ID in the underlying data tables.
+
+This playbook is scheduled to run on a daily basis. You can increase or decrease recurrence.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Workspace ID: Enter value for Workspace ID,use same Workspace ID for Authorization
+ * Workspace Key: Enter value for Workspace Key,use same Workspace Key for Authorization
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Get%20Open%20Insights%20API%2Fazuredeploy.json)[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Get%20Open%20Insights%20API%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select connection resource
+2. Go to General -> edit API connection
+3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created
+4. Click Save
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/azuredeploy.json
new file mode 100644
index 00000000000..c1cd57fb9c5
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Get Open Insights API/azuredeploy.json
@@ -0,0 +1,261 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox-SOC-Get-Open-Insights-API",
+ "description": "Leverages the Infoblox SOC Insights API to ingest all Open/Active SOC Insights at time of run into the custom InfobloxInsight table. This playbook is scheduled to run on a daily basis.",
+ "prerequisites": [
+ "1. User must have a valid Infoblox API Key"
+ ],
+ "postDeployment": [
+ "**a. Authorize connections**",
+ "Once deployment is complete, authorize connection.",
+ "1. Go to your logic app -> API connections -> Select connection resource",
+ "2. Go to General -> edit API connection",
+ "3. Provide Workspace Id and Workspace Key of Log Analytics Workspace where Table will be created",
+ "4. Click Save"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "lastUpdateTime": "2024-07-19T16:15:48.355Z",
+ "entities": [
+ ],
+ "tags": [
+ ],
+ "support": {
+ "tier": "Community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-SOC-Get-Open-Insights-API",
+ "type": "string"
+ },
+ "Infoblox API Key": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Infoblox API Key"
+ }
+ }
+ },
+ "variables": {
+ "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {
+ },
+ "type": "Object"
+ },
+ "Infoblox API Key": {
+ "defaultValue": 
"[trim(parameters('Infoblox API Key'))]", + "type": "string" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each_Insight": { + "foreach": "@body('Parse_JSON')?['insightList']", + "actions": { + "Send_Data": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": "@{union(variables('Extra Cols'), items('For_Each_Insight'))}", + "headers": { + "Log-Type": "InfobloxInsight" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector_1']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_All_Insights": { + "runAfter": { + "Initialize_Extra_Cols": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('Infoblox API Key')}" + }, + "method": "GET", + "uri": "https://csp.infoblox.com/api/v1/insights" + } + }, + "Initialize_Extra_Cols": { + "runAfter": { + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Extra Cols", + "type": "object", + "value": { + "InfobloxInsightLogType": "Insight" + } + } + ] + } + }, + "Parse_JSON": { + "runAfter": { + "Get_All_Insights": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_All_Insights')", + "schema": { + "properties": { + "insightList": { + "items": { + "properties": { + "changer": { + "type": "string" + }, + "dateChanged": { + "type": "string" + }, + "eventsBlockedCount": { + "type": "string" + }, + "eventsNotBlockedCount": { + "type": "string" + }, + "feedSource": { + "type": "string" + }, + "insightId": { + "type": "string" + }, + "mostRecentAt": { + "type": "string" + }, + "numEvents": { + "type": "string" + }, + "persistentDate": { + "type": "string" 
+ }, + "priorityText": { + "type": "string" + }, + "startedAt": { + "type": "string" + }, + "status": { + "type": "string" + }, + "tClass": { + "type": "string" + }, + "tFamily": { + "type": "string" + }, + "threatType": { + "type": "string" + }, + "userComment": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "outputs": { + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Get-Open-Insights-API", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + } + ] +} 
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/Images/InfobloxSOCImportIndicatorsTI.png b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/Images/InfobloxSOCImportIndicatorsTI.png
new file mode 100644
index 00000000000..194c84b1486
Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/Images/InfobloxSOCImportIndicatorsTI.png differ
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/README.md b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/README.md
new file mode 100644
index 00000000000..9da1dc259e7
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/README.md
@@ -0,0 +1,53 @@
+# Infoblox-SOC-Import-Indicators-TI
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+This playbook imports each Indicator of an SOC Insight Incident into the ```ThreatIntelligenceIndicator``` table you can use as **threat intelligence**.
+
+*You must run the **Infoblox-SOC-Get-Insight-Details** playbook on the SOC Insight Incident before running this playbook.*
+
+This playbook can be configured to run automatically when a SOC Insight Incident occurs or run on demand.
+
+### Prerequisites
+
+1. Entra ID Application Secret
+2. Client ID
+3. Tenant ID
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Workspace ID: Enter value for Workspace ID,use same Workspace ID for Authorization
+ * Workspace Key: Enter value for Workspace Key,use same Workspace Key for Authorization
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Import%20Indicators%20TI%2Fazuredeploy.json)[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20SOC%20Import%20Indicators%20TI%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
+2. 
Go to General -> edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for other connections
+
+#### b. Assign Role to Update in incident
+
+Assign role to this playbook
+
+1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment
+3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
+4. Members: select managed identity for assigned access to and add your logic app as member
+5. Click on review+assign
diff --git a/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/azuredeploy.json
new file mode 100644
index 00000000000..da86ecd99a6
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox SOC Import Indicators TI/azuredeploy.json
@@ -0,0 +1,589 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox-SOC-Import-Indicators-TI",
+ "description": "Imports each Indicator of a Microsoft Sentinel Incident triggered by an Infoblox SOC Insight into the ThreatIntelligenceIndicator table. You must run the Infoblox-SOC-Get-Insight-Details playbook on a SOC Insight Incident before running this playbook.",
+ "prerequisites": [
+ "1. Entra ID Application Secret",
+ "2. Client ID",
+ "3. Tenant ID"
+ ],
+ "postDeployment": [
+ "**a. Authorize connections**",
+ "Once deployment is complete, authorize each connection.",
+ "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource",
+ "2. Go to General -> edit API connection",
+ "3. Click Authorize",
+ "4. Sign in",
+ "5. Click Save",
+ "6. Repeat steps for other connections",
+ "**b. Assign role to this playbook**",
+ "1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment",
+ "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role",
+ "4. Members: select managed identity for assigned access to and add your logic app as member",
+ "5. 
Click on review+assign"
+ ],
+ "prerequisitesDeployTemplateFile": "",
+ "entities": [ "Security Group", "SecurityGroup"
+ ],
+ "tags": [
+ ],
+ "lastUpdateTime": "2024-07-19T16:15:48.355Z",
+ "support": {
+ "tier": "Community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-SOC-Import-Indicators-TI",
+ "type": "string"
+ },
+ "Entra ID Application Secret": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Entra ID Application Secret"
+ }
+ },
+ "Client ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Application (Client) ID"
+ }
+ },
+ "Tenant ID": {
+ "type": "string",
+ "metadata": {
+ "description": "Enter value for Directory (Tenant) ID"
+ }
+ }
+ },
+ "variables": {
+ "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]",
+ "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {
+ },
+ "type": "Object"
+ },
+ "Entra ID Application Secret": {
+ "defaultValue": "[trim(parameters('Entra ID Application Secret'))]",
+ "type": "string"
+ },
+ "Client ID": {
+ "defaultValue": "[trim(parameters('Client ID'))]",
+ "type": "string"
+ },
+ "Tenant ID": {
+ "defaultValue": "[trim(parameters('Tenant ID'))]",
+ "type": "string"
+ }
+ },
+ "triggers": {
+ "Microsoft_Sentinel_incident": {
+ "type": "ApiConnectionWebhook",
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": 
"@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Filter_array_for_Object_GUID_Entity_(InsightID)": { + "runAfter": { + "Parse_Entities_JSON": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_Entities_JSON')", + "where": "@equals(item()?['kind'], 'SecurityGroup')" + } + }, + "For_each_InsightID": { + "foreach": "@body('Filter_array_for_Object_GUID_Entity_(InsightID)')", + "actions": { + "For_each": { + "foreach": "@body('Parse_IPs')?['value']", + "actions": { + "Send_IPs_to_Sentinel": { + "runAfter": { + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "@parameters('Client ID')", + "secret": "@parameters('Entra ID Application Secret')", + "tenant": "@parameters('Tenant ID')", + "type": "ActiveDirectoryOAuth" + }, + "body": { + "action": "alert", + "additionalInformation": "Added via Infoblox SOC Insights", + "description": "Infoblox - IP - @{items('For_each')?['InfobloxB1FeedName']}", + "expirationDateTime": "@addDays(utcNow(), 14)", + "externalId": "@{items('For_each')?['InfobloxInsightID']}", + "indicatorProvider": "Infoblox SOC Insights", + "lastReportedDateTime": "@items('For_each')?['LastSeen']", + "networkIPv4": "@{items('For_each')?['ThreatIndicator']}", + "tags": [ + "Feed: @{items('For_each')?['InfobloxB1FeedName']}", + "FirstSeen: @{items('For_each')?['FirstSeen']}", + "LastSeen: @{items('For_each')?['LastSeen']}", + "Threat Confidence: @{items('For_each')?['ThreatConfidence']}", + "Action: @{items('For_each')?['InfobloxB1PolicyAction']}", + "Actor: @{items('For_each')?['ThreatActor']}", + "Event Count: @{items('For_each')?['EventCount']}", + "Threat Level: @{items('For_each')?['ThreatLevel']}", + "IP" + ], + "targetProduct": "Azure Sentinel", + "threatType": "WatchList", + "tlpLevel": "white" + }, + "method": "POST", + "uri": 
"https://graph.microsoft.com/beta/security/tiIndicators" + } + } + }, + "runAfter": { + "Parse_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_Domain": { + "foreach": "@body('Parse_Domains')?['value']", + "actions": { + "Send_Domains_to_Sentinel": { + "runAfter": { + }, + "type": "Http", + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "@parameters('Client ID')", + "secret": "@parameters('Entra ID Application Secret')", + "tenant": "@parameters('Tenant ID')", + "type": "ActiveDirectoryOAuth" + }, + "body": { + "action": "alert", + "additionalInformation": "Added via Infoblox SOC Insights", + "description": "Infoblox - HOST - @{items('For_each_Domain')?['InfobloxB1FeedName']}", + "domainName": "@{items('For_each_Domain')?['ThreatIndicator']}", + "expirationDateTime": "@addDays(utcNow(), 14)", + "externalId": "@{items('For_each_Domain')?['InfobloxInsightID']}", + "indicatorProvider": "Infoblox SOC Insights", + "lastReportedDateTime": "@items('For_each_Domain')?['LastSeen']", + "tags": [ + "Feed: @{items('For_each_Domain')?['InfobloxB1FeedName']}", + "FirstSeen: @{items('For_each_Domain')?['FirstSeen']}", + "LastSeen: @{items('For_each_Domain')?['LastSeen']}", + "Threat Confidence: @{items('For_each_Domain')?['ThreatConfidence']}", + "Action: @{items('For_each_Domain')?['InfobloxB1PolicyAction']}", + "Actor: @{items('For_each_Domain')?['ThreatActor']}", + "Event Count: @{items('For_each_Domain')?['EventCount']}", + "Threat Level: @{items('For_each_Domain')?['ThreatLevel']}", + "HOST" + ], + "targetProduct": "Azure Sentinel", + "threatType": "WatchList", + "tlpLevel": "white" + }, + "method": "POST", + "uri": "https://graph.microsoft.com/beta/security/tiIndicators" + } + } + }, + "runAfter": { + "Parse_Domains": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Domains": { + "runAfter": { + }, + "type": "ApiConnection", + "inputs": { + "body": { + "query": "InfobloxInsightIndicators\n| where 
InfobloxInsightID == \"@{items('For_each_InsightID')?['properties']?['objectGuid']}\"\n| where isIP == false\n| summarize arg_max(TimeGenerated, *) by ThreatIndicator",
+ "timerange": {
+ "relativeTimeRange": "Last 7 days"
+ },
+ "timerangetype": "2"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/queryDataV2",
+ "queries": {
+ "resourcegroups": "TME-RG",
+ "resourcename": "TME-Workspace",
+ "resourcetype": "Log Analytics Workspace",
+ "subscriptions": "be1e61b7-8dbe-4986-a9c2-d85f65524d6e"
+ }
+ }
+ },
+ "Get_IPs": {
+ "runAfter": {
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "body": {
+ "query": "InfobloxInsightIndicators\n| where InfobloxInsightID == \"@{items('For_each_InsightID')?['properties']?['objectGuid']}\"\n| where isIP == true\n| summarize arg_max(TimeGenerated, *) by ThreatIndicator",
+ "timerange": {
+ "relativeTimeRange": "Last 7 days"
+ },
+ "timerangetype": "2"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/queryDataV2",
+ "queries": {
+ "resourcegroups": "TME-RG",
+ "resourcename": "TME-Workspace",
+ "resourcetype": "Log Analytics Workspace",
+ "subscriptions": "be1e61b7-8dbe-4986-a9c2-d85f65524d6e"
+ }
+ }
+ },
+ "Parse_Domains": {
+ "runAfter": {
+ "Get_Domains": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_Domains')",
+ "schema": {
+ "properties": {
+ "value": {
+ "items": {
+ "properties": {
+ "Computer": {
+ "type": "string"
+ },
+ "DestinationDnsDomain": {
+ "type": "string"
+ },
+ "EventCount": {
+ "type": "integer"
+ },
+ "FirstSeen": {
+ "type": "string"
+ },
+ "InfobloxB1FeedName": {
+ "type": "string"
+ },
+ "InfobloxB1PolicyAction": {
+ "type": "string"
+ },
+ "InfobloxInsightID": {
+ "type": "string"
+ },
+ "InfobloxInsightLogType": {
+ "type": "string"
+ },
+ "LastSeen": {
+ "type": 
"string" + }, + "MG": { + "type": "string" + }, + "ManagementGroupName": { + "type": "string" + }, + "RawData": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + }, + "SourceSystem": { + "type": "string" + }, + "TenantId": { + "type": "string" + }, + "ThreatActor": { + "type": "string" + }, + "ThreatConfidence": { + "type": "string" + }, + "ThreatIndicator": { + "type": "string" + }, + "ThreatLevel": { + "type": "string" + }, + "TimeGenerated": { + "type": "string" + }, + "Type": { + "type": "string" + }, + "isIP": { + "type": "boolean" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Parse_IPs": { + "runAfter": { + "Get_IPs": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_IPs')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "Computer": { + "type": "string" + }, + "DestinationDnsDomain": { + "type": "string" + }, + "EventCount": { + "type": "integer" + }, + "FirstSeen": { + "type": "string" + }, + "InfobloxB1FeedName": { + "type": "string" + }, + "InfobloxB1PolicyAction": { + "type": "string" + }, + "InfobloxInsightID": { + "type": "string" + }, + "InfobloxInsightLogType": { + "type": "string" + }, + "LastSeen": { + "type": "string" + }, + "MG": { + "type": "string" + }, + "ManagementGroupName": { + "type": "string" + }, + "RawData": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + }, + "SourceSystem": { + "type": "string" + }, + "TenantId": { + "type": "string" + }, + "ThreatActor": { + "type": "string" + }, + "ThreatConfidence": { + "type": "string" + }, + "ThreatIndicator": { + "type": "string" + }, + "ThreatLevel": { + "type": "string" + }, + "TimeGenerated": { + "type": "string" + }, + "Type": { + "type": "string" + }, + "isIP": { + "type": "boolean" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { 
+ "Filter_array_for_Object_GUID_Entity_(InsightID)": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Parse_Entities_JSON": { + "runAfter": { + }, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "friendlyName": { + "type": "string" + }, + "objectGuid": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + ], + "type": "object" + }, + "type": "array" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[variables('AzuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-SOC-Import-Indicators-TI", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', 
variables('AzuremonitorlogsConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzuremonitorlogsConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzuremonitorlogsConnectionName')]",
+ "customParameterValues": {
+ },
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {
+ },
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/Images/InfobloxTIDELookupIncidentBased.png b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/Images/InfobloxTIDELookupIncidentBased.png
new file mode 100644
index 00000000000..b2ae4bea2c1
Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/Images/InfobloxTIDELookupIncidentBased.png differ
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/README.md b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/README.md
new file mode 100644
index 00000000000..5ad2a57d349
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/README.md
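Review bot: `Get_Domains` and `Get_IPs` run their KQL against a hard-coded workspace — `"resourcegroups": "TME-RG"`, `"resourcename": "TME-Workspace"` and `"subscriptions": "be1e61b7-8dbe-4986-a9c2-d85f65524d6e"` — which look like the author's own environment, so for any other deployer the Azure Monitor Logs action fails, or, should the authorized connection happen to have access, reads indicators from a workspace that is not theirs; it also publishes that subscription ID in a public template. Resolve the target at deployment time instead: `"resourcegroups": "[resourceGroup().name]"`, `"subscriptions": "[subscription().subscriptionId]"`, and `"resourcename": "[parameters('Workspace Name')]"` backed by a new `Workspace Name` template parameter (described as the Log Analytics workspace holding the InfobloxInsightIndicators table), applied to both actions. The indicators are posted to `https://graph.microsoft.com/beta/security/tiIndicators`, a beta Graph endpoint that Microsoft has announced is being retired in favour of the Sentinel upload-indicators API, so that dependency is worth confirming before this ships. The plain-`string` `Entra ID Application Secret` parameter is raised on the Infoblox SOC Get Open Insights API azuredeploy.json hunk above, where the same pattern appears.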
@@ -0,0 +1,26 @@
+# Infoblox TIDE Lookup Via Incident
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook takes entity type and value from incident available in Workbook and ingests TIDE Lookup data for that entity into Log table.
+
+### Prerequisites
+
+1. Make sure that Infoblox-TIDE-Lookup playbook is deployed before deploying Infoblox-TIDE-Lookup-Via-Incident playbook.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%20Incident%20Based%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%20Incident%20Based%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping.
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/azuredeploy.json
new file mode 100644
index 00000000000..b421d328358
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Based/azuredeploy.json
@@ -0,0 +1,639 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-TIDE-Lookup-Via-Incident", + "description": "The playbook takes entity type and value from incident available in Workbook and ingests TIDE Lookup data for that entity into Log table.", + "prerequisites": [ + "1. Make sure that Infoblox-TIDE-Lookup playbook is deployed before deploying Infoblox-TIDE-Lookup-Via-Incident playbook." + ], + "postDeployment": [ + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping." + ], + "entities": ["Host", "IP", "Hash", "URL"], + "tags": ["Infoblox", "TIDE", "Lookup", "Incident"], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TIDE-Lookup-Via-Incident", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please keep the 'Playbook Name' parameter unchanged. 
Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Lookup Workbook' in edit mode" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Check_TIDE_Lookup_Failure_For_All_Entities": { + "actions": { + "Terminate_If_Failure_For_All_Entities": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "@{variables('error_message')}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "For_Each_Hash": ["Succeeded", "TimedOut", "Failed"] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('failure_count')", + "@length(triggerBody()?['object']?['properties']?['relatedEntities'])" + ] + } + ] + }, + "type": "If" + }, + "For_Each_Hash": { + "foreach": "@body('Get_FileHashes_From_Entities')?['Filehashes']", + "actions": { + "Condition_To_Verify_TIDE_Playbook_Called_Successfully_For_Hash": { + "actions": {}, + "runAfter": { + "Infoblox_TIDE_Lookup_For_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Hash": { + "runAfter": { + "Increment_Failure_Count_For_Hash": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": 
"@body('Infoblox_TIDE_Lookup_For_Hash')?['message']" + } + }, + "Increment_Failure_Count_For_Hash": { + "runAfter": {}, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_Hash')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_Hash": { + "runAfter": { + "Set_Target_Type_As_Hash": ["Succeeded"] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Hash": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_Hash')?['Value']" + } + }, + "Set_Target_Type_As_Hash": { + "runAfter": { + "Set_Target_Hash": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "hash" + } + } + }, + "runAfter": { + "Get_FileHashes_From_Entities": ["Succeeded"] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_Host": { + "foreach": "@body('Get_Hosts_From_Entities')?['Hosts']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_Host": { + "actions": {}, + "runAfter": { + "Infoblox_TIDE_Lookup_For_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Host": { + "runAfter": { + "Increment_Failure_Count_For_Host": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_Host')?['message']" + } + }, + "Increment_Failure_Count_For_Host": { + "runAfter": {}, + "type": 
"IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_Host')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_Host": { + "runAfter": { + "Set_Target_Type_As_Host": ["Succeeded"] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Host": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_Host')?['NetBiosName']" + } + }, + "Set_Target_Type_As_Host": { + "runAfter": { + "Set_Target_Host": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "host" + } + } + }, + "runAfter": { + "Get_Hosts_From_Entities": ["Succeeded"] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_IP": { + "foreach": "@body('Get_IPs_From_Entities')?['IPs']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_IP": { + "actions": {}, + "runAfter": { + "Infoblox_TIDE_Lookup_For_IP": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_IP": { + "runAfter": { + "Increment_Failure_Count_For_IP": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_IP')?['message']" + } + }, + "Increment_Failure_Count_For_IP": { + "runAfter": {}, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + 
"@body('Infoblox_TIDE_Lookup_For_IP')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_IP": { + "runAfter": { + "Set_Target_Type_As_IP": ["Succeeded"] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_IP": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_IP')?['Address']" + } + }, + "Set_Target_Type_As_IP": { + "runAfter": { + "Set_Target_IP": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "ip" + } + } + }, + "runAfter": { + "Get_IPs_From_Entities": ["Succeeded"] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_URL": { + "foreach": "@body('Get_URLs_From_Entities')?['URLs']", + "actions": { + "Condition_To_Verify_TIDE_Lookup_Playbook_Called_Successfully_For_urls": { + "actions": {}, + "runAfter": { + "Infoblox_TIDE_Lookup_For_URL": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_URL": { + "runAfter": { + "Increment_Failure_Count_For_URL": ["Succeeded"] + }, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "@body('Infoblox_TIDE_Lookup_For_URL')?['message']" + } + }, + "Increment_Failure_Count_For_URL": { + "runAfter": {}, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Infoblox_TIDE_Lookup_For_URL')?['status']", + "success" + ] + } + ] + }, + "type": "If" + }, + "Infoblox_TIDE_Lookup_For_URL": { + "runAfter": { + 
"Set_Target_Type_As_URL": ["Succeeded"] + }, + "type": "Workflow", + "inputs": { + "body": { + "target": "@{variables('target')}", + "type": "@{variables('target_type')}" + }, + "host": { + "triggerName": "manual", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Logic/workflows/','Infoblox-TIDE-Lookup')]" + } + } + } + }, + "Set_Target_Type_As_URL": { + "runAfter": { + "Set_Target_URL": ["Succeeded"] + }, + "type": "SetVariable", + "inputs": { + "name": "target_type", + "value": "url" + } + }, + "Set_Target_URL": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "target", + "value": "@items('For_Each_URL')?['Url']" + } + } + }, + "runAfter": { + "Get_URLs_From_Entities": ["Succeeded"] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Get_FileHashes_From_Entities": { + "runAfter": { + "For_Each_Host": ["Succeeded", "TimedOut", "Failed"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Get_Hosts_From_Entities": { + "runAfter": { + "For_Each_IP": ["Succeeded", "Failed", "TimedOut"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Get_IPs_From_Entities": { + "runAfter": { + "For_Each_URL": ["Succeeded", "Failed", "TimedOut"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "Get_URLs_From_Entities": { + "runAfter": { + "Initialize_Error_Message": ["Succeeded"] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Failure_Count": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "array" + } + ] + } + }, + "Initialize_Failure_Count": { + "runAfter": { + "Initialize_Target": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "failure_count", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Target": { + "runAfter": { + "Initialize_Target_Type": ["Succeeded"] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "target", + "type": "string" + } + ] + } + }, + "Initialize_Target_Type": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "target_type", + "type": "string" + } + ] + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + 
"location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup-Via-Incident", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + } + ] + } + \ No newline at end of file diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/Images/InfobloxTIDELookupIncidentCommentBased.png b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/Images/InfobloxTIDELookupIncidentCommentBased.png new file mode 100644 index 00000000000..95180549b87 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/Images/InfobloxTIDELookupIncidentCommentBased.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/README.md b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/README.md new file mode 100644 index 00000000000..b2ad1c9873c --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/README.md 
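Review bot: The all-entities-failed guard in `Condition_To_Check_TIDE_Lookup_Failure_For_All_Entities` compares `failure_count` with `length(triggerBody()?['object']?['properties']?['relatedEntities'])`, but the counter is only incremented inside the four URL/IP/Host/Hash loops, so an incident that also carries entity types this playbook never looks up (accounts, mailboxes, …) will not trip the Terminate even when every lookup failed, while an incident with no entities at all (0 == 0) terminates as Failed with an empty `error_message`. Counting the lookups actually attempted is more accurate — e.g. an integer `lookup_count` variable incremented next to each `Set_Target_*` action and used in place of the `length(...)` operand — and the expression should additionally require `{ "greater": [ "@variables('failure_count')", 0 ] }` so an entity-less incident is not reported as a failure; if `relatedEntities` can be absent, `length()` of null will presumably fail the condition action itself, which is worth confirming. Separately, the `else` branches append `@body('Infoblox_TIDE_Lookup_For_*')?['message']`, which is null when the child workflow timed out or failed outright (both are allowed by the `runAfter`), so the run error can end up with no usable text; wrapping it as `@coalesce(body('Infoblox_TIDE_Lookup_For_Hash')?['message'], 'Infoblox-TIDE-Lookup returned no response body')` (and likewise for Host, IP and URL) keeps the message informative.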
@@ -0,0 +1,45 @@
+# Infoblox TIDE Lookup Comment Enrichment
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook enriches an incident by adding TIDE Lookup information as comment on an incident.
+
+### Prerequisites
+
+1. User must provide valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox API Key: Enter valid value for API Key
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%20Incident%20Comment%20Based%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%20Incident%20Comment%20Based%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Assign Role to add comment in incident
+
+Assign role to this playbook.
+
+1. Go to Log Analytics Workspace → → Access Control → Add
+2. Add role assignment
+3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
+4. Members: select managed identity for assigned access to and add your logic app as member
+5. Click on review+assign
+
+#### b. Configurations in Microsoft Sentinel
+
+1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
+2. To manually run the playbook on a particular incident follow the below steps:
+a. Go to Microsoft Sentinel -> -> Incidents
+b. Select an incident
+c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option
+d. Click on the Run button beside this playbook
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/azuredeploy.json
new file mode 100644
index 00000000000..92c1575a8c9
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup Incident Comment Based/azuredeploy.json
@@ -0,0 +1,1578 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "description": "The playbook enrich an incident by adding TIDE Lookup information as comment on an incident.", + "prerequisites": "User must provide valid Infoblox API Key.", + "postDeployment": [ + "**a. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add", + "2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**b. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": [ "Host", "IP", "Hash", "URL" ], + "tags": [ "Infoblox", "TIDE", "Lookup", "Comment", "Enrichment" ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TIDE-Lookup-Comment-Enrichment", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'PlaybookName' parameter empty, else you will receive validation failure" + } + }, + "Infoblox API Key": { + "type": "securestring", + "metadata": { + "description": "Enter Infoblox API Key" + } + }, + "Infoblox Base Url": { + "type": "string", + "defaultValue": "https://csp.infoblox.com", + "minLength": 1, + "metadata": { + "description": "Enter Base URL for your infoblox account. (e.g. https://csp.infoblox.com)" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "API Key": { + "type": "string", + "defaultValue": "[trim(parameters('Infoblox API Key'))]" + }, + "BaseUrl": { + "type": "String", + "defaultValue": "[trim(parameters('Infoblox Base Url'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + 
"actions": { + "Condition_To_Check_If_Entity_Mapping_Is_Not_Available": { + "actions": { + "Add_Comment_To_Incident_If_Entity_Mapping_Not_Found": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Entity Mapping found associated with incident.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "For_Each_Hash": [ "Succeeded", "TimedOut", "Failed" ] + }, + "expression": { + "and": [ + { + "equals": [ "@variables('entity_mapping')", "@false" ] + } + ] + }, + "type": "If" + }, + "Condition_To_Indicate_Failure_For_All_Entities": { + "actions": { + "Terminate_If_Failure_For_All_Entities": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "@{variables('error_message')}" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Condition_To_Check_If_Entity_Mapping_Is_Not_Available": [ "Succeeded" ] + }, + "expression": { + "and": [ + { + "equals": [ + "@variables('failure_count')", + "@length(triggerBody()?['object']?['properties']?['relatedEntities'])" + ] + } + ] + }, + "type": "If" + }, + "For_Each_Hash": { + "foreach": "@body('Get_FileHashes_From_Entities')?['Filehashes']", + "actions": { + "Condition_To_Check_Hash_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_Hash": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Hash": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For Hash - @{items('For_Each_Hash')?['Value']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_Hash": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Hash": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_Hash": [ "Succeeded" ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_Hash": { + "foreach": "@body('Parse_TIDE_Data_For_Hash')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_Hash": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments_For_Hash": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_Hash": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Add_Hash_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_Hash_TIDE_Data_": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_Hash')?['Value']} - @{items('For_Each_Threat_IOC_Of_Type_Hash')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_Hash')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Hash": { + "runAfter": { + "Add_Hash_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_Hash_TIDE_Data_": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

IPAM Lookup For IP:@{items('For_Each_IP_Lookup_Result')?['address']}
Address@{items('For_Each_IP_Lookup_Result')?['address']}
DHCP Client HostName@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['client_hostname']}
DHCP Client Mac Address@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['client_hwaddr']}
DHCP Fingerprint@{items('For_Each_IP_Lookup_Result')?['dhcp_info']?['fingerprint']}
Host@{items('For_Each_IP_Lookup_Result')?['host']}
Tags@{variables('human_readable_tags')}
Comment@{items('For_Each_IP_Lookup_Result')?['comment']}
\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_Hash')?['type']}
Hash@{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash']} @{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash_type']}
Class@{items('For_Each_Threat_IOC_Of_Type_Hash')?['class']}
Profile@{items('For_Each_Threat_IOC_Of_Type_Hash')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_Hash')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_Hash')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_Hash')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_Hash')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_Hash')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_Hash')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_Hash')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_Hash')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_Hash')?['hash']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_Hash')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_Hash": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "batch_id": {}, + "class": {}, + "confidence": {}, + "confidence_score": {}, + "confidence_score_rating": {}, + "confidence_score_vector": {}, + "detected": {}, + "expiration": {}, + "extended": { + "properties": { + "cyberint_guid": {}, + "notes": {} + }, + "type": "object" + }, + "hash": {}, + "hash_type": {}, + "id": {}, + "imported": {}, + "profile": {}, + "property": {}, + "received": {}, + "risk_score": {}, + "risk_score_rating": {}, + "risk_score_vector": {}, + "threat_level": {}, + "threat_score": {}, + "threat_score_rating": {}, + "threat_score_vector": {}, + "type": {}, + "up": {} + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Hash": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For Hash - @{items('For_Each_Hash')?['Value']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')['statusCode']}" + } + }, + "Increment_Failure_Count_For_Hash": { + "runAfter": { + "Add_Error_Message_For_Hash": [ "Succeeded" ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + 
"expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Hash": { + "runAfter": { + "Set_Entity_Mapping_True_For_Hash": [ "Succeeded" ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_hash')", + "hash": "@items('For_Each_Hash')?['Value']", + "type": "hash" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_Hash": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_FileHashes_From_Entities": [ "Succeeded" ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_Host": { + "foreach": "@body('Get_Hosts_From_Entities')?['Hosts']", + "actions": { + "Condition_To_Check_Host_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_Host": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Host": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For Host - @{items('For_Each_Host')?['NetBiosName']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_Host": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_Host": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_Host": [ "Succeeded" ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_Host": { + "foreach": "@body('Parse_TIDE_Data_For_Host')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_Host": { + "actions": { + "Condition_To_Verify_Incident_Has_99_Comments_For_Host": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_Host": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Add_Host_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_Host_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_Host')?['NetBiosName']} - @{items('For_Each_Threat_IOC_Of_Type_Host')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_Host')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Host": { + "runAfter": { + "Add_Host_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_Host_TIDE_Data": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_Host')?['type']}
Host@{items('For_Each_Threat_IOC_Of_Type_Host')?['host']}
Domain@{items('For_Each_Threat_IOC_Of_Type_Host')?['domain']}
URL@{items('For_Each_Threat_IOC_Of_Type_Host')?['url']}
IP@{items('For_Each_Threat_IOC_Of_Type_Host')?['ip']}
Profile@{items('For_Each_Threat_IOC_Of_Type_Host')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_Host')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_Host')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_Host')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_Host')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_Host')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_Host')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_Host')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_Host')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_Host')?['host']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_Host')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_Host": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "class": {}, + "confidence": {}, + "confidence_score": {}, + "confidence_score_rating": {}, + "detected": {}, + "dga": {}, + "domain": {}, + "expiration": {}, + "extended": { + "properties": { + "cyberint_guid": {}, + "notes": { + "type": "string" + }, + "references": {} + }, + "type": "object" + }, + "host": {}, + "id": {}, + "imported": {}, + "profile": {}, + "property": {}, + "received": {}, + "risk_score": {}, + "risk_score_rating": {}, + "threat_level": {}, + "threat_score": {}, + "threat_score_rating": {}, + "type": { + "type": "string" + }, + "up": {} + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Host": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_Host": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For Host - @{items('For_Each_Host')?['NetBiosName']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')['statusCode']}" + } + }, + "Increment_Failure_Count_For_Host": { + "runAfter": { + "Add_Error_Message_For_Host": [ "Succeeded" ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { 
+ "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_Host')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_Host": { + "runAfter": { + "Set_Entity_Mapping_True_For_Host": [ "Succeeded" ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_host')", + "host": "@items('For_Each_Host')?['NetBiosName']", + "type": "host" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_Host": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_Hosts_From_Entities": [ "Succeeded" ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_IP": { + "foreach": "@body('Get_IPs_From_Entities')?['IPs']", + "actions": { + "Condition_To_Check_IP_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_IP": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_IP": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For IP - @{items('For_Each_IP')?['Address']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_IP": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_IP": [ "Succeeded" ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_IP": { + "foreach": "@body('Parse_TIDE_Data_For_IP')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_IP": { + "actions": { + "Condition_To_verify_Incident_Has_99_Comments_For_IP": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_IP": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Add_IP_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_IP_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_IP')?['Address']} - @{items('For_Each_Threat_IOC_Of_Type_IP')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_IP')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_IP": { + "runAfter": { + "Add_IP_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_IP_TIDE_Data": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_IP')?['type']}
IP@{items('For_Each_Threat_IOC_Of_Type_IP')?['ip']}
Profile@{items('For_Each_Threat_IOC_Of_Type_IP')?['profile']}
Class@{items('For_Each_Threat_IOC_Of_Type_IP')?['class']}
Property@{items('For_Each_Threat_IOC_Of_Type_IP')?['profile']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_IP')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_IP')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_IP')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_IP')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_IP')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_IP')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_IP')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_IP')?['ip']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_IP')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_IP": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "batch_id": {}, + "class": {}, + "confidence": {}, + "detected": {}, + "expiration": {}, + "extended": { + "properties": { + "cyberint_guid": {}, + "notes": {} + }, + "type": "object" + }, + "id": {}, + "imported": {}, + "ip": {}, + "profile": {}, + "property": {}, + "received": {}, + "threat_level": {}, + "type": {}, + "up": {} + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_IP": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_IP": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For IP - @{items('For_Each_IP')?['Address']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')['statusCode']}" + } + }, + "Increment_Failure_Count_For_IP": { + "runAfter": { + "Add_Error_Message_For_IP": [ "Succeeded" ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_IP')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_IP": { + "runAfter": { + "Set_Entity_Mapping_True_For_IP": [ "Succeeded" ] + }, + 
"type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_ip')", + "ip": "@items('For_Each_IP')?['Address']", + "type": "ip" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_IP": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_IPs_From_Entities": [ "Succeeded" ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_Each_URL": { + "foreach": "@body('Get_URLs_From_Entities')?['URLs']", + "actions": { + "Condition_To_Check_URL_TIDE_Data_Fetched_Successfully": { + "actions": { + "Condition_To_Check_If_TIDE_Data_Not_Available_For_urls": { + "actions": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_URL": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No TIDE Lookup Results Found For URL - @{items('For_Each_URL')?['Url']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_Empty_Response_For_URL": { + "runAfter": { + "Add_Comment_To_Incident_If_No_TIDE_Data_Found_For_URL": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + } + }, + "runAfter": { + "Parse_TIDE_Data_For_URL": [ "Succeeded" ] + }, + "else": { + "actions": { + "For_Each_Threat_IOC_Of_Type_URL": { + "foreach": "@body('Parse_TIDE_Data_For_URL')?['threat']", + "actions": { + "Condition_To_Check_Comment_Limit_Exceed_For_urls": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments_For_urls": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_For_URL": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Add_URL_TIDE_Data_As_Comment": { + "runAfter": { + "Set_HTML_With_URL_TIDE_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

IOC - @{items('For_Each_URL')?['Url']} - @{items('For_Each_Threat_IOC_Of_Type_URL')?['type']} - @{items('For_Each_Threat_IOC_Of_Type_URL')?['class']}
\n@{variables('html')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comment_Count_For_URL": { + "runAfter": { + "Add_URL_TIDE_Data_As_Comment": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "comment_count", + "value": 1 + } + }, + "Set_HTML_With_URL_TIDE_Data": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "html", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Type@{items('For_Each_Threat_IOC_Of_Type_URL')?['type']}
Host@{items('For_Each_Threat_IOC_Of_Type_URL')?['host']}
Domain@{items('For_Each_Threat_IOC_Of_Type_URL')?['domain']}
URL@{items('For_Each_Threat_IOC_Of_Type_URL')?['url']}
Class@{items('For_Each_Threat_IOC_Of_Type_URL')?['class']}
Profile@{items('For_Each_Threat_IOC_Of_Type_URL')?['profile']}
Property@{items('For_Each_Threat_IOC_Of_Type_URL')?['property']}
Threat Level@{items('For_Each_Threat_IOC_Of_Type_URL')?['threat_level']}
Confidence@{items('For_Each_Threat_IOC_Of_Type_URL')?['confidence']}
Detected@{items('For_Each_Threat_IOC_Of_Type_URL')?['detected']}
Received@{items('For_Each_Threat_IOC_Of_Type_URL')?['received']}
Imported@{items('For_Each_Threat_IOC_Of_Type_URL')?['imported']}
Expiration@{items('For_Each_Threat_IOC_Of_Type_URL')?['expiration']}
Description@{items('For_Each_Threat_IOC_Of_Type_URL')?['extended']?['notes']}
Open in CSP@{variables('base_url')}/#/security_research/search/auto/@{items('For_Each_Threat_IOC_Of_Type_URL')?['url']}/summary

" + } + } + } + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('comment_count')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_TIDE_Data_For_URL')?['record_count']", + 0 + ] + } + ] + }, + "type": "If" + }, + "Parse_TIDE_Data_For_URL": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "batch_id": {}, + "class": {}, + "confidence": {}, + "confidence_score": {}, + "confidence_score_rating": {}, + "confidence_score_vector": {}, + "detected": {}, + "domain": {}, + "expiration": {}, + "extended": { + "properties": { + "attack_chain": {}, + "cyberint_guid": {}, + "notes": {}, + "protocol": {}, + "references": {} + }, + "type": "object" + }, + "host": {}, + "id": {}, + "imported": {}, + "profile": {}, + "property": {}, + "received": {}, + "risk_score": {}, + "risk_score_rating": {}, + "risk_score_vector": {}, + "threat_level": {}, + "threat_score": {}, + "threat_score_rating": {}, + "threat_score_vector": {}, + "tld": {}, + "type": {}, + "up": {}, + "url": {} + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Get_TIDE_Data_Of_Type_URL": [ + "Succeeded", + "Failed", + "TimedOut" + ] + }, + "else": { + "actions": { + "Add_Error_Message_For_URL": { + "runAfter": {}, + "type": "AppendToArrayVariable", + "inputs": { + "name": "error_message", + "value": "Error Occurred While Fetching Data For URL - @{items('For_Each_URL')?['Url']} With Status Code - @{outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')['statusCode']}" + } + }, + "Increment_Failure_Count_For_URL": { + "runAfter": { + "Add_Error_Message_For_URL": [ "Succeeded" ] + }, + "type": "IncrementVariable", + 
"inputs": { + "name": "failure_count", + "value": 1 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Get_TIDE_Data_Of_Type_URL')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Get_TIDE_Data_Of_Type_URL": { + "runAfter": { + "Set_Entity_Mapping_True_For_URL": [ "Succeeded" ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "fields": "@variables('fields_url')", + "type": "url", + "url": "@items('For_Each_URL')?['Url']" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + }, + "Set_Entity_Mapping_True_For_URL": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "entity_mapping", + "value": "@true" + } + } + }, + "runAfter": { + "Get_URLs_From_Entities": [ "Succeeded" ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Get_FileHashes_From_Entities": { + "runAfter": { + "For_Each_URL": [ "Succeeded", "TimedOut", "Failed" ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + } + }, + "Get_Hosts_From_Entities": { + "runAfter": { + "Initialize_Failure_Count": [ "Succeeded" ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/host" + } + }, + "Get_IPs_From_Entities": { + "runAfter": { + "For_Each_Host": [ "Succeeded", "TimedOut", "Failed" ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { 
+ "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "Get_URLs_From_Entities": { + "runAfter": { + "For_Each_IP": [ "Succeeded", "TimedOut", "Failed" ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + } + }, + "Initialize_Base_URL": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Comment_Count": { + "runAfter": { + "Initialize_Entity_Mapping_False": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "comment_count", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } + }, + "Initialize_Entity_Mapping_False": { + "runAfter": { + "Initialize_HTML": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "entity_mapping", + "type": "boolean", + "value": "@false" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Comment_Count": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "array" + } + ] + } + }, + "Initialize_Failure_Count": { + "runAfter": { + "Initialize_Error_Message": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "failure_count", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Fields_For_Hash": { + "runAfter": { + "Initialize_Fields_For_URL": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_hash", + "type": "string", + 
"value": "id,type,ip,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_Host": { + "runAfter": { + "Initialize_Base_URL": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_host", + "type": "string", + "value": "id,type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_IP": { + "runAfter": { + "Initialize_Fields_For_Host": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_ip", + "type": "string", + "value": "id,type,ip,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_Fields_For_URL": { + "runAfter": { + "Initialize_Fields_For_IP": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields_url", + "type": "string", + "value": "id,type,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,threat_score,threat_score_rating,confidence_score,confidence_score_rating,risk_score,risk_score_rating,extended" + } + ] + } + }, + "Initialize_HTML": { + "runAfter": { + "Initialize_Fields_For_Hash": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + 
"connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup-Comment-Enrichment",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/Images/InfobloxTIDELookup.png b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/Images/InfobloxTIDELookup.png
new file mode 100644
index 00000000000..8e066a27238
Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/Images/InfobloxTIDELookup.png differ
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/README.md b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/README.md
new file mode 100644
index 00000000000..1331f3f6b9d
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/README.md
@@ -0,0 +1,38 @@
+# Infoblox TIDE Lookup
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook fetches TIDE lookup data for the provided entity type and value.
+
+### Prerequisites
+
+1. User must have a valid Infoblox API Key.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Infoblox Base Url: Enter baseurl for your Infoblox instance.(e.g. https://csp.infoblox.com)
+ * Infoblox API Key: Enter valid value for API Key
+ * Workspace Name: Enter name of Log Analytics Workspace
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TIDE%20Lookup%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
+2. Go to General -> edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for other connections
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/azuredeploy.json
new file mode 100644
index 00000000000..4bcdee42141
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TIDE Lookup/azuredeploy.json
@@ -0,0 +1,686 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "title": "Infoblox-TIDE-Lookup",
+ "description": "The playbook fetches TIDE lookup data for the provided entity type and value.",
+ "prerequisites": "User must provide valid Infoblox API Key.",
+ "postDeployment": [
+ "**a. Authorize connections**",
+ "Once deployment is complete, authorize each connection.",
+ "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource",
+ "2. Go to General -> edit API connection",
+ "3. Click Authorize",
+ "4. Sign in",
+ "5. Click Save",
+ "6. Repeat steps for other connections"
+ ],
+ "entities": [ "Host", "IP", "Hash", "URL" ],
+ "tags": [ "Infoblox", "TIDE", "Lookup" ],
+ "lastUpdateTime": "2024-07-19T16:15:48.355Z",
+ "support": {
+ "tier": "Community",
+ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
+ },
+ "author": {
+ "name": "Infoblox"
+ }
+ },
+ "parameters": {
+ "PlaybookName": {
+ "defaultValue": "Infoblox-TIDE-Lookup",
+ "minLength": 1,
+ "type": "string",
+ "metadata": {
+ "description": "Please keep the 'Playbook Name' parameter unchanged. Otherwise, you will need to manually adjust the 'Playbook Name' in the 'Infoblox Lookup Workbook' in edit mode"
+ }
+ },
+ "Infoblox API Key": {
+ "type": "securestring",
+ "metadata": {
+ "description": "Enter Infoblox API Key"
+ }
+ },
+ "Infoblox Base Url": {
+ "type": "String",
+ "defaultValue": "https://csp.infoblox.com",
+ "minLength": 1,
+ "metadata": {
+ "description": "Enter Base URL for your infoblox account. (e.g. 
https://csp.infoblox.com)"
+ }
+ },
+ "Workspace Name": {
+ "type": "String",
+ "metadata": {
+ "description": "Enter name of Log Analytics Workspace"
+ }
+ }
+ },
+ "variables": {
+ "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]",
+ "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]"
+ },
+ "resources": [
+ {
+ "properties": {
+ "provisioningState": "Succeeded",
+ "state": "Enabled",
+ "definition": {
+ "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "defaultValue": {},
+ "type": "Object"
+ },
+ "API Key": {
+ "type": "String",
+ "defaultValue": "[trim(parameters('Infoblox API Key'))]"
+ },
+ "BaseUrl": {
+ "type": "String",
+ "defaultValue": "[trim(parameters('Infoblox Base Url'))]"
+ }
+ },
+ "triggers": {
+ "manual": {
+ "type": "Request",
+ "kind": "Http",
+ "inputs": {
+ "method": "POST"
+ }
+ }
+ },
+ "actions": {
+ "Condition_To_Check_If_All_Parameters_Are_Available": {
+ "actions": {
+ "Condition_To_Check_If_IOCs_Of_Provided_Type_and_Target_Are_Not_Available": {
+ "actions": {
+ "Condition_To_Check_Threat_Data_Fetched_Successfully": {
+ "actions": {
+ "Condition_To_Check_If_Threat_Data_Available_Using_API": {
+ "actions": {
+ "For_Each_Threat": {
+ "foreach": "@variables('threat_data')",
+ "actions": {
+ "Condition_To_Check_If_Threat_Data_Is_Available": {
+ "actions": {
+ "Send_Data_To_Log_Table": {
+ "runAfter": {},
+ "type": "ApiConnection",
+ "inputs": {
+ "body": "@{items('For_Each_Threat')}",
+ "headers": {
+ "Log-Type": "tide_lookup_data"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']"
+ }
+ },
+ "method": "post",
+ "path": "/api/logs"
+ }
+ }
+ },
+ "runAfter": {},
+ "expression": {
+ "and": [
+ {
+ "not": {
+ "equals": 
[ + "@length(items('For_Each_Threat'))", + 0 + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Set_Threat_Data": [ "Succeeded" ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 50 + } + } + }, + "Response_For_Successfully_Ingesting_Data": { + "runAfter": { + "For_Each_Threat": [ "Succeeded" ] + }, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Successfully Ingested The TIDE Lookup Data For @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + }, + "Set_Threat_Data": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "threat_data", + "value": "@chunk(body('Parse_JSON_For_Threat_Data')?['threat'],1000)" + } + } + }, + "runAfter": { + "Parse_JSON_For_Threat_Data": [ "Succeeded" ] + }, + "else": { + "actions": { + "Response_To_Indicate_Success_If_No_Data_Found_For_Target": { + "runAfter": {}, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "No Data Found For @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Parse_JSON_For_Threat_Data')?['record_count']", + 0 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Threat_Data": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@body('HTTP_Request_To_Fetch_Threat_Data')", + "schema": { + "properties": { + "record_count": { + "type": "integer" + }, + "threat": { + "items": { + "properties": { + "batch_id": { + "type": "string" + }, + "class": { + "type": "string" + }, + "confidence": { + "type": "integer" + }, + "confidence_score": { + "type": "number" + }, + "confidence_score_rating": { + "type": "string" + }, + "confidence_score_vector": { + "type": "string" + }, + 
"detected": { + "type": "string" + }, + "dga": { + "type": [ "string", "boolean" ] + }, + "domain": { + "type": "string" + }, + "email": { + "type": "string" + }, + "expiration": { + "type": "string" + }, + "extended": { + "properties": { + "attack_chain": { + "type": "string" + }, + "cyberint_guid": { + "type": "string" + }, + "notes": { + "type": "string" + }, + "protocol": { + "type": "string" + }, + "references": { + "type": "string" + }, + "sample_sha256": { + "type": "string" + } + }, + "type": "object" + }, + "hash": { + "type": "string" + }, + "hash_type": { + "type": "string" + }, + "host": { + "type": "string" + }, + "id": { + "type": "string" + }, + "imported": { + "type": "string" + }, + "ip": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "property": { + "type": "string" + }, + "received": { + "type": "string" + }, + "risk_score": { + "type": "number" + }, + "risk_score_rating": { + "type": "string" + }, + "risk_score_vector": { + "type": "string" + }, + "threat_level": { + "type": "integer" + }, + "threat_score": { + "type": "number" + }, + "threat_score_rating": { + "type": "string" + }, + "threat_score_vector": { + "type": "string" + }, + "tld": { + "type": "string" + }, + "type": { + "type": "string" + }, + "up": { + "type": [ "string", "boolean" ] + }, + "url": { + "type": "string" + } + }, + "required": [ "id", "type" ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + } + }, + "runAfter": { + "HTTP_Request_To_Fetch_Threat_Data": [ + "Succeeded", + "TimedOut", + "Failed" + ] + }, + "else": { + "actions": { + "Response_To_Indicate_Failure_While_Fetching_Threat_Data": { + "runAfter": {}, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Error Occurred While Fetching Threat Data With Status Code:@{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}", + "status": "failure" + }, + "statusCode": "@outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']" + } + }, 
+ "Terminate_Due_To_Error_While_Fetching_Threat_Data": { + "runAfter": { + "Response_To_Indicate_Failure_While_Fetching_Threat_Data": [ + "Succeeded", + "Skipped" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "@{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}", + "message": "Error Occurred While Fetching Threat Data With Status Code: @{outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']}\nError: @{body('HTTP_Request_To_Fetch_Threat_Data')}" + }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_Request_To_Fetch_Threat_Data')['statusCode']", + 200 + ] + } + ] + }, + "type": "If" + }, + "HTTP_Request_To_Fetch_Threat_Data": { + "runAfter": {}, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Token @{parameters('API Key')}" + }, + "method": "GET", + "queries": { + "@{body('Parse_JSON_For_Query_Parameters')?['type']}": "@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "fields": "@variables('fields')", + "rlimit": "@{variables('rlimit')}", + "type": "@{body('Parse_JSON_For_Query_Parameters')?['type']}" + }, + "uri": "@{variables('base_url')}/tide/api/data/threats" + } + } + }, + "runAfter": { + "Set_Response_Count": [ "Succeeded" ] + }, + "else": { + "actions": { + "Response_To_Indicate_Success_If_Threat_Data_Available_In_Log_Table": { + "runAfter": {}, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Data already available of TIDE Lookup for @{body('Parse_JSON_For_Query_Parameters')?['type']}-@{body('Parse_JSON_For_Query_Parameters')?['target']}", + "status": "success" + }, + "statusCode": 200 + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ "@variables('response_count')", 0 ] + } + ] + }, + "type": "If" + }, + "Run_Query_For_Caching_Mechanism": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": "let dummyschema = datatable(TimeGenerated:datetime, 
@{body('Parse_JSON_For_Query_Parameters')?['type']}_s:string, type_s:string, Count:int)[];\nunion isfuzzy=true dummyschema,\ntide_lookup_data_CL\n| where type_s =~ \"@{body('Parse_JSON_For_Query_Parameters')?['type']}\" and @{body('Parse_JSON_For_Query_Parameters')?['type']}_s == \"@{body('Parse_JSON_For_Query_Parameters')?['target']}\"\n| count ", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[resourceGroup().name]", + "resourcename": "[parameters('Workspace Name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[subscription().subscriptionId]", + "timerange": "Last 24 hours" + } + } + }, + "Set_Response_Count": { + "runAfter": { + "Run_Query_For_Caching_Mechanism": [ "Succeeded" ] + }, + "type": "SetVariable", + "inputs": { + "name": "response_count", + "value": "@body('Run_Query_For_Caching_Mechanism')?['value']?[0]?['Count']" + } + } + }, + "runAfter": { + "Initialize_Response_Count": [ "Succeeded" ] + }, + "else": { + "actions": { + "Response_To_Indicate_Failure_Due_To_Absence_Of_Parameters": { + "runAfter": {}, + "type": "Response", + "kind": "Http", + "inputs": { + "body": { + "message": "Target Type or Target Parameter Not Found.", + "status": "failure" + }, + "statusCode": 400 + } + }, + "Terminate_Due_To_Required_Query_Parameters_Not_Found": { + "runAfter": { + "Response_To_Indicate_Failure_Due_To_Absence_Of_Parameters": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "400", + "message": "Target Type or Target Parameter Not Found." 
+ }, + "runStatus": "Failed" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Parse_JSON_For_Query_Parameters')?['type'])", + "@false" + ] + }, + { + "equals": [ + "@empty(body('Parse_JSON_For_Query_Parameters')?['target'])", + "@false" + ] + } + ] + }, + "type": "If" + }, + "Initialize_Base_URL": { + "runAfter": { + "Parse_JSON_For_Query_Parameters": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "base_url", + "type": "string", + "value": "@parameters('BaseUrl')" + } + ] + } + }, + "Initialize_Fields": { + "runAfter": { + "Initialize_Base_URL": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "fields", + "type": "string", + "value": "id,type,ip,url,tld,email,hash,hash_type,host,domain,profile,property,class,threat_level,confidence,detected,received,imported,expiration,dga,up,extended" + } + ] + } + }, + "Initialize_Response_Count": { + "runAfter": { + "Initialize_Threat_Data": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "response_count", + "type": "integer" + } + ] + } + }, + "Initialize_Rlimit": { + "runAfter": { + "Initialize_Fields": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "rlimit", + "type": "integer", + "value": 90000 + } + ] + } + }, + "Initialize_Threat_Data": { + "runAfter": { + "Initialize_Rlimit": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "threat_data", + "type": "array" + } + ] + } + }, + "Parse_JSON_For_Query_Parameters": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()", + "schema": { + "properties": { + "target": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { 
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[variables('AzuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Infoblox-TIDE-Lookup", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzuremonitorlogsConnectionName')]", + 
"location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuremonitorlogsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + } + ] +} diff --git a/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/Images/InfobloxTimeRangeBasedDHCPLookup.png b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/Images/InfobloxTimeRangeBasedDHCPLookup.png new file mode 100644 index 00000000000..460919f3bb1 Binary files /dev/null and b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/Images/InfobloxTimeRangeBasedDHCPLookup.png differ diff --git a/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/README.md b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/README.md new file mode 100644 index 00000000000..a6b6b1c6988 --- /dev/null +++ b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/README.md 
@@ -0,0 +1,57 @@
+# Infoblox TimeRangeBased DHCP Lookup
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+## Summary
+
+The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a specified time range, and if found, add the DHCP lookup data as a comment on the incident.
+
+### Prerequisites
+
+1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel.
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Playbook Name: Enter the playbook name here
+ * Start Date: Enter start date from which you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd
+ * End Date: Enter end date till you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd
+ * Workspace Name: Enter name of Log Analytics Workspace where DHCP data is available
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https%3A%2F%2Fportal.azure.com%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TimeRangeBased%20DHCP%20Lookup%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https%3A%2F%2Fportal.azure.us%2F%23create%2FMicrosoft.Template%2Furi%2Fhttps%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FInfoblox%2FPlaybooks%2FInfoblox%20TimeRangeBased%20DHCP%20Lookup%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+#### a. Authorize connections
+
+Once deployment is complete, authorize each connection.
+
+1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource
+2. 
Go to General -> edit API connection
+3. Click Authorize
+4. Sign in
+5. Click Save
+6. Repeat steps for other connections
+
+#### b. Assign Role to add comment in incident
+
+Assign role to this playbook.
+
+1. Go to Log Analytics Workspace → → Access Control → Add
+2. Add role assignment
+3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role
+4. Members: select managed identity for assigned access to and add your logic app as member
+5. Click on review+assign
+
+#### c. Configurations in Microsoft Sentinel
+
+1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP
+2. To manually run the playbook on a particular incident follow the below steps:
+a. Go to Microsoft Sentinel -> -> Incidents
+b. Select an incident
+c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option
+d. Click on the Run button beside this playbook
\ No newline at end of file
diff --git a/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/azuredeploy.json b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/azuredeploy.json
new file mode 100644
index 00000000000..ab05fe79d3b
--- /dev/null
+++ b/Solutions/Infoblox/Playbooks/Infoblox TimeRangeBased DHCP Lookup/azuredeploy.json
@@ -0,0 +1,1017 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Infoblox-TimeRangeBased-DHCP-Lookup", + "description": "The playbook will retrieve IP entities from an incident, search for related DHCP data in a table for a apecified time range, and if found, add the DHCP lookup data as a comment on the incident.", + "prerequisites": [ + "1. CEF based Infoblox Data Connector should be configured to ingest DHCP lease related data in Microsoft Sentinel." + ], + "postDeployment": [ + "**a. Authorize connections**", + "Once deployment is complete, authorize each connection.", + "1. Go to your logic app -> API connections -> Select azuremonitorlogs connection resource", + "2. Go to General -> edit API connection", + "3. Click Authorize", + "4. Sign in", + "5. Click Save", + "6. Repeat steps for other connections", + "**b. Assign Role to add comment in incident**", + "Assign role to this playbook.", + "1. Go to Log Analytics Workspace → → Access Control → Add","2. Add role assignment", + "3. Assignment type: Job function roles -> Add 'Microsoft Sentinel Contributor' as a Role", + "4. Members: select managed identity for assigned access to and add your logic app as member", + "5. Click on review+assign", + "**c. Configurations in Microsoft Sentinel**", + "1. In Microsoft sentinel, analytical rules should be configured to trigger an incident which has Entities Mapping available for IP.", + "2. To manually run the playbook on a particular incident follow the below steps:", + "a. Go to Microsoft Sentinel -> -> Incidents", + "b. Select an incident.", + "c. In the right pane, click on Actions, and from the dropdown select the 'Run Playbook' option.", + "d. Click on the Run button beside this playbook." 
+ ], + "entities": [ "IP" ], + "tags": [ "Infoblox", "DHCP", "IP", "Lookup", "TimeBased" ], + "lastUpdateTime": "2024-07-19T16:15:48.355Z", + "support": { + "tier": "Community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Infoblox" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Infoblox-TimeRangeBased-DHCP-Lookup", + "minLength": 1, + "type": "string", + "metadata": { + "description": "Please do not keep 'Playbook Name' parameter empty, else you will receive validation failure" + } + }, + "Start Date": { + "type": "String", + "metadata": { + "description": "Enter start date from which you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd" + } + }, + "End Date": { + "type": "String", + "metadata": { + "description": "Enter end date till you want to perform lookup for DHCP data. Date should be in the format of yyyy-mm-dd" + } + }, + "Workspace Name": { + "type": "string", + "metadata": { + "description": "Enter name of Log Analytics Workspace where DHCP data is available" + } + } + }, + "variables": { + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "StartDate": { + "type": "String", + "defaultValue": "[trim(parameters('Start Date'))]" + }, + "EndDate": { + "type": "String", + "defaultValue": "[trim(parameters('End Date'))]" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": 
"ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": { + "actions": { + "Terminate_As_No_IPs_Found": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "No IPs found associated with incident." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Entities_-_Get_IPs')?['IPs'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Condition_To_Validate_StartDate_And_EndDate": { + "actions": { + "Terminate_Due_To_Invalid_StartDate_And_EndDate": { + "runAfter": {}, + "type": "Terminate", + "inputs": { + "runError": { + "message": "StartDate Should be Less than EndDate." + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Initialize_Incident_Comment": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greaterOrEquals": [ + "@variables('StartDate')", + "@variables('EndDate')" + ] + } + ] + }, + "type": "If" + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Condition_To_Validate_StartDate_And_EndDate": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/ip" + } + }, + "For_Each_IP": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Condition_To_Verify_IP_Address_is_Empty_Or_Not": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": { + "runAfter": {}, + "type": "ApiConnection", + 
"inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Empty IP Address found.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_IP_Address": { + "runAfter": { + "Add_Comment_To_Incident_For_Empty_IP_Address_Found": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Check_That_Results_Are_Empty": { + "actions": { + "Condition_To_Verify_Comments_Count_Does_Not_Exceeded_To_100_(2)": { + "actions": { + "Add_Comment__For_Empty_Results_Found_For_IP": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

No Lookup Data Found For IP: @{items('For_Each_IP')?['Address']} From @{variables('StartDate')} To @{variables('EndDate')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_Empty_Results_For_IP": { + "runAfter": { + "Add_Comment__For_Empty_Results_Found_For_IP": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comment_(2)": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Exceeded_Limit_(2)": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded_To_100_(2)": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Records_Are_Remaining_To_Add_And_Count_Limit_is_Not_Exceeded": { + "actions": { + "Add_Comment_To_Incident_For_Remaining_Records": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Remaining_Records": { + "runAfter": { + "Add_Comment_To_Incident_For_Remaining_Records": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": { + "For_Each_Query_Result": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Check_That_Comment_Count_Reaches_to_99": { + "actions": { + "Add_Comment_To_Incident_For_Limit_Exceeded": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments_For_Limit_Exceeded": { + "runAfter": { + "Add_Comment_To_Incident_For_Limit_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('incident_comment')", + "@null" + ] + } + }, + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + }, + "For_Each_Query_Result": { + "foreach": "@body('Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range')?['value']", + "actions": { + "Append_HTML_Table_Content_For_A_Record": { + "runAfter": { + "Parse_JSON_For_Query_Result_Data": [ + "Succeeded" + ] + }, + "type": "AppendToStringVariable", + "inputs": { + "name": "html_table", + "value": "

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
DHCP Lookup For IP @{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source IP@{body('Parse_JSON_For_Query_Result_Data')?['SourceIP']}
Source HostName@{body('Parse_JSON_For_Query_Result_Data')?['SourceHostName']}
Source Mac Address@{body('Parse_JSON_For_Query_Result_Data')?['SourceMACAddress']}
Device Name@{body('Parse_JSON_For_Query_Result_Data')?['DeviceName']}
Device Address@{body('Parse_JSON_For_Query_Result_Data')?['DeviceAddress']}
Device DNS Domain@{body('Parse_JSON_For_Query_Result_Data')?['DeviceDnsDomain']}
Infoblox Host@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxHost']}
Infoblox Subnet@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxSubnet']}
Infoblox Range Start@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeStart']}
Infoblox Range End@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxRangeEnd']}
Infoblox Lease Op@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLeaseOp']}
Infoblox Client ID@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxClientID']}
Infoblox Lifetime@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxLifetime']}
Infoblox Fingerprint Pr@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprintPr']}
Infoblox Fingerprint@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxFingerprint']}
Infoblox DHCP Options@{body('Parse_JSON_For_Query_Result_Data')?['InfobloxDHCPOptions']}

" + } + }, + "Condition_To_Verify_Character_Limit_Does_Not_Exceeded": { + "actions": { + "Set_Incident_Comment": { + "runAfter": {}, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@variables('html_table')" + } + } + }, + "runAfter": { + "Append_HTML_Table_Content_For_A_Record": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Condition_To_Verify_Comment_Count_Does_Not_Exceeded_To_100": { + "actions": { + "Add_Comment_For_DHCP_Record_In_HTML_Table_Format_": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{variables('incident_comment')}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Comments_Count_For_HTML_Table": { + "runAfter": { + "Add_Comment_For_DHCP_Record_In_HTML_Table_Format_": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + }, + "Reset_HTML_Table": { + "runAfter": { + "Reset_Incident_Comment": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "html_table", + "value": "@{null}" + } + }, + "Reset_Incident_Comment": { + "runAfter": { + "Increment_Comments_Count_For_HTML_Table": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "incident_comment", + "value": "@{null}" + } + } + }, + "runAfter": {}, + "else": { + "actions": { + "Condition_To_Verify_That_Incident_Has_99_Comments": { + "actions": { + "Add_Comment_That_Limit_Has_Been_Exceeded": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Comment limit to an incident has been breached.

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Increment_Number_Of_Comments": { + "runAfter": { + "Add_Comment_That_Limit_Has_Been_Exceeded": [ + "Succeeded" + ] + }, + "type": "IncrementVariable", + "inputs": { + "name": "number_of_comments", + "value": 1 + } + } + }, + "runAfter": {}, + "expression": { + "and": [ + { + "equals": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@variables('number_of_comments')", + 99 + ] + } + ] + }, + "type": "If" + } + } + }, + "expression": { + "and": [ + { + "less": [ + "@length(variables('html_table'))", + 30000 + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON_For_Query_Result_Data": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_Each_Query_Result')", + "schema": { + "properties": { + "Activity": { + "type": "string" + }, + "DeviceAddress": { + "type": "string" + }, + "DeviceDnsDomain": { + "type": "string" + }, + "DeviceName": { + "type": "string" + }, + "InfobloxClientID": { + "type": "string" + }, + "InfobloxDHCPOptions": { + "type": "string" + }, + "InfobloxDUID": { + "type": "string" + }, + "InfobloxFingerprint": { + "type": "string" + }, + "InfobloxFingerprintPr": { + "type": "string" + }, + "InfobloxHost": { + "type": "string" + }, + "InfobloxHostID": { + "type": "string" + }, + "InfobloxIPSpace": { + "type": "string" + }, + "InfobloxLeaseOp": { + "type": "string" + }, + "InfobloxLeaseUUID": { + "type": "string" + }, + "InfobloxLifetime": { + "type": "string" + }, + "InfobloxRangeEnd": { + "type": "string" + }, + "InfobloxRangeStart": { + "type": "string" + }, + "InfobloxSubnet": { + "type": "string" + }, + "SourceHostName": { + "type": "string" + }, + "SourceIP": { + "type": "string" + }, + "SourceMACAddress": { + "type": "string" + } + }, + "type": "object" + 
} + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@empty(body('Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range')?['value'])", + "@true" + ] + } + ] + }, + "type": "If" + }, + "Run_Query_And_List_DHCP_Lookup_Data_For_Provided_Time_Range": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "query": "let DHCP_VALUE = 'DHCP';\nlet IP = '@{items('For_each_IP')?['Address']}';\nCommonSecurityLog\n| where DeviceEventClassID contains DHCP_VALUE\n and SourceIP == IP\n| parse-kv AdditionalExtensions as (InfobloxHost : string,\nInfobloxHostID : string,\nInfobloxIPSpace : string,\nInfobloxSubnet : string,\nInfobloxRangeStart : string,\nInfobloxRangeEnd : string,\nInfobloxLeaseOp : string,\nInfobloxClientID : string,\nInfobloxDUID : string,\nInfobloxLifetime : string,\nInfobloxLeaseUUID : string,\nInfobloxFingerprintPr : string,\nInfobloxFingerprint : string,\nInfobloxDHCPOptions : string) with(kv_delimiter=\"=\", pair_delimiter=\";\")\n| project \nSourceIP,SourceHostName,SourceMACAddress, Activity, DeviceName,DeviceAddress,DeviceDnsDomain,\nInfobloxHost,\nInfobloxHostID,\nInfobloxIPSpace,\nInfobloxSubnet,\nInfobloxRangeStart,\nInfobloxRangeEnd,\nInfobloxLeaseOp,\nInfobloxClientID,\nInfobloxDUID,\nInfobloxLifetime,\nInfobloxLeaseUUID,\nInfobloxFingerprintPr,\nInfobloxFingerprint,\nInfobloxDHCPOptions\n", + "timerange": { + "exactTimeRangeFrom": "@variables('StartDate')", + "exactTimeRangeTo": "@variables('EndDate')" + }, + "timerangetype": "Exact" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" + } + }, + "method": "post", + "path": "/queryDataV2", + "queries": { + "resourcegroups": "[resourceGroup().name]", + "resourcename": "[parameters('Workspace Name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[subscription().subscriptionId]" + } + } + } + } + }, + "expression": { + "and": [ + { + 
"equals": [ + "@empty(items('For_Each_IP')?['Address'])", + "@true" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Condition_To_Terminate_Execution_If_No_IPs_Found": [ + "Succeeded" + ] + }, + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Initialize_Data_Variable": { + "runAfter": { + "Initialize_Length_of_Data": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "dhcp_data", + "type": "array" + } + ] + } + }, + "Initialize_End_Date": { + "runAfter": { + "Initialize_Start_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "EndDate", + "type": "string", + "value": "@parameters('EndDate')" + } + ] + } + }, + "Initialize_Error_Message": { + "runAfter": { + "Initialize_Number_Of_Comments": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "error_message", + "type": "string" + } + ] + } + }, + "Initialize_HTML_Table": { + "runAfter": { + "Initialize_Error_Message": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "html_table", + "type": "string" + } + ] + } + }, + "Initialize_Incident_Comment": { + "runAfter": { + "Initialize_Data_Variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "incident_comment", + "type": "string" + } + ] + } + }, + "Initialize_Length_of_Data": { + "runAfter": { + "Initialize_End_Date": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "length_of_data", + "type": "integer", + "value": 0 + } + ] + } + }, + "Initialize_Number_Of_Comments": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "number_of_comments", + "type": "integer", + "value": "@length(triggerBody()?['object']?['properties']?['Comments'])" + } + ] + } 
+ },
+ "Initialize_Start_Date": {
+ "runAfter": {
+ "Initialize_HTML_Table": [
+ "Succeeded"
+ ]
+ },
+ "type": "InitializeVariable",
+ "inputs": {
+ "variables": [
+ {
+ "name": "StartDate",
+ "type": "string",
+ "value": "@parameters('StartDate')"
+ }
+ ]
+ }
+ }
+ },
+ "outputs": {}
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuremonitorlogs": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]",
+ "connectionName": "[variables('AzuremonitorlogsConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]"
+ },
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
+ "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
+ "connectionProperties": {
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "[parameters('PlaybookName')]",
+ "type": "Microsoft.Logic/workflows",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "Infoblox-TimeRangeBased-DHCP-Lookup",
+ "hidden-SentinelTemplateVersion": "1.0"
+ },
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "apiVersion": "2017-07-01",
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]"
+ ]
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('AzuremonitorlogsConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('AzuremonitorlogsConnectionName')]",
+ "customParameterValues": {},
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[variables('MicrosoftSentinelConnectionName')]",
+ "location": "[resourceGroup().location]",
+ "kind": "V1",
+ "properties": {
+ "displayName": "[variables('MicrosoftSentinelConnectionName')]",
+ "customParameterValues": {},
+ "parameterValueType": "Alternative",
+ "api": {
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
+ }
+ }
+ }
+ ]
+}
diff --git a/Solutions/Infoblox/ReleaseNotes b/Solutions/Infoblox/ReleaseNotes
new file mode 100644
index 00000000000..3eb75331718
--- /dev/null
+++ b/Solutions/Infoblox/ReleaseNotes
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 15-07-2024 | Initial Solution Release |
diff --git a/Solutions/Infoblox/SolutionMetadata.json b/Solutions/Infoblox/SolutionMetadata.json
new file mode 100644
index 00000000000..ef8f5611221
--- /dev/null
+++ b/Solutions/Infoblox/SolutionMetadata.json
@@ -0,0 +1,22 @@
+{
+ "publisherId": "infoblox",
+ "offerId": "infoblox-sentinel",
+ "firstPublishDate": "2024-07-15",
+ "lastPublishDate": "2024-07-15",
+ "providers": [
+ "Infoblox"
+ ],
+ "categories": {
+ "domains": [
+ "Networking",
+ "Security - Threat Intelligence",
+ "Security - Threat Protection",
+ "Security - Network"
+ ]
+ },
+ "support": {
+ "name": "Infoblox",
+ "tier": "Partner",
+ "link": "https://support.infoblox.com/"
+ }
+}
\ No newline at end of file
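Review bot: SolutionMetadata.json is added without a terminating newline (the hunk ends in `\ No newline at end of file`), so the next edit to the manifest will show the closing `}` as a modified line; end the file with a single `\n`. The manifest values themselves line up with the release notes (firstPublishDate 2024-07-15 against the 15-07-2024 entry), so nothing else in this hunk needs to change.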
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black1.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black1.png
new file mode 100644
index 00000000000..f2b95b00c58
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black1.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black2.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black2.png
new file mode 100644
index 00000000000..321b2a49df0
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black2.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black3.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black3.png
new file mode 100644
index 00000000000..d7c9de9290a
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black3.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black4.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black4.png
new file mode 100644
index 00000000000..381de7d3289
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-Black4.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White1.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White1.png
new file mode 100644
index 00000000000..0f7da1678c3
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White1.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White2.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White2.png
new file mode 100644
index 00000000000..c39a3a2fcfc
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White2.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White3.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White3.png
new file mode 100644
index 00000000000..a4cc7b17811
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White3.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White4.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White4.png
new file mode 100644
index 00000000000..5e48505894b
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Lookup Workbook/Infoblox-Lookup-Workbook-White4.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black1.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black1.png
new file mode 100644
index 00000000000..af035762b61
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black1.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black2.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black2.png
new file mode 100644
index 00000000000..016c20bb411
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black2.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black3.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black3.png
new file mode 100644
index 00000000000..e224cf1e6d9
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black3.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black4.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black4.png
new file mode 100644
index 00000000000..c86f0a22c5f
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black4.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black5.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black5.png
new file mode 100644
index 00000000000..f79ead4e535
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black5.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black6.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black6.png
new file mode 100644
index 00000000000..eeb4dfbf94b
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black6.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black7.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black7.png
new file mode 100644
index 00000000000..d3e1770d850
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black7.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black8.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black8.png
new file mode 100644
index 00000000000..f445434fad8
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black8.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black9.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black9.png
new file mode 100644
index 00000000000..4f2eea2f54a
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-Black9.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White1.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White1.png
new file mode 100644
index 00000000000..85d7bad2c95
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White1.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White2.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White2.png
new file mode 100644
index 00000000000..cd4e650bd88
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White2.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White3.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White3.png
new file mode 100644
index 00000000000..5d43e6b2b7c
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White3.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White4.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White4.png
new file mode 100644
index 00000000000..f237941ef91
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White4.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White5.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White5.png
new file mode 100644
index 00000000000..9daba74f615
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White5.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White6.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White6.png
new file mode 100644
index 00000000000..dc944c3998f
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White6.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White7.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White7.png
new file mode 100644
index 00000000000..3f70f852874
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White7.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White8.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White8.png
new file mode 100644
index 00000000000..57ab88f36f8
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White8.png differ
diff --git a/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White9.png b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White9.png
new file mode 100644
index 00000000000..a3adc92812d
Binary files /dev/null and b/Solutions/Infoblox/Workbooks/Images/Preview/Infoblox Workbook/Infoblox-Workbook-White9.png differ
diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Lookup_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Lookup_Workbook.json
new file mode 100644
index 00000000000..81719888ff7
--- /dev/null
+++ b/Solutions/Infoblox/Workbooks/Infoblox_Lookup_Workbook.json
@@ -0,0 +1,4458 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "8db3a050-3c9c-4e91-ab49-ac4d4768f203", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "TIDE Lookup", + "subTarget": "1", + "style": "link" + }, + { + "id": "42f28d3c-e462-48c4-9ac9-c616a5b7d1b7", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "TIDE Lookup via Incident", + "subTarget": "4", + "style": "link" + }, + { + "id": "718e54eb-4786-4d21-bef1-372877db0a85", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Dossier Lookup", + "subTarget": "2", + "style": "link" + }, + { + "id": "86d6d161-40c8-4d8c-81cd-78aa762610e6", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Dossier Lookup via Incident", + "subTarget": "3", + "style": "link" + } + ] + }, + "name": "links - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Infoblox-TIDE-Lookup** logic app which is deployed with the Microsoft Sentinel Solution.
\r\nPlease configure this logic app first and keep it enabled in order to use this workbook.\r\n", + "style": "info" + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "## Infoblox TIDE Lookup\r\n---\r\n\r\n" + }, + "name": "text - 7" + }, + { + "type": 1, + "content": { + "json": "## Steps to perform TIDE Lookup using this workbook\r\n- This workbook is intended to help perform TIDE Lookup for Indicators.\r\n- Select the **Resource Group** and **Subscription ID**.\r\n- Select Indicator type from Type filter and provide indicator value corresponding to it's type in the Target parameter.\r\n- You will be able to see a lookup panel for that specific indicator. \r\n- If lookup information of this target is available in the last 24 hours it will be displayed in the lookup panel.\r\n- If there is message like **The query returned no results** on lookup panel, then click on the **GET TIDE DATA** button.\r\n- This will execute the **TIDE-Lookup** logic app in the background.\r\n- You can check the status of the playbook to identify the TIDE Lookup status.\r\n- Click on the refresh button of the lookup panel until you get the TIDE Lookup information.\r\n
\r\n
\r\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details. ", + "style": "upsell" + }, + "name": "text - 9" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7783c2b4-a6e6-4117-92ec-a9a751f01465", + "version": "KqlParameterItem/1.0", + "name": "SubscriptionId", + "label": "Subscription ID", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| distinct subscriptionId", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "4a15b858-69b6-4198-abfd-6af5f187d813", + "version": "KqlParameterItem/1.0", + "name": "SentinelResourceGroup", + "label": "Resource Group", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| where subscriptionId == ('{SubscriptionId}')\r\n| extend ResourceGroupName = resourceGroup\r\n| distinct ResourceGroupName", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 1 - Copy" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ca226b80-e11b-4cb2-a1ae-3722f60aa4c1", + "version": "KqlParameterItem/1.0", + "name": "EntityType", + "label": "Type", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"host\", \"ip\", \"url\", \"hash\", \"email\"]", + "timeContext": { + "durationMs": 86400000 + }, + 
"value": null + }, + { + "id": "9fbfab7b-f382-483b-975c-ab1fe0815b83", + "version": "KqlParameterItem/1.0", + "name": "EntityName", + "type": 1, + "isGlobal": true, + "timeContext": { + "durationMs": 86400000 + }, + "value": "", + "label": "Target" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibilities": [ + { + "parameterName": "SubscriptionId", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "SentinelResourceGroup", + "comparison": "isNotEqualTo" + } + ], + "name": "parameters - 1" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "paragraph", + "links": [ + { + "id": "f2242052-b69a-48b7-ac97-1f33d5e58c0f", + "linkTarget": "ArmAction", + "linkLabel": "GET TIDE DATA", + "style": "primary", + "linkIsContextBlade": true, + "armActionContext": { + "path": "/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup}/providers/Microsoft.Logic/workflows/Infoblox-TIDE-Lookup/triggers/manual/run?api-version=2016-10-01", + "headers": [], + "params": [], + "body": "{\r\n \"type\": \"{EntityType}\",\r\n \"target\": \"{EntityName}\"\r\n}", + "httpMethod": "POST", + "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." 
+ } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "EntityType", + "comparison": "isNotEqualTo" + } + ], + "name": "links - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| where type_s == toupper('{EntityType}') and ip_s == '{EntityName}'\r\n| project \r\n IP = column_ifexists(\"ip_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for ip : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "ip" + }, + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, 
hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend host_s = column_ifexists(\"host_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and host_s == '{EntityName}'\r\n| project \r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for host : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "host" + }, + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend url_s = column_ifexists(\"url_s\",\"\")\r\n| extend 
type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and url_s == '{EntityName}'\r\n| project \r\n Url = column_ifexists(\"url_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for url : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "url" + }, + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend hash_s = column_ifexists(\"hash_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and hash_s == '{EntityName}'\r\n| 
project \r\n Hash = column_ifexists(\"hash_s\",\"\"),\r\n ['Hash Type'] = column_ifexists(\"hash_type_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for hash : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "hash" + }, + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend email_s = column_ifexists(\"email_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and email_s == '{EntityName}'\r\n| project \r\n Email = column_ifexists(\"email_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = 
column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for email : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "email" + }, + { + "parameterName": "EntityName", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "1" + }, + "name": "group - 3", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Infoblox-TIDE-Lookup-Via-Incident** playbook which is deployed with the Microsoft Sentinel Solution.
\r\nPlease configure this logic app first and keep it enabled in order to use this workbook.\r\n\r\n", + "style": "info" + }, + "name": "text - 8" + }, + { + "type": 1, + "content": { + "json": "## Infoblox TIDE Lookup via Incidents\r\n---\r\n" + }, + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "## Steps to perform TIDE Lookup via Incident using this workbook\r\n- This workbook is intended to help perform TIDE Lookup for Indicators via Incidents.\r\n- Select the **Resource Group**, **Subscription ID**, **Workspace** and provide **[Tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant)**.\r\n- Select TimeRange and Type for Incidents.\r\n- From the **Available Incidents** panel, select any indicator.\r\n- You will be able to see a lookup panel for that specific indicator. \r\n- If lookup information of this target is available in the last 24 hours it will be displayed in the lookup panel.\r\n- If there is message like **The query returned no results** on lookup panel, then click on the **GET TIDE DATA** link to get the TIDE Lookup information for the Indicator of that Incident.\r\n- This will execute the **TIDE-Lookup-Via-Incident** logic app in the background.\r\n- You can check the status of the playbook to identify the TIDE Lookup status.\r\n- Click on the refresh button of the lookup panel until you get the TIDE Lookup information.\r\n
\r\n
\r\n**Note** :\r\n\t* In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\r\n\t* Please ensure that you select the workspace where your workbook and playbook are available. Otherwise, the data ingested by the playbook will not be reflected in the drilldown panel.\r\n", + "style": "upsell" + }, + "name": "text - 9" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7783c2b4-a6e6-4117-92ec-a9a751f01465", + "version": "KqlParameterItem/1.0", + "name": "SubscriptionId", + "label": "Subscription ID", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| distinct subscriptionId", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "4a15b858-69b6-4198-abfd-6af5f187d813", + "version": "KqlParameterItem/1.0", + "name": "SentinelResourceGroup", + "label": "Resource Group", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| where subscriptionId == ('{SubscriptionId}')\r\n| extend ResourceGroupName = resourceGroup\r\n| distinct ResourceGroupName", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "9e2b01b1-798f-4239-a845-f1a0a3781a99", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where resourceGroup =~ \"{SentinelResourceGroup}\"", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + 
"queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "854db66e-d6e4-4ae3-bb16-abc9dcd0a334", + "version": "KqlParameterItem/1.0", + "name": "TenantID", + "label": "Tenant ID", + "type": 1, + "isRequired": true, + "value": "" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 1 - Copy" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "51b0558c-95f7-452c-95c3-c501535f7a92", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + }, + "label": "Time Range" + }, + { + "id": "ca226b80-e11b-4cb2-a1ae-3722f60aa4c1", + "version": "KqlParameterItem/1.0", + "name": "IOCType", + "label": "Type", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities.Type in ('ip','filehash','url','host')\r\n| distinct tostring(Entities.Type)\r\n", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, 
+ "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibilities": [ + { + "parameterName": "TenantID", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "Workspace", + "comparison": "isNotEqualTo" + } + ], + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| extend AlertIds = todynamic(AlertIds)\r\n| extend AlertId = tostring(AlertIds[0])\r\n| join kind=inner (SecurityAlert| project SystemAlertId, Entities) on $left.AlertId == $right.SystemAlertId\r\n| mv-expand todynamic(Entities)\r\n| extend EntityType = case(Entities.Type =~ \"filehash\",\"hash\",Entities.Type)\r\n| where isnotempty(EntityType)\r\n| where \"{IOCType:escapejson}\" == '*' or EntityType in ({IOCType})\r\n| extend EntityName = case(EntityType =~ \"ip\", Entities.Address, \r\n EntityType =~ \"hash\", Entities.Value,\r\n EntityType =~ \"host\", Entities.NetBiosName,\r\n EntityType =~ \"url\", Entities.Url,\r\n \"\"), ['TIDE Lookup'] = \"GET TIDE DATA\"\r\n| where isnotempty(EntityName)\r\n| summarize arg_max(TimeGenerated, *) by EntityName,tostring(EntityType)\r\n| project ['IOC Value'] = EntityName, ['IOC Type'] = EntityType, IncidentUrl, ['TIDE Lookup'], IncidentName, Title, Description, Severity, Status, ProviderName, CreatedTime, IncidentNumber, Tasks, Labels, ModifiedBy\r\n", + "size": 0, + "showAnalytics": true, + "title": "Available Incidents", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "IncidentName", + "parameterName": "IncidentName" + }, + { + "fieldName": "IOC Value", + "parameterName": "EntityName", + "parameterType": 1 + }, + { + "fieldName": "IOC Type", + "parameterName": "EntityType", + "parameterType": 1 + } + 
], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Open Incident", + "linkIsContextBlade": false + } + }, + { + "columnMatch": "TIDE Lookup", + "formatter": 7, + "formatOptions": { + "linkTarget": "ArmAction", + "linkIsContextBlade": true, + "armActionContext": { + "path": "/{Workspace}/providers/Microsoft.SecurityInsights/incidents/{IncidentName}/runPlaybook?api-version=2019-01-01-preview", + "headers": [], + "params": [], + "body": "{\r\n\r\n\"LogicAppsResourceId\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup}/providers/Microsoft.Logic/workflows/Infoblox-TIDE-Lookup-Via-Incident\",\r\n\r\n \"TenantId\":\"{TenantID}\"\r\n\r\n}", + "httpMethod": "POST", + "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." 
+ } + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibilities": [ + { + "parameterName": "TenantID", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "Workspace", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 0", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| where type_s == toupper('{EntityType}') and ip_s == '{EntityName}'\r\n| project \r\n IP = column_ifexists(\"ip_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for ip : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "ip" + }, + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, 
url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend host_s = column_ifexists(\"host_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and host_s == '{EntityName}'\r\n| project \r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for host : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "host" + }, + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend url_s = column_ifexists(\"url_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == 
toupper('{EntityType}') and url_s == '{EntityName}'\r\n| project \r\n Url = column_ifexists(\"url_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for url : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "url" + }, + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, type_s: string, ip_s: string, host_s:string, url_s:string, hash_s:string, email_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ntide_lookup_data_CL\r\n| extend hash_s = column_ifexists(\"hash_s\",\"\")\r\n| extend type_s = column_ifexists(\"type_s\",\"\")\r\n| where type_s == toupper('{EntityType}') and hash_s == '{EntityName}'\r\n| project \r\n Hash = column_ifexists(\"hash_s\",\"\"),\r\n ['Hash Type'] = column_ifexists(\"hash_type_s\",\"\"),\r\n Profile = 
column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ['Threat Level'] = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")", + "size": 0, + "showAnalytics": true, + "title": "Lookup for hash : {EntityName}", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "EntityType", + "comparison": "isEqualTo", + "value": "hash" + }, + "name": "query - 3", + "styleSettings": { + "padding": "5px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "4" + }, + "name": "TIDE Incident Lookup", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Dossier Function App** which is deployed with the Microsoft Sentinel Solution. \r\n
Please configure this function app first and keep it enabled in order to use this workbook.\r\n", + "style": "info" + }, + "name": "text - 9" + }, + { + "type": 1, + "content": { + "json": "## Infoblox Dossier Lookup\r\n---" + }, + "name": "text - 7" + }, + { + "type": 1, + "content": { + "json": "## Steps to perform Dossier Lookup using this workbook\r\n- This workbook is intended to help perform Dossier Lookup for Indicators.\r\n- Select **Dossier Function App Name** which is deployed with the Microsoft Sentinel Solution.\r\n- Select Indicator type from Type filter and provide indicator value corresponding to it's type in the Target parameter.\r\n- Click on the **GET DOSSIER DATA** link.\r\n- This will execute the function app in the background to get the Dossier Lookup data (You will be redirect in new tab).\r\n- You will be able to see a message like **Refresh to check for Dossier data availability**.\r\n- Click on the refresh button above the message until you get a message like **Click here to view the data**.\r\n- Click on the message **Click here to view the data** and it will display various lookup panels for different source data.\r\n
\r\n
\r\n**Note** :\r\n\t* The lookup information will be cache for 24 hours in sentinel.
\r\n\t* It is suggested to perform a **Hard Refresh** before getting Dossier data for the new target. Otherwise, the source drill down panels will not be populated properly.\r\n", + "style": "upsell" + }, + "name": "text - 10" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "1bc43239-b48a-4894-a7ef-5d9326cfe690", + "version": "KqlParameterItem/1.0", + "name": "DurableFunction", + "label": "Dossier Function App Name", + "type": 5, + "isRequired": true, + "query": "resources\r\n| where type contains \"microsoft.web/sites\"\r\n| where name startswith \"dossier\"\r\n| distinct name", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 11" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ca226b80-e11b-4cb2-a1ae-3722f60aa4c1", + "version": "KqlParameterItem/1.0", + "name": "IOCType", + "label": "Type", + "type": 2, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\"host\", \"ip\", \"url\", \"hash\", \"email\"]", + "timeContext": { + "durationMs": 86400000 + }, + "value": null + }, + { + "id": "9fbfab7b-f382-483b-975c-ab1fe0815b83", + "version": "KqlParameterItem/1.0", + "name": "IOCValue", + "label": "Target", + "type": 1, + "isGlobal": true, + "timeContext": { + "durationMs": 86400000 + }, + "value": "" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(Dossier_Lookup: string)\r\n[\r\n 
\"https://{DurableFunction}.azurewebsites.net/api/orchestrators/InfobloxDossierOrchestrator?target={IOCValue}&type={IOCType}\"\r\n];\r\ndummy_table", + "size": 3, + "timeContext": { + "durationMs": 86400000 + }, + "exportFieldName": "Dossier_Lookup", + "exportParameterName": "Dossier_Lookup", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Dossier_Lookup", + "formatter": 1, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "GET DOSSIER DATA" + } + }, + "showBorder": false, + "sortCriteriaField": "export_param" + } + }, + "customWidth": "50", + "conditionalVisibilities": [ + { + "parameterName": "IOCValue", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "IOCType", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 10", + "styleSettings": { + "maxWidth": "20%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string) [];\r\nunion isfuzzy=true dummy_table, dossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_source_s == \"atp\"\r\n| summarize count()\r\n| extend status = case(count_ == 0 , \"Refresh to check for Dossier data availability\",\"Click here to view the data\")\r\n| project status\r\n", + "size": 3, + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "exportFieldName": "status", + "exportParameterName": "dossier_status", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 1 + }, + "showBorder": false, + "size": "auto" + }, + "textSettings": { + "style": "editor" + } + }, + "customWidth": "50", + "conditionalVisibilities": [ + { + "parameterName": "IOCValue", + "comparison": "isNotEqualTo" + }, + { + 
"parameterName": "Dossier_Lookup", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 10", + "styleSettings": { + "maxWidth": "30%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelist", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here 
to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_infoblox_web_cat_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"infoblox_web_cat\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_results_s = column_ifexists(\"data_results_s\",\"\")\r\n| where isnotempty(data_results_s)\r\n| extend data_results_s = parse_json(data_results_s)\r\n| mv-expand data_results_s\r\n| project ['Web Category'] = data_results_s.name", + "size": 3, + "title": "Web Categories", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Web Category", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Uncategorized", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unknown", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "sortOrderField": 2, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "80" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table 
= datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_rpz_feeds_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"rpz_feeds\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (union isfuzzy = true 
dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n class = column_ifexists(\"class_s\",\"\"),\r\n detected = column_ifexists(\"detected_t\",\"\"),\r\n expiration = column_ifexists(\"expiration_t\",\"\"),\r\n feed_name = column_ifexists(\"feed_name_s\",\"\"),\r\n property = column_ifexists(\"property_s\",\"\"),\r\n threat_level = column_ifexists(\"threat_level_d\", 0)\r\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\r\n|extend Severity = case( tolong(threat_level) >= 75, \"High\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \"Medium\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\"Low\",tolong(threat_level) <25 , \"Info\",\"\")\r\n| project\r\n ['Feed Name'] = feed_name,\r\n ['Threat Level'] = threat_level,\r\n Severity,\r\n Property = property,\r\n Class = class,\r\n Detected = detected,\r\n Expiration = expiration", + "size": 3, + "showAnalytics": true, + "title": "Active Threat Feeds and Status (RPZ Feeds)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } 
+ } + ] + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_inforank_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"inforank\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n Domain = column_ifexists(\"data_domain_s\",\"\"),\r\n Interval = column_ifexists(\"data_interval_s\",\"\"),\r\n Rank = column_ifexists(\"data_rank_d\",\"\"),\r\n Message = column_ifexists(\"data_message_s\",\"\")\r\n| where\r\nisnotempty(Domain) or\r\nisnotempty(Interval) or\r\nisnotempty(Rank) or\r\nisnotempty(Message)\r\n| project \r\n Domain,\r\n Interval,\r\n Rank,\r\n Message\r\n\r\n", + "size": 3, + "title": "Inforank Ranking", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = 
column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_threat_actor_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"threat_actor\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n actor_description = column_ifexists( \"data_actor_description_s\",\"\"),\r\n actor_name = column_ifexists( \"data_actor_name_s\",\"\"),\r\n purpose = column_ifexists( \"data_purpose_s\",\"\"),\r\n related_count = column_ifexists( \"data_related_count_s\",\"\"),\r\n ttp = column_ifexists( \"data_ttp_s\",\"\"),\r\n Url = strcat('https://csp.infoblox.com/#/security_research/search/auto/','{IOCValue}','/threat-actor')\r\n| where\r\n isnotempty(actor_description) or\r\n isnotempty(actor_name) or\r\n isnotempty(purpose) or\r\n isnotempty(ttp)\r\n| extend purpose = replace_string(purpose,'\"','')\r\n| extend purpose = replace_string(purpose,',',', ')\r\n| extend purpose = trim(@\"[\\[\\]]\",purpose)\r\n| extend ttp = replace_string(ttp,'\"','')\r\n| extend ttp = replace_string(ttp,',',', ')\r\n| extend ttp = trim(@\"[\\[\\]]\",ttp)\r\n| project\r\n ['Actor Description'] = 
actor_description,\r\n ['Actor Name'] = actor_name,\r\n Purpose = purpose,\r\n ['Related Count'] = related_count,\r\n ['CSP Portal'] = Url,\r\n Ttp = ttp", + "size": 3, + "title": "DNS Threat Actor", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "CSP Portal", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "More Detail" + } + } + ] + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_geo_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"geo\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend\r\n asn_num = column_ifexists(\"data_asn_num_s\", \"\"),\r\n city = column_ifexists(\"data_city_s\", \"\"),\r\n country_code = column_ifexists(\"data_country_code_s\", \"\"),\r\n country_name = column_ifexists(\"data_country_name_s\", \"\"),\r\n isp = column_ifexists(\"data_isp_s\", \"\"),\r\n latitude = column_ifexists(\"data_latitude_d\", \"\"),\r\n longitude = column_ifexists(\"data_longitude_d\", \"\"),\r\n org = column_ifexists(\"data_org_s\", \"\"),\r\n postal_code = column_ifexists(\"data_postal_code_s\", \"\"),\r\n region = column_ifexists(\"data_region_s\", \"\")\r\n| where\r\n isnotempty(asn_num) or\r\n isnotempty(city) or\r\n isnotempty(country_code) or\r\n isnotempty(country_name) or\r\n isnotempty(isp) or\r\n isnotempty(latitude) or\r\n isnotempty(longitude) 
or\r\n isnotempty(org) or\r\n isnotempty(postal_code) or\r\n isnotempty(region)\r\n| project \r\n ['Asn Number'] = asn_num,\r\n City = city,\r\n ['Country Code'] = country_code,\r\n ['Country Name'] = country_name,\r\n Isp = isp,\r\n Latitude = latitude,\r\n Longitude = longitude,\r\n Org = org,\r\n ['Postal Code'] = postal_code,\r\n Region = region", + "size": 3, + "title": "Geo Graphic Details", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_tld_risk_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"tld_risk\" \r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_matches = column_ifexists(\"data_matches_s\",\"\")\r\n| mv-expand todynamic(data_matches)\r\n| project data_matches\r\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\"')\r\n| where\r\n isnotempty(confidence) or\r\n isnotempty(popular) or\r\n isnotempty(rare) or\r\n isnotempty(score) or\r\n isnotempty(score_label) or\r\n isnotempty(tld)\r\n| project \r\n ['Score Label'] = score_label,\r\n Score = score,\r\n TLD = tld,\r\n Confidence = confidence,\r\n Popular = popular,\r\n Rare = rare\r\n\r\n", + "size": 0, + "title": "TLD Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_nameserver_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"nameserver\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_nameserver_matches_CL) on $left.task_id_g == $right.task_id_g\r\n|extend \r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n Confidence = column_ifexists(\"ns_reputation_confidence_s\",\"\"),\r\n Label = column_ifexists(\"ns_reputation_label_s\",\"\"),\r\n malicious_counts = column_ifexists(\"ns_reputation_malicious_counts_s\",\"\"),\r\n Popular = column_ifexists(\"ns_reputation_popular_s\",\"\"),\r\n Rare = column_ifexists(\"ns_reputation_rare_s\",\"\"),\r\n raw_score = 
column_ifexists(\"ns_reputation_raw_score_s\",\"\"),\r\n Score = column_ifexists(\"ns_reputation_score_s\",\"\"),\r\n total_counts = column_ifexists(\"ns_reputation_total_counts_s\",\"\")\r\n| where\r\n isnotempty(Domain) or\r\n isnotempty(Confidence) or\r\n isnotempty(Label) or\r\n isnotempty(malicious_counts) or\r\n isnotempty(Popular) or\r\n isnotempty(Rare) or\r\n isnotempty(raw_score) or\r\n isnotempty(Score) or\r\n isnotempty(total_counts)\r\n| project \r\n Domain,\r\n Label,\r\n Score,\r\n Confidence,\r\n Popular,\r\n Rare,\r\n ['Raw Score'] = raw_score,\r\n ['Total Counts'] = total_counts,\r\n ['Malicious Counts'] = malicious_counts\r\n", + "size": 0, + "title": "Nameserver Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Very Low Risk", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "sortBy": [ + { + "itemKey": "Popular", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Popular", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 14", + "styleSettings": { + "showBorder": true 
+ } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\")\r\n| project \r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Confidence,\r\n Class,\r\n Detected,\r\n ['Threat Level'] = ThreatLevel,\r\n Imported,\r\n Received,\r\n Up,\r\n Expiration,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + 
"styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whois_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"whois\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n RegistrantName = column_ifexists(\"data_response_registrant_s\",\"\"),\r\n Nameservers = column_ifexists(\"data_response_nameservers_s\",\"\"),\r\n RegistrarEmail = column_ifexists(\"data_response_parsed_whois_registrar_abuse_contact_email_s\",\"\"),\r\n RegistrarPhone = column_ifexists(\"data_response_parsed_whois_registrar_abuse_contact_phone_s\",\"\"),\r\n Domain = column_ifexists(\"data_response_parsed_whois_domain_s\",\"\"),\r\n Created = column_ifexists(\"data_response_registration_created_t\",\"\"),\r\n Expires = column_ifexists(\"data_response_registration_expires_t\",\"\"),\r\n Statuses = column_ifexists(\"data_response_registration_statuses_s\",\"\"),\r\n Updated = column_ifexists(\"data_response_registration_updated_t\",\"\")\r\n| where \r\n isnotempty(RegistrantName) or\r\n isnotempty(Nameservers) or\r\n isnotempty(RegistrarEmail) or\r\n isnotempty(RegistrarPhone) or\r\n isnotempty(Domain) or\r\n isnotempty(Created) or\r\n isnotempty(Expires) or\r\n isnotempty(Statuses) or\r\n isnotempty(Updated)\r\n| extend Nameservers = replace_string(Nameservers,'\"','')\r\n| extend Nameservers = replace_string(Nameservers,',',', ')\r\n| extend Nameservers = trim(@\"[\\[\\]]\",Nameservers)\r\n| extend Statuses = replace_string(Statuses,'\"','')\r\n| extend Statuses = replace_string(Statuses,',',', ')\r\n| extend Statuses = trim(@\"[\\[\\]]\",Statuses)\r\n| project \r\n ['Registrant Name'] = RegistrantName,\r\n Domain,\r\n Statuses,\r\n ['Name Servers'] = Nameservers,\r\n ['Registrar Email'] 
= RegistrarEmail,\r\n ['Registrar Phone'] = RegistrarPhone,\r\n Created,\r\n Expires,\r\n Updated", + "size": 3, + "title": "Registered Owner (WHOIS)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nlet dns_A_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n A = column_ifexists(\"data_A_s\",\"\")\r\n | mv-expand todynamic(data_A_s)\r\n | project Type=\"A\", Value=data_A_s.ip, Reverse=data_A_s.reverse, TTL=data_A_s.ttl;\r\nlet dns_AAAA_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n AAAA = column_ifexists(\"data_AAAA_s\",\"\")\r\n | mv-expand todynamic(data_AAAA_s)\r\n | project Type=\"AAAA\",Value=data_AAAA_s;\r\nlet dns_CERT_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n CERT = column_ifexists(\"data_CERT_s\",\"\")\r\n | mv-expand todynamic(data_CERT_s)\r\n | project Type=\"CERT\",Value=data_CERT_s;\r\nlet dns_CNAME_data=\r\n union isfuzzy=true dummy_table,\r\n 
dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n CNAME = column_ifexists(\"data_CNAME_s\",\"\")\r\n | mv-expand todynamic(data_CNAME_s)\r\n | project Type=\"CNAME\",Value=data_CNAME_s;\r\nlet dns_HTTPS_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n HTTPS = column_ifexists(\"data_HTTPS_s\",\"\")\r\n | mv-expand todynamic(data_HTTPS_s)\r\n | project Type=\"HTTPS\",Value=data_HTTPS_s;\r\nlet dns_NS_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n NS = column_ifexists(\"data_NS_s\",\"\")\r\n | mv-expand todynamic(data_NS_s)\r\n | project Type=\"NS\",Value=data_NS_s;\r\nlet dns_SOA_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n SOA = column_ifexists(\"data_SOA_s\",\"\")\r\n | mv-expand todynamic(data_SOA_s)\r\n | project Type=\"SOA\",Value=data_SOA_s;\r\nlet dns_MX_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n MX = column_ifexists(\"data_MX_s\",\"\")\r\n | mv-expand todynamic(data_MX_s)\r\n | project Type=\"MX\",Value=data_MX_s;\r\nlet dns_SVCB_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and 
params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n SVCB = column_ifexists(\"data_SVCB_s\",\"\")\r\n | mv-expand todynamic(data_SVCB_s)\r\n | project Type=\"SVCB\",Value=data_SVCB_s;\r\nlet dns_TSIG_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n TSIG = column_ifexists(\"data_TSIG_s\",\"\")\r\n | mv-expand todynamic(data_TSIG_s)\r\n | project Type=\"TSIG\",Value=data_TSIG_s;\r\nlet dns_TXT_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n TXT = column_ifexists(\"data_TXT_s\",\"\")\r\n | mv-expand todynamic(data_TXT_s)\r\n | project Type=\"TXT\",Value=data_TXT_s;\r\n union dns_A_data,dns_AAAA_data,dns_CERT_data,\r\ndns_CNAME_data,\r\ndns_HTTPS_data,\r\ndns_NS_data,\r\ndns_SOA_data,\r\ndns_MX_data,\r\ndns_SVCB_data,\r\ndns_TSIG_data,\r\ndns_TXT_data\r\n| where isnotempty( Value) or isnotempty( Reverse) or isnotempty( TTL)\r\n| sort by Type asc", + "size": 0, + "showAnalytics": true, + "title": "Current DNS", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Type", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + 
"parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "host" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelisted", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + 
"parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_ptr_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s == \"ip\" and params_source_s == \"ptr\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend ptr_record = column_ifexists(\"data_ptr_record_s\",\"\")\r\n| extend ptr_record = case( isempty(ptr_record), \"Not Found\",ptr_record)\r\n| project ptr_record", + "size": 3, + "title": "Domain Name Associated (PTR)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "ptr_record", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unavailable", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "name": "query - 1", + "styleSettings": { + "maxWidth": "20" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and 
params_type_s ==\"ip\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 7 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_rpz_feeds_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"rpz_feeds\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n class = column_ifexists(\"class_s\",\"\"),\r\n detected = column_ifexists(\"detected_t\",\"\"),\r\n expiration = column_ifexists(\"expiration_t\",\"\"),\r\n feed_name 
= column_ifexists(\"feed_name_s\",\"\"),\r\n property = column_ifexists(\"property_s\",\"\"),\r\n threat_level = column_ifexists(\"threat_level_d\", 0)\r\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\r\n|extend Severity = case( tolong(threat_level) >= 75, \"High\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \"Medium\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\"Low\",tolong(threat_level) <25 , \"Info\",\"\")\r\n| project\r\n ['Feed Name'] = feed_name,\r\n ['Threat Level'] = threat_level,\r\n Severity,\r\n Property = property,\r\n Class = class,\r\n Detected = detected,\r\n Expiration = expiration", + "size": 3, + "showAnalytics": true, + "title": "Active Threat Feeds and Status (RPZ Feeds)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { 
+ "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_geo_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"geo\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend\r\n asn_num = column_ifexists(\"data_asn_num_s\", \"\"),\r\n city = column_ifexists(\"data_city_s\", \"\"),\r\n country_code = column_ifexists(\"data_country_code_s\", \"\"),\r\n country_name = column_ifexists(\"data_country_name_s\", \"\"),\r\n isp = column_ifexists(\"data_isp_s\", \"\"),\r\n latitude = column_ifexists(\"data_latitude_d\", \"\"),\r\n longitude = column_ifexists(\"data_longitude_d\", \"\"),\r\n org = column_ifexists(\"data_org_s\", \"\"),\r\n 
postal_code = column_ifexists(\"data_postal_code_s\", \"\"),\r\n region = column_ifexists(\"data_region_s\", \"\")\r\n| where\r\n isnotempty(asn_num) or\r\n isnotempty(city) or\r\n isnotempty(country_code) or\r\n isnotempty(country_name) or\r\n isnotempty(isp) or\r\n isnotempty(latitude) or\r\n isnotempty(longitude) or\r\n isnotempty(org) or\r\n isnotempty(postal_code) or\r\n isnotempty(region) \r\n| project \r\n ['Asn Number'] = asn_num,\r\n City = city,\r\n ['Country Code'] = country_code,\r\n ['Country Name'] = country_name,\r\n Isp = isp,\r\n Latitude = latitude,\r\n Longitude = longitude,\r\n Org = org,\r\n ['Postal Code'] = postal_code,\r\n Region = region", + "size": 3, + "title": "Geo Graphic Details", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "60", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n IP = column_ifexists(\"ip_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n Threatlevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = 
column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n IP,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = Threatlevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whois_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"whois\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\nCountry = column_ifexists(\"data_response_ip_response_country_s\",\"\"),\r\nHandle = column_ifexists(\"data_response_ip_response_handle_s\",\"\"),\r\nlast_changed = column_ifexists(\"data_response_ip_response_last_changed_t\",\"\"),\r\nName = column_ifexists(\"data_response_ip_response_name_s\",\"\"),\r\nnet_range = column_ifexists(\"data_response_ip_response_net_range_s\",\"\"),\r\nnet_type = column_ifexists(\"data_response_ip_response_net_type_s\",\"\"),\r\nParent = 
column_ifexists(\"data_response_ip_response_parent_s\",\"\"),\r\nRegistration = column_ifexists(\"data_response_ip_response_registration_t\",\"\"),\r\nsource_registery = column_ifexists(\"data_response_ip_response_source_registery_s\",\"\")\r\n| where\r\n isnotempty(Country) or\r\n isnotempty(Handle) or\r\n isnotempty(last_changed) or\r\n isnotempty(Name) or\r\n isnotempty(net_range) or\r\n isnotempty(net_type) or\r\n isnotempty(Parent) or\r\n isnotempty(Registration) or\r\n isnotempty(source_registery)\r\n| project \r\n Name,\r\n Country,\r\n Handle,\r\n ['Network Range'] = net_range,\r\n ['Network Type'] = net_type,\r\n Parent,\r\n ['Source Registery'] = source_registery,\r\n ['Last Changed'] = last_changed ,\r\n Registration", + "size": 3, + "title": "Registered Owner (WHOIS)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "ip" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true 
dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelist", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_infoblox_web_cat_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"infoblox_web_cat\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_results_s = column_ifexists(\"data_results_s\",\"\")\r\n| where isnotempty(data_results_s)\r\n| extend data_results_s = 
parse_json(data_results_s)\r\n| mv-expand data_results_s\r\n| project ['Web Category'] = data_results_s.name", + "size": 3, + "title": "Web Categories", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Web Category", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Uncategorized", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unknown", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "sortOrderField": 2, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "80" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat 
Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_tld_risk_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"tld_risk\" \r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_matches = column_ifexists(\"data_matches_s\",\"\")\r\n| mv-expand todynamic(data_matches)\r\n| project data_matches\r\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\"')\r\n| where\r\n isnotempty(confidence) or\r\n isnotempty(popular) or\r\n isnotempty(rare) or\r\n isnotempty(score) or\r\n isnotempty(score_label) or\r\n isnotempty(tld)\r\n| project \r\n ['Score Label'] = score_label,\r\n Score = score,\r\n TLD = tld,\r\n Confidence = confidence,\r\n Popular = popular,\r\n Rare = rare\r\n\r\n", + "size": 3, + "title": "TLD Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 
0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": 
"dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Url = column_ifexists(\"url_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Url,\r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "url" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"hash\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": 
"{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 3 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"hash\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"hash\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == 
$right.task_id_g\r\n| extend \r\n Hash = column_ifexists(\"hash_s\",\"\"),\r\n HashType = column_ifexists(\"hash_type_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Hash,\r\n ['Hash Type'] = HashType,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "hash" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5 - Copy - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 2 - Copy" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"email\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"email\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join 
kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Email = column_ifexists(\"email_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Email,\r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "email" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 6" + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + 
"comparison": "isEqualTo", + "value": "2" + }, + "name": "group - 3", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Dossier Function App** which is deployed with the Microsoft Sentinel Solution.\r\n
Please configure this function app first and keep it enabled in order to use this workbook.\r\n", + "style": "info" + }, + "name": "text - 9" + }, + { + "type": 1, + "content": { + "json": "## Infoblox Dossier Lookup via Incidents\r\n---\r\n" + }, + "name": "text - 7" + }, + { + "type": 1, + "content": { + "json": "## Steps to perform Dossier Lookup via Incident using this workbook\r\n- This workbook is intended to help perform Dossier Lookup for Indicators via Incidents.\r\n- Select **Dossier Function App Name** which is deployed with the Microsoft Sentinel Solution.\r\n- Select TimeRange and Type for Incidents .\r\n- From the **Available Incidents** panel, select any indicator and click on the **GET DOSSIER DATA** link (You will be redirect in new tab) to get the Dossier Lookup information for the Indicator of that Incident.\r\n- This will execute the function app in the background to get the Dossier Lookup data.\r\n- You will be able to see a message like **Refresh to check for Dossier data availability**.\r\n- Click on the refresh button above the message until you get a message like **Click here to view the data**.\r\n- Click on that message and it will display various lookup panels for different source data.\r\n
\r\n
\r\n**Note** :\r\n\t* The lookup information will be cache for 24 hours in sentinel.
\r\n\t* It is suggested to perform a **Hard Refresh** before getting Dossier data for the new target. Otherwise, the source drill down panels will not be populated properly.", + "style": "upsell" + }, + "name": "text - 10" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "1bc43239-b48a-4894-a7ef-5d9326cfe690", + "version": "KqlParameterItem/1.0", + "name": "DurableFunction", + "label": "Dossier Function App Name", + "type": 5, + "isRequired": true, + "query": "resources\r\n| where type contains \"microsoft.web/sites\"\r\n| where name startswith \"dossier\"\r\n| distinct name", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 11" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "de1d2274-20d3-4f7f-81cf-d8df4db9c0ec", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + } + }, + { + "id": "10e7adfc-f0de-45db-b3e7-1adc0b3fe3b5", + "version": 
"KqlParameterItem/1.0", + "name": "Type", + "type": 2, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityAlert\r\n| mv-expand todynamic(Entities)\r\n| where Entities.Type in ('ip','filehash','url','host')\r\n| distinct tostring(Entities.Type)\r\n", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 604800000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SecurityIncident\r\n| summarize arg_max(TimeGenerated, *) by IncidentName\r\n| extend AlertIds = todynamic(AlertIds)\r\n| extend AlertId = tostring(AlertIds[0])\r\n| join kind=inner (SecurityAlert| project SystemAlertId, Entities) on $left.AlertId == $right.SystemAlertId\r\n| mv-expand todynamic(Entities)\r\n| extend IOCType = case(Entities.Type =~ \"filehash\",\"hash\",Entities.Type)\r\n| extend IOCValue = case(IOCType =~ \"ip\", Entities.Address, \r\n IOCType =~ \"hash\", Entities.Value,\r\n IOCType =~ \"host\", Entities.NetBiosName,\r\n IOCType =~ \"url\", Entities.Url,\r\n \"\")\r\n|extend ['Dossier Lookup'] =strcat('https://','{DurableFunction}','.azurewebsites.net/api/orchestrators/InfobloxDossierOrchestrator?target=',IOCValue,'&type=',IOCType)\r\n| where isnotempty(IOCType) and isnotempty(IOCValue)\r\n| where \"{Type:escapejson}\" == '*' or IOCType in ({Type})\r\n| summarize arg_max(TimeGenerated, *) by ['IOC Value'] = IOCValue,['IOC Type'] = tostring(IOCType)\r\n| project ['IOC Value'], ['IOC Type'], IncidentUrl, ['Dossier Lookup'], IncidentName, Title, Description, Severity, Status, ProviderName, CreatedTime, IncidentNumber, Tasks, Labels, 
ModifiedBy\r\n", + "size": 0, + "showAnalytics": true, + "title": "Available Incidents", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "IOC Value", + "parameterName": "IOCValue", + "parameterType": 1 + }, + { + "fieldName": "IOC Type", + "parameterName": "IOCType", + "parameterType": 1 + }, + { + "fieldName": "Dossier Lookup", + "parameterName": "Dossier_Lookup", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Open Incident" + } + }, + { + "columnMatch": "Dossier Lookup", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "GET DOSSIER DATA" + } + } + ], + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "DurableFunction", + "comparison": "isNotEqualTo" + }, + "name": "query - 0", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string) [];\r\nunion isfuzzy=true dummy_table, dossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_source_s == \"atp\"\r\n| summarize count()\r\n| extend status = case(count_ == 0 , \"Refresh to check for Dossier data availability\",\"Click here to view the data\")\r\n| project status\r\n", + "size": 3, + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "exportFieldName": "status", + "exportParameterName": "dossier_status", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 1 + }, + "showBorder": false, + "size": "auto" + }, + 
"textSettings": { + "style": "editor" + } + }, + "customWidth": "50", + "conditionalVisibilities": [ + { + "parameterName": "IOCValue", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "Dossier_Lookup", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 10", + "styleSettings": { + "maxWidth": "30%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelist", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + 
"showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_infoblox_web_cat_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"infoblox_web_cat\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_results_s = column_ifexists(\"data_results_s\",\"\")\r\n| where isnotempty(data_results_s)\r\n| extend data_results_s = parse_json(data_results_s)\r\n| mv-expand data_results_s\r\n| project ['Web Category'] = data_results_s.name", + "size": 3, + "title": "Web Categories", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Web Category", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Uncategorized", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unknown", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "sortOrderField": 2, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + 
"styleSettings": { + "maxWidth": "80" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_rpz_feeds_CL\r\n| where params_target_s 
== '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"rpz_feeds\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (union isfuzzy = true dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n class = column_ifexists(\"class_s\",\"\"),\r\n detected = column_ifexists(\"detected_t\",\"\"),\r\n expiration = column_ifexists(\"expiration_t\",\"\"),\r\n feed_name = column_ifexists(\"feed_name_s\",\"\"),\r\n property = column_ifexists(\"property_s\",\"\"),\r\n threat_level = column_ifexists(\"threat_level_d\", 0)\r\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\r\n|extend Severity = case( tolong(threat_level) >= 75, \"High\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \"Medium\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\"Low\",tolong(threat_level) <25 , \"Info\",\"\")\r\n| project\r\n ['Feed Name'] = feed_name,\r\n ['Threat Level'] = threat_level,\r\n Severity,\r\n Property = property,\r\n Class = class,\r\n Detected = detected,\r\n Expiration = expiration", + "size": 3, + "showAnalytics": true, + "title": "Active Threat Feeds and Status (RPZ Feeds)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + 
"thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_inforank_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"inforank\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n Domain = column_ifexists(\"data_domain_s\",\"\"),\r\n Interval = column_ifexists(\"data_interval_s\",\"\"),\r\n Rank = column_ifexists(\"data_rank_d\",\"\"),\r\n Message = column_ifexists(\"data_message_s\",\"\")\r\n| where\r\nisnotempty(Domain) or\r\nisnotempty(Interval) or\r\nisnotempty(Rank) or\r\nisnotempty(Message)\r\n| project \r\n Domain,\r\n Interval,\r\n Rank,\r\n Message\r\n\r\n", + "size": 3, + "title": "Inforank Ranking", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where 
params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_threat_actor_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"threat_actor\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n actor_description = column_ifexists( \"data_actor_description_s\",\"\"),\r\n actor_name = column_ifexists( \"data_actor_name_s\",\"\"),\r\n purpose = column_ifexists( \"data_purpose_s\",\"\"),\r\n related_count = column_ifexists( \"data_related_count_s\",\"\"),\r\n ttp = column_ifexists( \"data_ttp_s\",\"\"),\r\n Url = strcat('https://csp.infoblox.com/#/security_research/search/auto/','{IOCValue}','/threat-actor')\r\n| where\r\n isnotempty(actor_description) or\r\n isnotempty(actor_name) or\r\n isnotempty(purpose) or\r\n isnotempty(ttp)\r\n| extend purpose = replace_string(purpose,'\"','')\r\n| extend purpose = replace_string(purpose,',',', ')\r\n| extend purpose = 
trim(@\"[\\[\\]]\",purpose)\r\n| extend ttp = replace_string(ttp,'\"','')\r\n| extend ttp = replace_string(ttp,',',', ')\r\n| extend ttp = trim(@\"[\\[\\]]\",ttp)\r\n| project\r\n ['Actor Description'] = actor_description,\r\n ['Actor Name'] = actor_name,\r\n Purpose = purpose,\r\n ['Related Count'] = related_count,\r\n ['CSP Portal'] = Url,\r\n Ttp = ttp", + "size": 3, + "title": "DNS Threat Actor", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "CSP Portal", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "More Detail" + } + } + ] + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_geo_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"geo\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend\r\n asn_num = column_ifexists(\"data_asn_num_s\", \"\"),\r\n city = column_ifexists(\"data_city_s\", \"\"),\r\n country_code = column_ifexists(\"data_country_code_s\", \"\"),\r\n country_name = column_ifexists(\"data_country_name_s\", \"\"),\r\n isp = column_ifexists(\"data_isp_s\", \"\"),\r\n latitude = column_ifexists(\"data_latitude_d\", \"\"),\r\n longitude = column_ifexists(\"data_longitude_d\", \"\"),\r\n org = column_ifexists(\"data_org_s\", \"\"),\r\n postal_code = column_ifexists(\"data_postal_code_s\", \"\"),\r\n region = column_ifexists(\"data_region_s\", 
\"\")\r\n| where\r\n isnotempty(asn_num) or\r\n isnotempty(city) or\r\n isnotempty(country_code) or\r\n isnotempty(country_name) or\r\n isnotempty(isp) or\r\n isnotempty(latitude) or\r\n isnotempty(longitude) or\r\n isnotempty(org) or\r\n isnotempty(postal_code) or\r\n isnotempty(region)\r\n| project \r\n ['Asn Number'] = asn_num,\r\n City = city,\r\n ['Country Code'] = country_code,\r\n ['Country Name'] = country_name,\r\n Isp = isp,\r\n Latitude = latitude,\r\n Longitude = longitude,\r\n Org = org,\r\n ['Postal Code'] = postal_code,\r\n Region = region", + "size": 3, + "title": "Geo Graphic Details", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_tld_risk_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"tld_risk\" \r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_matches = column_ifexists(\"data_matches_s\",\"\")\r\n| mv-expand todynamic(data_matches)\r\n| project data_matches\r\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\"')\r\n| where\r\n isnotempty(confidence) or\r\n isnotempty(popular) or\r\n isnotempty(rare) or\r\n isnotempty(score) or\r\n isnotempty(score_label) or\r\n isnotempty(tld)\r\n| project \r\n ['Score Label'] = score_label,\r\n Score = score,\r\n TLD = 
tld,\r\n Confidence = confidence,\r\n Popular = popular,\r\n Rare = rare\r\n\r\n", + "size": 0, + "title": "TLD Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_nameserver_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"nameserver\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_nameserver_matches_CL) on $left.task_id_g == $right.task_id_g\r\n|extend \r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n Confidence = column_ifexists(\"ns_reputation_confidence_s\",\"\"),\r\n Label = column_ifexists(\"ns_reputation_label_s\",\"\"),\r\n malicious_counts = 
column_ifexists(\"ns_reputation_malicious_counts_s\",\"\"),\r\n Popular = column_ifexists(\"ns_reputation_popular_s\",\"\"),\r\n Rare = column_ifexists(\"ns_reputation_rare_s\",\"\"),\r\n raw_score = column_ifexists(\"ns_reputation_raw_score_s\",\"\"),\r\n Score = column_ifexists(\"ns_reputation_score_s\",\"\"),\r\n total_counts = column_ifexists(\"ns_reputation_total_counts_s\",\"\")\r\n| where\r\n isnotempty(Domain) or\r\n isnotempty(Confidence) or\r\n isnotempty(Label) or\r\n isnotempty(malicious_counts) or\r\n isnotempty(Popular) or\r\n isnotempty(Rare) or\r\n isnotempty(raw_score) or\r\n isnotempty(Score) or\r\n isnotempty(total_counts)\r\n| project \r\n Domain,\r\n Label,\r\n Score,\r\n Confidence,\r\n Popular,\r\n Rare,\r\n ['Raw Score'] = raw_score,\r\n ['Total Counts'] = total_counts,\r\n ['Malicious Counts'] = malicious_counts\r\n", + "size": 0, + "title": "Nameserver Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Very Low Risk", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "sortBy": [ + { + "itemKey": "Popular", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Popular", + "sortOrder": 1 + } + ] + }, + "customWidth": "50", + 
"conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 14", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\")\r\n| project \r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Confidence,\r\n Class,\r\n Detected,\r\n ['Threat Level'] = ThreatLevel,\r\n Imported,\r\n Received,\r\n Up,\r\n Expiration,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whois_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"whois\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\n RegistrantName = column_ifexists(\"data_response_registrant_s\",\"\"),\r\n Nameservers = column_ifexists(\"data_response_nameservers_s\",\"\"),\r\n RegistrarEmail = column_ifexists(\"data_response_parsed_whois_registrar_abuse_contact_email_s\",\"\"),\r\n RegistrarPhone = column_ifexists(\"data_response_parsed_whois_registrar_abuse_contact_phone_s\",\"\"),\r\n Domain = column_ifexists(\"data_response_parsed_whois_domain_s\",\"\"),\r\n Created = column_ifexists(\"data_response_registration_created_t\",\"\"),\r\n Expires = column_ifexists(\"data_response_registration_expires_t\",\"\"),\r\n Statuses = column_ifexists(\"data_response_registration_statuses_s\",\"\"),\r\n Updated = column_ifexists(\"data_response_registration_updated_t\",\"\")\r\n| where \r\n isnotempty(RegistrantName) or\r\n isnotempty(Nameservers) or\r\n isnotempty(RegistrarEmail) or\r\n isnotempty(RegistrarPhone) or\r\n isnotempty(Domain) or\r\n isnotempty(Created) or\r\n isnotempty(Expires) or\r\n isnotempty(Statuses) or\r\n isnotempty(Updated)\r\n| extend Nameservers = replace_string(Nameservers,'\"','')\r\n| extend Nameservers = replace_string(Nameservers,',',', ')\r\n| extend Nameservers = trim(@\"[\\[\\]]\",Nameservers)\r\n| extend Statuses = replace_string(Statuses,'\"','')\r\n| extend Statuses = 
replace_string(Statuses,',',', ')\r\n| extend Statuses = trim(@\"[\\[\\]]\",Statuses)\r\n| project \r\n ['Registrant Name'] = RegistrantName,\r\n Domain,\r\n Statuses,\r\n ['Name Servers'] = Nameservers,\r\n ['Registrar Email'] = RegistrarEmail,\r\n ['Registrar Phone'] = RegistrarPhone,\r\n Created,\r\n Expires,\r\n Updated", + "size": 3, + "title": "Registered Owner (WHOIS)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nlet dns_A_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n A = column_ifexists(\"data_A_s\",\"\")\r\n | mv-expand todynamic(data_A_s)\r\n | project Type=\"A\", Value=data_A_s.ip, Reverse=data_A_s.reverse, TTL=data_A_s.ttl;\r\nlet dns_AAAA_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n AAAA = column_ifexists(\"data_AAAA_s\",\"\")\r\n | mv-expand todynamic(data_AAAA_s)\r\n | project Type=\"AAAA\",Value=data_AAAA_s;\r\nlet dns_CERT_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by 
params_target_s\r\n | extend\r\n CERT = column_ifexists(\"data_CERT_s\",\"\")\r\n | mv-expand todynamic(data_CERT_s)\r\n | project Type=\"CERT\",Value=data_CERT_s;\r\nlet dns_CNAME_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n CNAME = column_ifexists(\"data_CNAME_s\",\"\")\r\n | mv-expand todynamic(data_CNAME_s)\r\n | project Type=\"CNAME\",Value=data_CNAME_s;\r\nlet dns_HTTPS_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n HTTPS = column_ifexists(\"data_HTTPS_s\",\"\")\r\n | mv-expand todynamic(data_HTTPS_s)\r\n | project Type=\"HTTPS\",Value=data_HTTPS_s;\r\nlet dns_NS_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n NS = column_ifexists(\"data_NS_s\",\"\")\r\n | mv-expand todynamic(data_NS_s)\r\n | project Type=\"NS\",Value=data_NS_s;\r\nlet dns_SOA_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n SOA = column_ifexists(\"data_SOA_s\",\"\")\r\n | mv-expand todynamic(data_SOA_s)\r\n | project Type=\"SOA\",Value=data_SOA_s;\r\nlet dns_MX_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n MX = 
column_ifexists(\"data_MX_s\",\"\")\r\n | mv-expand todynamic(data_MX_s)\r\n | project Type=\"MX\",Value=data_MX_s;\r\nlet dns_SVCB_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n SVCB = column_ifexists(\"data_SVCB_s\",\"\")\r\n | mv-expand todynamic(data_SVCB_s)\r\n | project Type=\"SVCB\",Value=data_SVCB_s;\r\nlet dns_TSIG_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n TSIG = column_ifexists(\"data_TSIG_s\",\"\")\r\n | mv-expand todynamic(data_TSIG_s)\r\n | project Type=\"TSIG\",Value=data_TSIG_s;\r\nlet dns_TXT_data=\r\n union isfuzzy=true dummy_table,\r\n dossier_dns_CL\r\n | where params_target_s == '{IOCValue}' and params_type_s ==\"host\" and params_source_s == \"dns\"\r\n | summarize arg_max(TimeGenerated,*) by params_target_s\r\n | extend\r\n TXT = column_ifexists(\"data_TXT_s\",\"\")\r\n | mv-expand todynamic(data_TXT_s)\r\n | project Type=\"TXT\",Value=data_TXT_s;\r\n union dns_A_data,dns_AAAA_data,dns_CERT_data,\r\ndns_CNAME_data,\r\ndns_HTTPS_data,\r\ndns_NS_data,\r\ndns_SOA_data,\r\ndns_MX_data,\r\ndns_SVCB_data,\r\ndns_TSIG_data,\r\ndns_TXT_data\r\n| where isnotempty( Value) or isnotempty( Reverse) or isnotempty( TTL)\r\n| sort by Type asc", + "size": 0, + "showAnalytics": true, + "title": "Current DNS", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Type", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + } + ] + } + }, + 
"conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "host" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelisted", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": 
"success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_ptr_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s == \"ip\" and params_source_s == \"ptr\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend ptr_record = column_ifexists(\"data_ptr_record_s\",\"\")\r\n| extend ptr_record = case( isempty(ptr_record), \"Not Found\",ptr_record)\r\n| project ptr_record", + "size": 3, + "title": "Domain Name Associated (PTR)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "ptr_record", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unavailable", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "name": "query - 1", + "styleSettings": { + "maxWidth": "20" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + 
"query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 7 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_rpz_feeds_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"rpz_feeds\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (union isfuzzy = true 
dummy_table, dossier_rpz_feeds_records_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n class = column_ifexists(\"class_s\",\"\"),\r\n detected = column_ifexists(\"detected_t\",\"\"),\r\n expiration = column_ifexists(\"expiration_t\",\"\"),\r\n feed_name = column_ifexists(\"feed_name_s\",\"\"),\r\n property = column_ifexists(\"property_s\",\"\"),\r\n threat_level = column_ifexists(\"threat_level_d\", 0)\r\n| where isnotempty(class ) or isnotempty(detected ) or isnotempty(expiration ) or isnotempty(feed_name ) or isnotempty(property )\r\n|extend Severity = case( tolong(threat_level) >= 75, \"High\",tolong(threat_level) < 75 and tolong(threat_level) >= 50, \"Medium\",tolong(threat_level) < 50 and tolong(threat_level) >= 25,\"Low\",tolong(threat_level) <25 , \"Info\",\"\")\r\n| project\r\n ['Feed Name'] = feed_name,\r\n ['Threat Level'] = threat_level,\r\n Severity,\r\n Property = property,\r\n Class = class,\r\n Detected = detected,\r\n Expiration = expiration", + "size": 3, + "showAnalytics": true, + "title": "Active Threat Feeds and Status (RPZ Feeds)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "gray", + "text": "{0}{1}" + } + ] + } 
+ } + ] + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_geo_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"geo\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend\r\n asn_num = column_ifexists(\"data_asn_num_s\", \"\"),\r\n city = column_ifexists(\"data_city_s\", \"\"),\r\n country_code = column_ifexists(\"data_country_code_s\", \"\"),\r\n country_name = 
column_ifexists(\"data_country_name_s\", \"\"),\r\n isp = column_ifexists(\"data_isp_s\", \"\"),\r\n latitude = column_ifexists(\"data_latitude_d\", \"\"),\r\n longitude = column_ifexists(\"data_longitude_d\", \"\"),\r\n org = column_ifexists(\"data_org_s\", \"\"),\r\n postal_code = column_ifexists(\"data_postal_code_s\", \"\"),\r\n region = column_ifexists(\"data_region_s\", \"\")\r\n| where\r\n isnotempty(asn_num) or\r\n isnotempty(city) or\r\n isnotempty(country_code) or\r\n isnotempty(country_name) or\r\n isnotempty(isp) or\r\n isnotempty(latitude) or\r\n isnotempty(longitude) or\r\n isnotempty(org) or\r\n isnotempty(postal_code) or\r\n isnotempty(region) \r\n| project \r\n ['Asn Number'] = asn_num,\r\n City = city,\r\n ['Country Code'] = country_code,\r\n ['Country Name'] = country_name,\r\n Isp = isp,\r\n Latitude = latitude,\r\n Longitude = longitude,\r\n Org = org,\r\n ['Postal Code'] = postal_code,\r\n Region = region", + "size": 3, + "title": "Geo Graphic Details", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "60", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n IP = column_ifexists(\"ip_s\",\"\"),\r\n Profile = 
column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n Threatlevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n IP,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = Threatlevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whois_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"ip\" and params_source_s == \"whois\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend \r\nCountry = column_ifexists(\"data_response_ip_response_country_s\",\"\"),\r\nHandle = column_ifexists(\"data_response_ip_response_handle_s\",\"\"),\r\nlast_changed = column_ifexists(\"data_response_ip_response_last_changed_t\",\"\"),\r\nName = 
column_ifexists(\"data_response_ip_response_name_s\",\"\"),\r\nnet_range = column_ifexists(\"data_response_ip_response_net_range_s\",\"\"),\r\nnet_type = column_ifexists(\"data_response_ip_response_net_type_s\",\"\"),\r\nParent = column_ifexists(\"data_response_ip_response_parent_s\",\"\"),\r\nRegistration = column_ifexists(\"data_response_ip_response_registration_t\",\"\"),\r\nsource_registery = column_ifexists(\"data_response_ip_response_source_registery_s\",\"\")\r\n| where\r\n isnotempty(Country) or\r\n isnotempty(Handle) or\r\n isnotempty(last_changed) or\r\n isnotempty(Name) or\r\n isnotempty(net_range) or\r\n isnotempty(net_type) or\r\n isnotempty(Parent) or\r\n isnotempty(Registration) or\r\n isnotempty(source_registery)\r\n| project \r\n Name,\r\n Country,\r\n Handle,\r\n ['Network Range'] = net_range,\r\n ['Network Type'] = net_type,\r\n Parent,\r\n ['Source Registery'] = source_registery,\r\n ['Last Changed'] = last_changed ,\r\n Registration", + "size": 3, + "title": "Registered Owner (WHOIS)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "ip" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_whitelist_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"whitelist\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_whitelisted_b = column_ifexists(\"data_whitelisted_b\",\"\")\r\n| where isnotempty(data_whitelisted_b)\r\n| project tostring(data_whitelisted_b)", + "size": 3, + "title": "Whitelist", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "data_whitelisted_b", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "False", + "representation": "failed", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "True", + "representation": "success", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "20" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_infoblox_web_cat_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == 
\"infoblox_web_cat\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_results_s = column_ifexists(\"data_results_s\",\"\")\r\n| where isnotempty(data_results_s)\r\n| extend data_results_s = parse_json(data_results_s)\r\n| mv-expand data_results_s\r\n| project ['Web Category'] = data_results_s.name", + "size": 3, + "title": "Web Categories", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Web Category", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Uncategorized", + "representation": "Normal", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Not Found", + "representation": "Unknown", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev3", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "sortOrderField": 2, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "maxWidth": "80" + } + } + ] + }, + "customWidth": "0", + "name": "group - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = 
column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_tld_risk_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"tld_risk\" \r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_matches = column_ifexists(\"data_matches_s\",\"\")\r\n| mv-expand todynamic(data_matches)\r\n| project data_matches\r\n| parse-kv data_matches as (confidence:string, popular:string, rare:string, score:string, score_label:string, tld:string) with (pair_delimiter=',', kv_delimiter=':',quote='\"')\r\n| where\r\n isnotempty(confidence) or\r\n isnotempty(popular) or\r\n isnotempty(rare) or\r\n isnotempty(score) or\r\n isnotempty(score_label) or\r\n isnotempty(tld)\r\n| project \r\n ['Score Label'] = score_label,\r\n Score = score,\r\n TLD = 
tld,\r\n Confidence = confidence,\r\n Popular = popular,\r\n Rare = rare\r\n\r\n", + "size": 3, + "title": "TLD Reputation", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Score Label", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High Risk", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Moderate Risk", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low Risk", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + }, + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + 
"durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"url\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Url = column_ifexists(\"url_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Url,\r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat 
Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "url" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"hash\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat 
Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 3 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_malware_analysis_v3_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"hash\" and params_source_s == \"malware_analysis_v3\"| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| extend data_info = column_ifexists(\"data_info_s\",\"\"), data_reason = column_ifexists(\"data_reason_s\",\"\"), Status = column_ifexists(\"status_s\",\"\")\r\n| where Status == \"error\"\r\n| project Information = data_info, Reason = data_reason", + "size": 3, + "title": "VirusTotal", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' 
and params_type_s ==\"hash\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Hash = column_ifexists(\"hash_s\",\"\"),\r\n HashType = column_ifexists(\"hash_type_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Hash,\r\n ['Hash Type'] = HashType,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "hash" + }, + { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 5 - Copy - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + 
"groupType": "editable", + "loadType": "always", + "items": [ + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 2 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"email\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\")\r\n| where todatetime(Expiration) >= now()\r\n| distinct ['Threat Property'] = Property", + "size": 3, + "title": "Threat Property", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Threat Property", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "Sev1", + "text": "{0}{1}" + } + ] + } + }, + "showBorder": true, + "size": "auto" + } + }, + "customWidth": "0", + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 6" + }, + { + "type": 1, + "content": { + "json": "---" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, params_source_s: string, params_target_s:string, params_type_s:string, task_id_g:string) [];\r\nunion isfuzzy=true 
dummy_table,\r\ndossier_atp_CL\r\n| where params_target_s == '{IOCValue}' and params_type_s ==\"email\" and params_source_s == \"atp\"\r\n| summarize arg_max(TimeGenerated,*) by params_target_s\r\n| join kind=inner (dossier_atp_threat_CL) on $left.task_id_g == $right.task_id_g\r\n| extend \r\n Email = column_ifexists(\"email_s\",\"\"),\r\n Host = column_ifexists(\"host_s\",\"\"),\r\n Domain = column_ifexists(\"domain_s\",\"\"),\r\n TLD = column_ifexists(\"tld_s\",\"\"),\r\n Profile = column_ifexists(\"profile_s\",\"\"),\r\n Property = column_ifexists(\"property_s\",\"\"),\r\n Class = column_ifexists(\"class_s\",\"\"),\r\n Confidence = column_ifexists(\"confidence_d\",\"\"),\r\n ThreatLevel = column_ifexists(\"threat_level_d\",\"\"),\r\n Detected = column_ifexists(\"detected_t\",\"\"),\r\n Received = column_ifexists(\"received_t\",\"\"),\r\n Imported = column_ifexists(\"imported_t\",\"\"),\r\n Expiration = column_ifexists(\"expiration_t\",\"\"),\r\n Up = column_ifexists(\"up_s\",\"\"),\r\n Dga = column_ifexists(\"dga_s\",\"\"),\r\n Notes = column_ifexists(\"extended_notes_s\",\"\")\r\n| project \r\n Email,\r\n Host,\r\n Domain,\r\n TLD,\r\n Profile,\r\n Property,\r\n Class,\r\n Confidence,\r\n ['Threat Level'] = ThreatLevel,\r\n Detected,\r\n Received,\r\n Imported,\r\n Expiration,\r\n Up,\r\n Dga,\r\n Notes", + "size": 0, + "showAnalytics": true, + "title": "Threat Details (ATP)", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + }, + "name": "query - 12", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "IOCType", + "comparison": "isEqualTo", + "value": "email" + }, + { + 
"parameterName": "dossier_status", + "comparison": "isEqualTo", + "value": "Click here to view the data" + } + ], + "name": "group - 6" + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "3" + }, + "name": "group - 2", + "styleSettings": { + "padding": "10px" + } + } + ], + "fromTemplateId": "sentinel-Infoblox | Infoblox Lookup Workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json new file mode 100644 index 00000000000..477109ffdd8 --- /dev/null +++ b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json 
@@ -0,0 +1,7394 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "370d206d-18b1-43d4-a170-71a4a12ba9b2", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "SOC Insights Overview", + "subTarget": "6", + "style": "link" + }, + { + "id": "63a011d0-c970-408d-b027-a8579848a6fd", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "Config Insights Overview", + "subTarget": "8", + "style": "link" + }, + { + "id": "f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "Blocked Traffic Overview", + "subTarget": "4", + "style": "link" + }, + { + "id": "d3af8e0b-806c-4f1f-b006-845c842bc2fc", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "DNS Overview", + "subTarget": "1", + "style": "link" + }, + { + "id": "dbd0c004-e0b4-446c-91cd-5a5af3f6e16e", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "DHCP Overview", + "subTarget": "2", + "style": "link" + }, + { + "id": "41df2b27-5f91-4a8b-adcb-e7997f86d6d6", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "Audit Log Overview", + "subTarget": "3", + "style": "link" + }, + { + "id": "4f1a6ec7-3d56-4f50-8045-34adbb8d92d0", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "Service Log Overview", + "subTarget": "5", + "style": "link" + }, + { + "id": "ffabdc7f-2cb7-40fc-a883-d82609bba051", + "cellValue": "Parameter", + "linkTarget": "parameter", + "linkLabel": "Threat Intelligence Overview", + "subTarget": "7", + "style": "link" + } + ] + }, + "name": "links - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "e1e015ea-e688-48be-ac2b-846fe98be48e", + "version": 
"KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "9f36e52f-3282-4976-9187-7b3f551d91e9", + "version": "KqlParameterItem/1.0", + "name": "User", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"DNS\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(SourceUserName)\r\n| distinct SourceUserName\r\n| sort by SourceUserName asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "4bf79012-0d96-4024-8cb6-0b9c0d9407ef", + "version": "KqlParameterItem/1.0", + "name": "HostName", + "label": "Host Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct 
== \"Data Connector\"\r\n and DeviceEventClassID has_cs \"DNS\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\n| distinct SourceHostName\r\n| sort by SourceHostName desc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "8b364f17-07f7-4403-8086-26bf36c92536", + "version": "KqlParameterItem/1.0", + "name": "Asset", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"DNS\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName)\r\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\n| distinct DeviceName\r\n| sort by DeviceName desc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "66255f50-472e-4295-8d64-6b9fa2e3c887", + "version": "KqlParameterItem/1.0", + "name": "SLD", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data 
Connector\"\r\n and DeviceEventClassID has_cs \"DNS\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\", SecondLevelDomain)\r\n| where isnotempty(SecondLevelDomain)\r\n| distinct SecondLevelDomain\r\n| order by SecondLevelDomain \r\n", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "f0a80c9f-a800-4958-b51c-4b38bfaf6624", + "version": "KqlParameterItem/1.0", + "name": "ResponseCode", + "label": "Response Code", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode)\r\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\n| distinct InfobloxDNSRCode\r\n| sort by InfobloxDNSRCode asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": 
"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3", + "version": "KqlParameterItem/1.0", + "name": "RecordType", + "label": "Record Type", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType)\r\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\n| distinct InfobloxDNSQType\r\n| sort by InfobloxDNSQType asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(DestinationDnsDomain)\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by DestinationDnsDomain\r\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\r\n| project ['Destination Dns Domain'], Count\r\n| sort by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Most Requested FQDNs", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "Destination Dns Domain", + "exportParameterName": "DestinationDnsDomain", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "Most Requested FQDNs", + "styleSettings": { + "margin": "5px", + "padding": "0", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'" + }, + "conditionalVisibility": { + "parameterName": "DestinationDnsDomain", + "comparison": "isEqualTo" + }, + "name": "text - 18", + "styleSettings": { + "margin": "5px" + } + } + ], + "exportParameters": true + }, + 
"customWidth": "50", + "name": "group - 20" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a", + "version": "KqlParameterItem/1.0", + "name": "TopDevices", + "type": 1, + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(DeviceName)\r\n| summarize Count = count() by DeviceName\r\n| top 10 by Count desc\r\n| summarize DeviceList = make_list(DeviceName)\r\n\r\n", + "timeContext": { + "durationMs": 1209600000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "102ee8fc-7658-4bca-82f3-54ed66d2ba9d", + "version": "KqlParameterItem/1.0", + "name": "TopMAC", + "type": 1, + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\" and DestinationDnsDomain == 
('{DestinationDnsDomain}') \r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(SourceMACAddress)\r\n| summarize Count = count() by SourceMACAddress\r\n| top 10 by Count desc\r\n| summarize DeviceList = make_list(SourceMACAddress)\r\n\r\n", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "4c59d86e-9130-41a4-ba95-4e7974e4de06", + "version": "KqlParameterItem/1.0", + "name": "FirstDevice", + "type": 1, + "query": "print (todynamic('{TopDevices}')[0])", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "0f1d8907-d375-4db8-a5c9-f9d7390d8f7f", + "version": "KqlParameterItem/1.0", + "name": "SecondDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[1]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "bd2a1987-e9ba-42ac-9856-a8c781ebb332", + 
"version": "KqlParameterItem/1.0", + "name": "ThirdDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[2]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "04910ee0-5aa4-4897-82d6-15167ad50e01", + "version": "KqlParameterItem/1.0", + "name": "FourthDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[3]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f", + "version": "KqlParameterItem/1.0", + "name": "FifthDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[4]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "5619aab8-f9b6-4218-9315-c6741facf4eb", + "version": "KqlParameterItem/1.0", + "name": "SixthDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[5]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f", + "version": "KqlParameterItem/1.0", + "name": "SeventhDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[6]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "1a2455e4-36ec-46c9-bb3f-395ff1186abb", + "version": "KqlParameterItem/1.0", + "name": "EightDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[7]", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + { + "id": "72b22373-007c-4d10-bbdd-bdac49ea666c", + "version": "KqlParameterItem/1.0", + "name": "NinethDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[8]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "eb44f209-d53b-488f-8275-05294b57b1c6", + "version": "KqlParameterItem/1.0", + "name": "TenthDevice", + "type": 1, + "query": "print todynamic('{TopDevices}')[9]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "bb6a7aa4-0cf3-49d4-9649-179f6d60af71", + "version": "KqlParameterItem/1.0", + "name": "FirstMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[0]", + "timeContext": { + "durationMs": 2592000000 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "571e7afc-50fc-4f35-a7cf-c1d23a00effe", + "version": "KqlParameterItem/1.0", + "name": "SecondMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[1]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "00dca50c-6034-4a97-b1b0-da773ed535e7", + "version": "KqlParameterItem/1.0", + "name": "ThirdMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[2]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "05752a54-7398-4373-9d67-bc5ce96c32a1", + "version": "KqlParameterItem/1.0", + "name": "FourthMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[3]", + "timeContext": { + "durationMs": 0 + }, + 
"timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "42233555-d975-4e88-b62e-2a53e728ae38", + "version": "KqlParameterItem/1.0", + "name": "FifthMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[4]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "3a0eea52-845c-4347-b01b-6f4531de2d5c", + "version": "KqlParameterItem/1.0", + "name": "SixthMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[5]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "29854b31-e4cd-4157-94d4-c0c3fef6f9a2", + "version": "KqlParameterItem/1.0", + "name": "SeventhMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[6]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "959fdc81-126b-44f9-8a82-753bc8d5bebd", + "version": "KqlParameterItem/1.0", + "name": "EightMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[7]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "78b51494-7bb5-4a7d-ab01-67483568319d", + "version": "KqlParameterItem/1.0", + "name": "NinethMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[8]", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "b66ac0ed-09b2-49e1-bead-88c1a1145f70", + "version": "KqlParameterItem/1.0", + "name": "TenthMAC", + "type": 1, + "query": "print todynamic('{TopMAC}')[9]", + 
"timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Hide", + "comparison": "isNotEqualTo" + }, + "name": "parameters - 18" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Top 10 Devices for Domain : {DestinationDnsDomain}", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{FirstDevice}')\r\n| summarize Count = count() by SourceIP\r\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {FirstDevice} , MAC : {FirstMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "FirstDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 18", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{SecondDevice}') \r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {SecondDevice} , MAC : {SecondMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": null, + "showMetrics": false, + "showLegend": true, + 
"ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SecondDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{ThirdDevice}') \r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {ThirdDevice} , MAC : {ThirdMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "ThirdDevice", + "comparison": 
"isNotEqualTo" + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{FourthDevice}') \r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {FourthDevice} , MAC : {FourthMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "FourthDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and 
DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{FifthDevice}') \r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {FifthDevice} , MAC : {FifthMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "FifthDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), 
DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{SixthDevice}') \r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", + "size": 4, + "showAnalytics": true, + "title": "Device : {SixthDevice} , MAC : {SixthMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SixthDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') 
== \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{SeventhDevice}') \r\n| summarize Count = count() by SourceIP", + "size": 4, + "showAnalytics": true, + "title": "Device : {SeventhDevice} , MAC : {SeventhMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SeventhDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or 
InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{EightDevice}') \r\n| summarize Count = count() by SourceIP", + "size": 4, + "showAnalytics": true, + "title": "Device : {EightDevice} , MAC : {EightMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "EightDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{NinethDevice}') \r\n| summarize Count = count() by SourceIP", + "size": 4, + "showAnalytics": true, + "title": "Device : {NinethDevice} , MAC : {NinethMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "NinethDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand DeviceName == ('{TenthDevice}') \r\n| summarize Count = count() by SourceIP", + "size": 4, + "showAnalytics": true, + "title": "Device : {TenthDevice} , MAC : {TenthMAC}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "TenthDevice", + "comparison": "isNotEqualTo" + }, + "name": "query - 9", + "styleSettings": { + "showBorder": true + } + } + ] + }, + 
"conditionalVisibility": { + "parameterName": "DestinationDnsDomain", + "comparison": "isNotEqualTo" + }, + "name": "group - 19" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(SourceUserName)\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD})) \r\n| project-rename User = SourceUserName\r\n| summarize Count = count() by User\r\n| project User, Count\r\n| sort by Count desc", + "size": 0, + "showAnalytics": true, + "title": "DNS Requests Count by Users", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "User", + "exportParameterName": "SourceUserName", + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue", + "compositeBarSettings": { + "labelText": "", + "columnSettings": [] + } + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "Top Users", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'" + }, + "conditionalVisibility": { + "parameterName": "SourceUserName", + "comparison": "isEqualTo" + }, + "name": "text - 19", + "styleSettings": { + "margin": "5px" + } + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 19" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\r\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \r\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \r\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{HostName:escapjson}') == 
\"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand SourceUserName == ('{SourceUserName}')\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\r\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS 
Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']", + "size": 0, + "showAnalytics": true, + "title": "Overall DNS Requests made by User : {SourceUserName}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Log Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "SourceUserName", + "comparison": "isNotEqualTo" + }, + "name": "query - 15", 
+ "styleSettings": { + "margin": "5px", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\" \r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand SourceUserName == ('{SourceUserName}')\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by DestinationDnsDomain\r\n| top 10 by Count", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Requested Domains by User : {SourceUserName}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "tileSettings": { + "showBorder": 
false, + "titleContent": { + "columnMatch": "DestinationDnsDomain", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "group": "DestinationDnsDomain", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "SourceUserName", + "comparison": "isNotEqualTo" + }, + "name": "query - 8", + "styleSettings": { + "margin": "5px", + "padding": "68px", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(InfobloxDNSRCode)\r\n| extend DestinationDnsDomain_ = 
trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize count() by InfobloxDNSRCode", + "size": 3, + "showAnalytics": true, + "title": "Response Types", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "Response_Type", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "rowLimit": 10000 + }, + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "100", + "name": "query - 9", + "styleSettings": { + "margin": "5px", + "padding": "68px", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\r\n" + }, + "conditionalVisibility": { + "parameterName": "Response_Type", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\r\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\r\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\r\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand InfobloxDNSRCode == ('{Response_Type}')\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = 
DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\r\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']", + "size": 0, + "showAnalytics": true, + "title": "{Response_Type} DNS Requests", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Log Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + 
"representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Response_Type", + "comparison": "isNotEqualTo" + }, + "name": "query - 16", + "styleSettings": { + "padding": "17px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand InfobloxDNSRCode == ('{Response_Type}')\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by DeviceName\r\n| 
top 20 by Count\r\n", + "size": 3, + "showAnalytics": true, + "title": "Top 20 Devices for {Response_Type} DNS Request", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 20, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Response_Type", + "comparison": "isNotEqualTo" + }, + "name": "query - 17", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(InfobloxDNSQType)\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or 
SecondLevelDomain in~ ({SLD}))\r\n| summarize count() by InfobloxDNSQType\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Query Types", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 10", + "styleSettings": { + "margin": "5px", + "padding": "68px", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(InfobloxDNSRCode)\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend 
SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| sort by TimeGenerated asc\r\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode", + "size": 0, + "title": "Overall Queries Per Hour", + "timeContext": { + "durationMs": 86400000 + }, + "exportFieldName": "x", + "exportParameterName": "QPS_Time", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "showLegend": true, + "showDataPoints": true, + "xSettings": { + "label": "Time" + } + } + }, + "customWidth": "100", + "name": "query - 11", + "styleSettings": { + "margin": "5px", + "padding": "18px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'" + }, + "conditionalVisibility": { + "parameterName": "QPS_Time", + "comparison": "isEqualTo" + }, + "name": "text - 20", + "styleSettings": { + "margin": "5px" + } + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 21" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Gridtimestring = tostring('{QPS_Time}');\r\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \" \"), indexof(Gridtimestring, \"GMT\") - 1 - indexof(Gridtimestring, \" \"))) -5h - 30m;\r\n\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\" \r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), 
DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(InfobloxDNSRCode)\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\r\n| sort by TimeGenerated asc\r\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode", + "size": 0, + "showAnalytics": true, + "title": "Overall Queries Per Minute", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "gridSettings": { + "rowLimit": 10000 + }, + "sortBy": [], + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Count", + "color": "blueDark" + } + ] + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "QPS_Time", + "comparison": "isNotEqualTo" + }, + "name": "query - 13", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Gridtimestring = tostring('{QPS_Time}');\r\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \" \"), indexof(Gridtimestring, \"GMT\") - 1 - 
indexof(Gridtimestring, \" \"))) -5h - 30m;\r\n\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand isnotempty(InfobloxDNSQType)\r\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by DeviceName", + "size": 3, + "showAnalytics": true, + "title": "Overall Query by Devices per hour", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "QPS_Time", + "comparison": "isNotEqualTo" + }, + "name": "query - 17", + "styleSettings": { + "padding": "52px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\r\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\r\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\r\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName), InfobloxDNSRCode = trim(@\"\\s\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), DestinationDnsDomain = trim(@\"\\s\", DestinationDnsDomain), SourceHostName = trim(@\"\\s\", 
SourceHostName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand (('{RecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({RecordType}))\r\nand (('{ResponseCode:escapjson}') == \"*\" or InfobloxDNSRCode in~ ({ResponseCode}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\r\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], 
['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']", + "size": 0, + "showAnalytics": true, + "title": "DNS Requests", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Log Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxAnCount", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "yellowGreenBlue" + } + 
}, + { + "columnMatch": "InfobloxNsCount", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "yellowOrangeBrown" + } + }, + { + "columnMatch": "InfobloxArCount", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "SourceUserName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "!=", + "representation": "brown", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 14", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 15" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "1" + }, + "name": "Main Group", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\r\nPlease configure this logic app first and keep it enabled in order to use this workbook.", + "style": "info" + }, + "name": "text - 15" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "4abe4038-7e69-4b2c-9ec2-e1f9311e96be", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "379d941d-6191-494d-b518-caf9e0d8ce55", + "version": "KqlParameterItem/1.0", + "name": "DHCPServer", + "label": "DHCP Server", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID)\r\n| where isnotempty(InfobloxHostID) \r\n| distinct InfobloxHostID\r\n| sort by InfobloxHostID asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 
0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "68911f86-d896-407d-9a0b-07934f997037", + "version": "KqlParameterItem/1.0", + "name": "HostName", + "label": "Host Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID has_cs \"DHCP\" \r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend SourceHostName = trim(@\"\\s\", SourceHostName), InfobloxHostID = trim(@\"\\s\", InfobloxHostID)\r\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer}))\r\n| distinct SourceHostName\r\n| sort by SourceHostName asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "c5628a47-4153-4808-a618-9a06d560428b", + "version": "KqlParameterItem/1.0", + "name": "MAC", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" and DeviceProduct == \"Data Connector\" and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend SourceMACAddress = trim(@\"\\s\", SourceMACAddress), InfobloxHostID = 
trim(@\"\\s\", InfobloxHostID)\r\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer}))\r\n| distinct SourceMACAddress\r\n| sort by SourceMACAddress asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "053f6da7-3bb9-4f9f-9bc5-ec09a9723f52", + "version": "KqlParameterItem/1.0", + "name": "IP_Space", + "label": "IP Space", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where isnotempty(name_s)\r\n| distinct name_s\r\n| order by name_s asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID == \"DHCP-LEASE-DELETE\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize dcount(SourceIP)", + "size": 3, + "showAnalytics": true, + "title": "Released DHCP Leases (Unique IPs)", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "rowLimit": 200, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dcount_SourceIP", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "green" + } + 
}, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Released DHCP Leases (Unique IPs)", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID == \"DHCP-LEASE-DELETE\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize count()", + "size": 3, + "showAnalytics": true, + "title": "Released DHCP Leases", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "rowLimit": 200, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": 
{ + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Released DHCP Leases", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID in (\"DHCP-LEASE-CREATE\", \"DHCP-LEASE-UPDATE\")\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize dcount(SourceIP)", + "size": 3, + "showAnalytics": true, + "title": "New / Updated DHCP Leases (Unique IPs)", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "rowLimit": 200, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": 
{ + "columnMatch": "dcount_SourceIP", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "magenta" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Updated DHCP Leases (Unique IPs)", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\" \r\n and DeviceEventClassID in (\"DHCP-LEASE-CREATE\", \"DHCP-LEASE-UPDATE\")\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize count()", + "size": 3, + "showAnalytics": true, + "title": "New / Updated DHCP Leases ", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "gridSettings": { + "rowLimit": 200, + "sortBy": [ + { + "itemKey": "InfobloxThreatLevel", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": 
"InfobloxThreatLevel", + "sortOrder": 1 + } + ], + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "greenDark" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Updated DHCP Leases ", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp", + "size": 0, + "showAnalytics": true, + "title": "DHCP Leases over Time", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart", + 
"chartSettings": { + "showLegend": true + } + }, + "name": "query - 7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName})) \r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| extend InfobloxLeaseOp = trim(@\"\\s\", InfobloxLeaseOp)\r\n| where isnotempty(InfobloxLeaseOp)\r\n| summarize count() by InfobloxLeaseOp", + "size": 3, + "showAnalytics": true, + "title": "DHCP Activity Summary", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "Lease", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": 
"100", + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "padding": "51px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'" + }, + "conditionalVisibility": { + "parameterName": "Lease", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\" \r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand isnotempty(SourceMACAddress)\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize Count = count() by SourceMACAddress\r\n| top 10 by Count desc", + "size": 3, + "showAnalytics": true, + "title": "Top 10 MAC Address", + "showRefreshButton": true, + 
"exportFieldName": "series", + "exportParameterName": "Pie_MAC", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "100", + "name": "query - 6", + "styleSettings": { + "padding": "53px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'" + }, + "conditionalVisibility": { + "parameterName": "Pie_MAC", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 15" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\r\nInfobloxRangeStart: string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\r\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\r\nInfobloxFingerprint: string ) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName),\r\nSourceMACAddress = trim(@\"\\s\", SourceMACAddress), InfobloxLeaseOp = trim(@\"\\s\", InfobloxLeaseOp)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or 
SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName})) \r\nand InfobloxLeaseOp == ('{Lease}')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\"\\s\", InfobloxLeaseOp))\r\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\r\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint", + "size": 0, + "showAnalytics": true, + "title": "DHCP Lease for Activity : {Lease}", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "100", + "conditionalVisibility": { + "parameterName": "Lease", + "comparison": 
"isNotEqualTo" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\" \r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand SourceMACAddress == ('{Pie_MAC}')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\r\n", + "size": 0, + "showAnalytics": true, + "title": "Source IPs for MAC : {Pie_MAC}", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "showLegend": true + } + }, + "conditionalVisibility": { + "parameterName": "Pie_MAC", + "comparison": "isNotEqualTo" + }, + "name": "query - 14", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", 
+ "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\" \r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName),\r\nSourceMACAddress = trim(@\"\\s\", SourceMACAddress), SourceIP = trim(@\"\\s\", SourceIP)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\nand isnotempty(SourceIP)\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize Count=count() by SourceIP\r\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top 10 IP Addresses", + "showRefreshButton": true, + "exportFieldName": "SourceIP", + "exportParameterName": "SourceIP", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "name": "query - 3", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Top 10 IP Addresses' grid to see 'Host for IP'" + }, + "conditionalVisibility": 
{ + "parameterName": "SourceIP", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName),\r\nSourceMACAddress = trim(@\"\\s\", SourceMACAddress), SourceIP = trim(@\"\\s\", SourceIP)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName})) \r\nand SourceIP == ('{SourceIP}')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| summarize Count = count() by SourceHostName", + "size": 3, + "showAnalytics": true, + "title": "Host for IP : {SourceIP}", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": "query - 6", + 
"styleSettings": { + "padding": "52px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\" \r\nand DeviceProduct == \"Data Connector\" \r\nand DeviceEventClassID has_cs \"DHCP\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\r\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\r\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend InfobloxHostID = trim(@\"\\s\", InfobloxHostID), SourceHostName = trim(@\"\\s\", SourceHostName), SourceMACAddress = trim(@\"\\s\", SourceMACAddress)\r\n| where (('{DHCPServer:escapjson}') == \"*\" or InfobloxHostID in~ ({DHCPServer})) \r\nand (('{MAC:escapjson}') == \"*\" or SourceMACAddress in~ ({MAC})) \r\nand (('{HostName:escapjson}') == \"*\" or SourceHostName in~ ({HostName}))\r\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \r\n| extend name_s = trim(@\"\\s\", name_s)\r\n| where (('{IP_Space:escapjson}') == \"*\" or name_s in~ ({IP_Space}))\r\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, 
['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\r\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint", + "size": 0, + "showAnalytics": true, + "title": "DHCP Lease", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "LogSeverity", + "formatter": 4, + "formatOptions": { + "palette": "yellowOrangeRed" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 0", + "styleSettings": { + "margin": "5", + "padding": "5", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 14" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "2" + }, + "name": "group - 5", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "82320096-33a6-4d48-b64f-2c90aa564ed4", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + 
"durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "00756d7d-b074-42e5-996e-4ffa6487606f", + "version": "KqlParameterItem/1.0", + "name": "UserName", + "label": "User", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(SourceUserName)\r\n| distinct SourceUserName\r\n| sort by SourceUserName asc\r\n", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 1209600000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "3d2f3549-f5c5-4496-a013-f9b306321c75", + "version": "KqlParameterItem/1.0", + "name": "Action", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \"*\" or SourceUserName in~ ({UserName}))\r\n| distinct DeviceAction\r\n| sort by DeviceAction asc", + "typeSettings": { + 
"additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 1209600000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where isnotempty(DeviceAction)\r\n| where (('{UserName:escapjson}') == \"*\" or SourceUserName in~ ({UserName})) \r\nand (('{Action:escapjson}') == \"*\" or DeviceAction in~ ({Action}))\r\n| project-rename Action = DeviceAction\r\n| summarize Count = count() by Action\r\n", + "size": 0, + "showAnalytics": true, + "title": "Types of Actions", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "bar_Action", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "showBorder": false, + 
"titleContent": { + "columnMatch": "Action", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Action", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'" + }, + "conditionalVisibility": { + "parameterName": "bar_Action", + "comparison": "isEqualTo" + }, + "name": "text - 4" + } + ], + "exportParameters": true + }, + "name": "group - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where isnotempty(SourceUserName)\r\nand DeviceAction == ('{bar_Action}')\r\nand (('{UserName:escapjson}') == \"*\" or SourceUserName in~ ({UserName}))\r\n| project-rename User = SourceUserName, Action = DeviceAction\r\n| summarize Count = count() by User\r\n| top 10 by Count desc", + "size": 3, + "showAnalytics": true, + "title": "Top 10 User for Action : {bar_Action}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "Pie_user", + "showExportToExcel": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "100", + "conditionalVisibility": { + "parameterName": "bar_Action", + "comparison": "isNotEqualTo" + }, + "name": "query - 4", + "styleSettings": { + "margin": "5px", + "padding": "70px", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'" + }, + "conditionalVisibility": { + "parameterName": "Pie_user", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "bar_Action", + "comparison": "isNotEqualTo" + }, + "name": "group - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\" \r\n and DeviceAction == ('{bar_Action}')\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\r\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \r\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \r\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \r\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where (('{UserName:escapjson}') == \"*\" or SourceUserName in~ ({UserName}))\r\n| 
project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\r\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']", + "size": 0, + "showAnalytics": true, + "title": "Audit Logs for Action : {bar_Action}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "bar_Action", + "comparison": "isNotEqualTo" + }, + "name": "query - 3", + "styleSettings": { + "margin": "5px", + "maxWidth": "50", + "showBorder": true + } + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\" \r\n and DeviceAction == ('{bar_Action}')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\r\n| summarize Count = count() by SourceIP\r\n| top 10 by Count desc", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Source IP for User : {Pie_user}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Pie_user", + "comparison": "isNotEqualTo" + }, + "name": "query - 5", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"Audit\"\r\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\r\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\r\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\r\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\r\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\"=\", pair_delimiter=\";\")\r\n| extend 
SourceUserName = trim(@\"\\s\", SourceUserName), DeviceAction = trim(@\"\\s\", DeviceAction)\r\n| where (('{UserName:escapjson}') == \"*\" or SourceUserName in~ ({UserName})) \r\n and (('{Action:escapjson}') == \"*\" or DeviceAction in~ ({Action}))\r\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\r\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']", + "size": 0, + "showAnalytics": true, + "title": "Audit Logs", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "LogSeverity", + "formatter": 4, + "formatOptions": { + "palette": 
"yellowOrangeRed" + } + } + ], + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 6" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "3" + }, + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "daee0513-3b57-4c4d-9052-7a92094a4036", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + }, + "label": "Time Range" + }, + { + "id": "9f36e52f-3282-4976-9187-7b3f551d91e9", + "version": "KqlParameterItem/1.0", + "name": "User", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with 
(pair_delimiter=';', kv_delimiter='=')\r\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \"Block\"\r\n| summarize arg_max(TimeGenerated,*) by SourceUserName\r\n| distinct SourceUserName\r\n| sort by SourceUserName asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "8b364f17-07f7-4403-8086-26bf36c92536", + "version": "KqlParameterItem/1.0", + "name": "Asset", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| extend DeviceName = trim(@\"\\s\", DeviceName)\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend DeviceName = trim(@\"\\s\", DeviceName), SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \"Block\"\r\n| distinct DeviceName\r\n| sort by DeviceName desc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "cf61f3a4-fe90-4244-b94b-4aedc1210af9", + "version": "KqlParameterItem/1.0", + "name": "Location", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + 
"delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend Location = trim(@\"\\s\", InfobloxB1Region), SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(Location) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| distinct Location\r\n| sort by Location asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b", + "version": "KqlParameterItem/1.0", + "name": "SLD", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where isnotempty(SecondLevelDomain)\r\n| distinct SecondLevelDomain\r\n| order by 
SecondLevelDomain", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "aeb144ce-64b1-45ba-85d9-f0a2da9a69d3", + "version": "KqlParameterItem/1.0", + "name": "DNSRecordType", + "label": "DNS Record Type", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and DeviceEventClassID has_cs \"DNS\"\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \"Block\"\r\n| distinct InfobloxDNSQType\r\n| order by InfobloxDNSQType asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "f67927b9-00eb-4a45-b9d0-4bde9ac74d86", + "version": "KqlParameterItem/1.0", + "name": "PolicyName", + "label": "Policy Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\" \r\n and DeviceProduct == \"Data Connector\" \r\n and 
DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName), SourceUserName = trim(@\"\\s\", SourceUserName)\r\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \"Block\"\r\n| distinct InfobloxB1PolicyName\r\n| sort by InfobloxB1PolicyName asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\r\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName 
in~ ({Asset}))\r\nand (('{Location:escapjson}') == \"*\" or InfobloxB1Region in~ ({Location}))\r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand isnotempty(SourceUserName) \r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by User = SourceUserName\r\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top 10 Compromised Users", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 0 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "33", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), InfobloxB1PolicyName = 
trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType}))\r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset}))\r\nand (('{Location:escapjson}') == \"*\" or InfobloxB1Region in~ ({Location}))\r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand isnotempty(DestinationDnsDomain)\r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by DestinationDnsDomain\r\n| top 10 by Count", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Blocked Domains", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "padding": "49px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, 
InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User}))\r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType})) \r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset})) \r\nand (('{Location:escapjson}') == \"*\" or InfobloxB1Region in~ ({Location})) \r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by InfobloxRPZ\r\n| top 10 by Count", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Feeds, Filters", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 8", + "styleSettings": { + "padding": "52px", + "showBorder": 
true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\" \r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) \r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType})) \r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset})) \r\nand (('{Location:escapjson}') == \"*\" or InfobloxB1Region in~ ({Location})) \r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand isnotempty(DeviceName) \r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| summarize Count = count() by Asset = DeviceName\r\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top 10 Compromised Assets", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "Asset", + "exportParameterName": "DeviceName", + "showExportToExcel": 
true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "100", + "name": "query - 0", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'" + }, + "conditionalVisibility": { + "parameterName": "DeviceName", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\r\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\r\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\r\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) \r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType})) \r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset})) \r\nand (('{Location:escapjson}') == \"*\" or 
InfobloxB1Region in~ ({Location})) \r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand DeviceName == ('{DeviceName}')\r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\r\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\r\n", + "size": 0, + "showAnalytics": true, + "title": "Overall Asset : {DeviceName} Details ", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, 
+ { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Threat Level", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "80", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "<=", + "thresholdValue": "29", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "DeviceName", + "comparison": "isNotEqualTo" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"RPZ\"\r\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\r\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\r\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\r\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend SourceUserName = trim(@\"\\s\", SourceUserName), DeviceName = trim(@\"\\s\", DeviceName),\r\n Location = trim(@\"\\s\", InfobloxB1Region), DestinationDnsDomain = trim(@\"\\s\",DestinationDnsDomain),\r\n InfobloxDNSQType = trim(@\"\\s\", InfobloxDNSQType), 
InfobloxB1PolicyName = trim(@\"\\s\",InfobloxB1PolicyName)\r\n| where (('{User:escapjson}') == \"*\" or SourceUserName in~ ({User})) \r\nand (('{DNSRecordType:escapjson}') == \"*\" or InfobloxDNSQType in~ ({DNSRecordType})) \r\nand (('{Asset:escapjson}') == \"*\" or DeviceName in~ ({Asset})) \r\nand (('{Location:escapjson}') == \"*\" or InfobloxB1Region in~ ({Location})) \r\nand (('{PolicyName:escapjson}') == \"*\" or InfobloxB1PolicyName in~ ({PolicyName}))\r\nand InfobloxB1PolicyAction contains \"Block\"\r\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\r\n| extend domains = split(DestinationDnsDomain_,'.')\r\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\r\n| extend SecondLevelDomain = trim(@\"\\s\",SecondLevelDomain)\r\n| where (('{SLD:escapjson}') == \"*\" or SecondLevelDomain in~ ({SLD}))\r\n| order by TimeGenerated\r\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\r\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']", + "size": 0, + "showAnalytics": true, + "title": "Blocked DNS Requests", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<=", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "5", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "8", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Threat Level", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "80", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "<=", + "thresholdValue": "29", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Blocked", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "green", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": 
"orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 7" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "4" + }, + "name": "group - 4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic apps which are deployed with the Microsoft Sentinel Solution.
\r\nPlease configure this logic apps first and keep enabled in order to use this workbook.", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "19baf045-4606-49d8-8cb7-ef3ee9fed69a", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "af60a861-3c2f-42a5-9045-295348fa5ac6", + "version": "KqlParameterItem/1.0", + "name": "ServiceName", + "label": "Service Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"Service\"\r\n and isnotempty(AdditionalExtensions)\r\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\r\n| extend name_s = 
trim(@\"\\s\", name_s)\r\n| where isnotempty(name_s)\r\n| distinct name_s\r\n| order by name_s asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + }, + { + "id": "796c7544-d2ff-42c6-a5c4-816298e72782", + "version": "KqlParameterItem/1.0", + "name": "HostName", + "label": "Host Name", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"Service\"\r\n and isnotempty(AdditionalExtensions)\r\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\r\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\r\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\r\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\r\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\r\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\r\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on 
$left.HostID == $right.ophid_g\r\n| extend HostName = trim(@\"\\s\", display_name_s), name_s = trim(@\"\\s\", name_s)\r\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \"*\" or name_s in~ ({ServiceName}))\r\n| distinct HostName\r\n| order by HostName asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\r\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\r\nCommonSecurityLog\r\n| where TimeGenerated {TimeRange:value}\r\n and DeviceVendor == \"Infoblox\"\r\n and DeviceProduct == \"Data Connector\"\r\n and DeviceEventClassID has_cs \"Service\"\r\n and isnotempty(AdditionalExtensions)\r\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\r\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\r\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\r\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\r\n| extend InfobloxLogName = split(InfobloxLogName, '/')\r\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\r\n LogSeverityProcess = tostring(InfobloxLogName[1]),\r\n Message = split(iif(isempty(Message), msg , Message), '\"')[1]\r\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\r\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', 
kv_delimiter='=')\r\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\r\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\r\n| extend ['Service Name'] = trim(@\"\\s\", name_s), ['Host Name'] = trim(@\"\\s\", display_name_s), ['Process Name'] = trim(@\"\\s\",Process)\r\n| where ('{ServiceName:escapejson}' == \"*\" or ['Service Name'] in~ ({ServiceName}))\r\nand ('{HostName:escapejson}' == \"*\" or ['Host Name'] in~ ({HostName}))\r\n| project-rename ['Date Time'] = TimeGenerated\r\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message", + "size": 0, + "showAnalytics": true, + "title": "Service Log Data", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "5" + }, + "name": "group - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.", + "style": 
"info" + }, + "name": "text - 15", + "styleSettings": { + "padding": "0 0 20px 0" + } + }, + { + "type": 1, + "content": { + "json": "# Infoblox SOC Insights Workbook\r\n\r\n##### Get a closer look at your Infoblox SOC Insights. \r\n\r\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\r\n\r\n---\r\n" + }, + "name": "text - 3", + "styleSettings": { + "margin": "0 0 20px 0" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\r\nunion isfuzzy=true dummy_table,\r\nInfobloxInsight\r\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\r\n| extend isConfigIssue = iff((ThreatClass has_cs (\"CONFIGURATIONISSUE\")), \"Configuration\", \"Threats\")\r\n| summarize count() by isConfigIssue", + "size": 3, + "title": "Insight Types", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "MEDIUM", + "color": "orange" + }, + { + "seriesName": "CRITICAL", + "color": "pink" + }, + { + "seriesName": "INFO", + "color": "blue" + }, + { + "seriesName": "LOW", + "color": "yellow" + }, + { + "seriesName": "HIGH", + "color": "red" + } + ] + } + }, + "customWidth": "50", + "name": "Insight Types" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let 
dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\r\nunion isfuzzy=true dummy_table,\r\nInfobloxInsight\r\n| summarize dcount(InfobloxInsightID) by Priority", + "size": 3, + "title": "Priority", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "MEDIUM", + "color": "orange" + }, + { + "seriesName": "CRITICAL", + "color": "purple" + }, + { + "seriesName": "INFO", + "color": "blue" + }, + { + "seriesName": "LOW", + "color": "yellow" + }, + { + "seriesName": "HIGH", + "color": "red" + }, + { + "seriesName": "N/A", + "color": "gray" + } + ] + } + }, + "customWidth": "50", + "name": "Priority" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\r\nunion isfuzzy=true dummy_table,\r\nInfobloxInsight\r\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\r\n| summarize count() by ThreatProperty", + "size": 3, + "title": "Threat Families", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "MEDIUM", + "color": "orange" + }, + { + "seriesName": "CRITICAL", + "color": "pink" + }, + { + "seriesName": "INFO", + "color": "blue" + }, + { + "seriesName": "LOW", + "color": "yellow" + }, + { + "seriesName": "HIGH", + "color": "red" + } + ] + } + }, + "customWidth": "50", + "name": "Threat Families" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\r\nunion isfuzzy=true dummy_table,\r\nInfobloxInsight\r\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\r\n| summarize count() by ThreatType", + "size": 3, + "title": "Threat Classes", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "Threat Classes" + } + ] + }, + "name": "Overall" + }, + { + "type": 1, + "content": { + "json": "## Using this Workbook\r\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\r\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\r\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\r\n\r\nYou can use one or both at the same time, but beware of duplicate data!\r\n\r\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\r\n\r\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. 
If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\r\n\r\n## Run playbooks directly from this workbook!\r\n\r\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\r\n\r\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \r\n\r\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\r\n\r\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \r\n\r\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\r\n\r\n**You can rerun playbooks on Insights** that already contain data to get the most recent. 
", + "style": "upsell" + }, + "name": "text - 15", + "styleSettings": { + "padding": "0 0 5px 0" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "e8613f2c-08c6-49e6-a2c6-e12d185c6bd3", + "version": "KqlParameterItem/1.0", + "name": "ResourceTypes", + "label": "Resource Types", + "type": 7, + "description": "This parameter must be set to Logic app.", + "isRequired": true, + "isGlobal": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "isHiddenWhenLocked": true, + "typeSettings": { + "includeAll": true, + "showDefault": false + }, + "value": [ + "microsoft.logic/workflows" + ] + }, + { + "id": "4a15b858-69b6-4198-abfd-6af5f187d813", + "version": "KqlParameterItem/1.0", + "name": "SentinelResourceGroup", + "label": "Incidents Resource Group", + "type": 2, + "isRequired": true, + "isGlobal": true, + "query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project resourceGroup", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "7783c2b4-a6e6-4117-92ec-a9a751f01465", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "isGlobal": true, + "query": "where type =~ \"microsoft.operationalinsights/workspaces\"\r\n| where resourceGroup =~ \"{SentinelResourceGroup}\"", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": "" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": 
"microsoft.resourcegraph/resources" + }, + "name": "parameters - 1 - Copy" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "0a92b010-8b48-4601-872f-83e13561b088", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "63c75027-cc56-4958-9296-e0c986ab11e0", + "version": "KqlParameterItem/1.0", + "name": "PlaybookResourceGroup", + "label": "Playbook Resource Group", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| where type in~ ({ResourceTypes})\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project resourceGroup", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb", + "version": "KqlParameterItem/1.0", + "name": "TenantID", + "label": "Tenant ID", + "type": 1, + "isRequired": true, + "value": "" + }, + { + "id": "e1ea6f58-cd1b-4807-a7de-7da91b787bd4", + "version": "KqlParameterItem/1.0", + "name": "PlaybookName", + "label": "Playbook", + "type": 5, + "description": "Set the playbook to run when clicking on the \"Run Playbook\" in the SOC Insight Incidents table below.", + "isRequired": true, + "query": "Resources\r\n| where type in~({ResourceTypes})\r\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', 
resourceGroup)\r\n| where resourceGroup =~ \"{PlaybookResourceGroup}\"// or '*' in~({PlaybookResourceGroup})\r\n| order by name asc\r\n| extend Rank = row_number()\r\n| project label = tostring(name)", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": "Infoblox-SOC-Get-Insight-Details" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 0 - Copy" + }, + { + "type": 1, + "content": { + "json": "#### Click on **SOC Insight Incident** below to view more information.", + "style": "upsell" + }, + "name": "text - 15", + "styleSettings": { + "padding": "15px 0 0 0" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "103f5c4e-6007-46c3-88ed-74fdb7843acc", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + } + ] + }, + "value": { + "durationMs": 2592000000 + } + }, + { + "id": "7c4c6733-a2d8-40b1-abf5-7f2d777e814c", + "version": "KqlParameterItem/1.0", + "name": "SelectPriority", + "label": "Priority", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "jsonData": "[\r\n { 
\"value\":\"N/A\"},\r\n { \"value\":\"INFO\"},\r\n { \"value\":\"LOW\"},\r\n { \"value\":\"MEDIUM\"},\r\n { \"value\":\"HIGH\"},\r\n { \"value\":\"CRITICAL\"}\r\n]", + "defaultValue": "value::all", + "value": [ + "value::all" + ] + }, + { + "id": "3e3ee805-c983-480e-9c10-49a47be4ddc6", + "version": "KqlParameterItem/1.0", + "name": "Status", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityIncident\r\n| where CreatedTime {TimeRange:value}\r\n| distinct Status\r\n| sort by Status asc", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d", + "version": "KqlParameterItem/1.0", + "name": "Owner", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "SecurityIncident\r\n| where CreatedTime {TimeRange:value}\r\n| where Status in ({Status})\r\n| project Owner=tostring(Owner.userPrincipalName)\r\n| sort by Owner asc\r\n| extend Owner = iff(isnotempty( Owner), Owner, \"Unassigned\")\r\n| distinct Owner", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 19 - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let x =\r\nSecurityIncident\r\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\r\n| extend IncidentID = IncidentName\r\n| extend IncidentNumber = toint(IncidentNumber)\r\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \"Unassigned\" in ({Owner}))\r\n| extend RunPlaybook = \"Run Playbook\"\r\n| where Title has_cs \"Infoblox - SOC Insight\"\r\n| extend Labels = tostring(Labels)\r\n| extend InfobloxInsightID = extract(\"InfobloxInsightID: (.*?)\\\"\", 1, Labels)\r\n| join \r\n (InfobloxInsight\r\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\r\n ) on InfobloxInsightID\r\n//sometimes duplicate TimeGenerated so grab LastSeen next\r\n| summarize arg_max(LastSeen, *) by IncidentNumber\r\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\r\n; \r\nlet incidents =\r\nSecurityIncident\r\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\r\n| extend IncidentID = IncidentName\r\n| extend IncidentNumber = toint(IncidentNumber)\r\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \"Unassigned\" in ({Owner}))\r\n| extend RunPlaybook = \"Run Playbook\"\r\n| where Title has_cs \"Infoblox - SOC Insight\"\r\n| extend Alerts = extract(\"\\\\[(.*?)\\\\]\", 1, tostring(AlertIds))\r\n| mv-expand AlertIds to typeof(string)\r\n//----------------\r\n;\r\nlet alerts =\r\n SecurityAlert\r\n | extend AlertEntities = parse_json(Entities)\r\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\r\n;\r\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\r\n//----------------------\r\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\r\n// -------------\r\n| join kind=inner (incidents | join alerts on $left.AlertIds == $right.SystemAlertId) on IncidentNumber\r\n| join kind=fullouter x on IncidentNumber\r\n| summarize 
arg_max(TimeGenerated,*) by (IncidentNumber)\r\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \"All\"\r\n| where Status in ({Status}) or '{Status:label}' == \"All\"\r\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\r\n//| project-away IncidentID\r\n| order by toint(IncidentNumber) desc\r\n", + "size": 0, + "title": "SOC Insight Incidents", + "timeContextFromParameter": "TimeRange", + "exportedParameters": [ + { + "fieldName": "InfobloxInsightID", + "parameterName": "InfobloxInsightID", + "parameterType": 1 + }, + { + "fieldName": "IncidentID", + "parameterName": "IncidentID", + "parameterType": 1 + }, + { + "fieldName": "Title", + "parameterName": "Title", + "parameterType": 1 + } + ], + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "High", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "Sev1", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "Sev2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "Sev4", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": "", + "representation": "unknown", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Priority", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "INFO", + 
"representation": "blue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "LOW", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "MEDIUM", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "HIGH", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "CRITICAL", + "representation": "purple", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "Default", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "New", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Active", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": "", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Owner", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "25ch" + } + }, + { + "columnMatch": "IncidentUrl", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Open Incident" + } + }, + { + "columnMatch": "RunPlaybook", + "formatter": 7, + "formatOptions": { + "linkTarget": "ArmAction", + "linkIsContextBlade": true, + "armActionContext": { + "path": "/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview", + "headers": [], + "params": [], + "body": "{\r\n \"LogicAppsResourceId\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\",\r\n 
\"tenantId\":\"{TenantID}\"\r\n}", + "httpMethod": "POST", + "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when authoring this command." + } + }, + "tooltipFormat": { + "tooltip": "Run {PlaybookName} on this insight." + } + }, + { + "columnMatch": "EventsCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "NotBlockedCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "BlockedCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "InsightDataReady", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Data Not Found", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Ready", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "gray", + "text": "{0}{1}" + } + ] + }, + "tooltipFormat": { + "tooltip": "To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook." + } + }, + { + "columnMatch": "isPopulated", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Ready", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Data Not Found", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + }, + "tooltipFormat": { + "tooltip": "To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details Playbook." 
+ } + }, + { + "columnMatch": "Alerts", + "formatter": 5 + }, + { + "columnMatch": "AlertCount", + "formatter": 0, + "formatOptions": { + "aggregation": "Sum" + } + }, + { + "columnMatch": "Entities", + "formatter": 1 + }, + { + "columnMatch": "alertCount", + "formatter": 8, + "formatOptions": { + "min": 0, + "palette": "redBright" + } + }, + { + "columnMatch": "count_AlertCount", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "rowLimit": 500, + "filter": true + }, + "sortBy": [] + }, + "name": "IncidentDetailsView" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "46b4abc5-316b-4c75-89b7-5cf134d6dbb0", + "cellValue": "view", + "linkTarget": "parameter", + "linkLabel": "Summary", + "subTarget": "Summary", + "style": "link" + }, + { + "id": "81661594-3591-4fe6-a67d-b69ae55abf67", + "cellValue": "view", + "linkTarget": "parameter", + "linkLabel": "Assets", + "subTarget": "Assets", + "preText": "IPs", + "style": "link" + }, + { + "id": "46ca603b-ead0-46bd-987d-1d157b2a763a", + "cellValue": "view", + "linkTarget": "parameter", + "linkLabel": "Indicators", + "subTarget": "Indicators", + "style": "link" + }, + { + "id": "f2ce2fdb-104a-447f-b42b-6d11931a09ff", + "cellValue": "view", + "linkTarget": "parameter", + "linkLabel": "Events", + "subTarget": "Events", + "style": "link" + }, + { + "id": "03782b90-e744-4654-95c3-a1056cfe78f9", + "cellValue": "view", + "linkTarget": "parameter", + "linkLabel": "Comments", + "subTarget": "Comments", + "style": "link" + } + ] + }, + "conditionalVisibility": { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + }, + "name": "links - 16", + "styleSettings": { + "padding": "20px 0 20px 0" + } + }, + { + "type": 1, + "content": { + "json": "#### Click on **SOC Insight Incident** above to view more information.", + "style": "upsell" + }, + "conditionalVisibility": { + "parameterName": "InfobloxInsightID", + "comparison": 
"isEqualTo" + }, + "name": "text - 14", + "styleSettings": { + "padding": "10px 0 10px 0" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## {Title}" + }, + "name": "text - 8" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "list", + "links": [ + { + "id": "5c15d5ff-4108-4538-930b-201f4f8da870", + "cellValue": "https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary", + "linkTarget": "Url", + "linkLabel": "Redirect To Summary on CSP", + "preText": "", + "style": "link" + } + ] + }, + "name": "links - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(LastSeen)\r\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\r\n| extend FirstSeen = strcat(tostring(FirstSeen), \" UTC\")\r\n| project FirstSeen", + "size": 3, + "title": "First Seen", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "FirstSeen", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "red" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "First Seen" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(LastSeen)\r\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\r\n| extend LastSeen = strcat(tostring(LastSeen), \" UTC\")\r\n| project LastSeen", + "size": 3, + "title": "Last Seen ", + "timeContextFromParameter": 
"TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "LastSeen", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "red" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "Last Seen" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(SpreadingDate)\r\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\r\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \" UTC\")\r\n| project SpreadingDate", + "size": 3, + "title": "Spreading Date", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "SpreadingDate", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "red" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "Spreading Date" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(PersistentDate)\r\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\r\n| extend PersistentDate = strcat(tostring(PersistentDate), \" UTC\")\r\n| project PersistentDate", + "size": 3, + "title": "Persistent Date", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + 
"leftContent": { + "columnMatch": "PersistentDate", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "red" + } + }, + "showBorder": false, + "size": "auto" + } + }, + "customWidth": "25", + "name": "Persistent Date" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(BlockedCount)\r\n| project BlockedCount", + "size": 3, + "title": "Blocked Hits", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "BlockedCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "green" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Blocked Hits" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(NotBlockedCount)\r\n| project NotBlockedCount", + "size": 3, + "title": "Not Blocked Hits", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "NotBlockedCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "red" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Not Blocked Hits" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsight\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *)\r\n| where isnotempty(EventsCount)\r\n| project EventsCount\r\n", + "size": 3, + "title": "Total 
Hits", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "EventsCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "gray" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "Total Hits" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\n// Finding Tops \r\nlet Top = materialize(InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(Lookback)\r\n| where isnotempty(SourceIP)\r\n| summarize count() by SourceIP\r\n| top 20 by count_ \r\n| project SourceIP);\r\n// Filtering datasource to Tops and Plot Time chart\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(Lookback)\r\n| where SourceIP in ((Top))\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\r\n", + "size": 0, + "title": "Top 20 Compromised Assets", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "barchart", + "chartSettings": { + "createOtherGroup": 15, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Top Impacted IPs" + }, + { + "type": 3, + "content": { + 
"version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\n// Finding Tops \r\nlet Top = materialize(InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(Lookback)\r\n| where isnotempty(ThreatIndicator)\r\n| summarize count() by ThreatIndicator\r\n| top 20 by count_ \r\n| project ThreatIndicator);\r\n// Filtering datasource to Tops and Plot Time chart\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(Lookback)\r\n| where ThreatIndicator in ((Top))\r\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\r\n", + "size": 0, + "title": "Top 20 Indicators", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "barchart", + "chartSettings": { + "createOtherGroup": 15, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Top 20 Indicators" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\n// Finding Tops \r\nlet Top = materialize(InfobloxInsightEvents\r\n| where Detected >= ago(Lookback)\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(DestinationDnsDomain)\r\n| summarize count() );\r\n// Filtering datasource to Tops and Plot Time chart\r\nInfobloxInsightEvents\r\n| where Detected >= ago(Lookback)\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct 
ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d", + "size": 0, + "title": "Events", + "color": "amethyst", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "areachart" + }, + "customWidth": "33", + "name": "Events" + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "view", + "comparison": "isEqualTo", + "value": "Summary" + }, + { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + } + ], + "name": "Summary" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Assets\r\n---\r\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**" + }, + "name": "text - 6" + }, + { + "type": 1, + "content": { + "json": "#### Click on **Asset** below to view more information.", + "style": "upsell" + }, + "name": "text - 7", + "styleSettings": { + "margin": "15px 0 15px 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| join\r\n(\r\n InfobloxInsightAssets\r\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\r\n) on SourceIP\r\n| order by LastSeen, EventCount desc\r\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\r\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\r\n\r\n\r\n\r\n", + "size": 1, + "showAnalytics": true, + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "SourceIP", + "exportParameterName": "SourceIP", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "EventCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "IndicatorDistinctCount", + "formatter": 3, + "formatOptions": { + "palette": "purpleBlue" + } + } + ], + "rowLimit": 500, + "filter": true, + "labelSettings": [ + { + "columnId": "EventCount", + "label": "Associated Events" + }, + { + "columnId": "IndicatorDistinctCount", + "label": "Associated Indicators" + } + ] + } + }, + "name": "Assets", + "styleSettings": { + "margin": "0 0 20px 0" + } + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where SourceIP == '{SourceIP}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| order by Detected desc", + "size": 0, + "showAnalytics": true, + "title": "Events for {SourceIP}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + 
"operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true + }, + "sortBy": [] + }, + "customWidth": "75", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": "Events for {SourceIP}", + "styleSettings": { + "margin": "0 60px 0 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where SourceIP == '{SourceIP}'\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| summarize Count = count() by ThreatIndicator\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Indicators for {SourceIP}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + } + ], + "rowLimit": 500, + "filter": true + } + }, + "customWidth": "25", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": " Indicators for {SourceIP}", + "styleSettings": { + "margin": "0 15px 0 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\nInfobloxInsightEvents\r\n| where SourceIP == '{SourceIP}'\r\n| 
where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected > ago(30d)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel", + "size": 0, + "showAnalytics": true, + "title": "Threat Level Trend for {SourceIP}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "linechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + 
"operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true + }, + "chartSettings": { + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "N/A", + "color": "turquoise" + }, + { + "seriesName": "Info", + "color": "lightBlue" + }, + { + "seriesName": "Low", + "color": "yellow" + }, + { + "seriesName": "Medium", + "color": "orange" + }, + { + "seriesName": "High", + "color": "red" + } + ] + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": "Threat Level Trend for {SourceIP}" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\nInfobloxInsightEvents\r\n| where SourceIP == '{SourceIP}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected > ago(30d)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction", + "size": 0, + "showAnalytics": true, + "title": "Action Trend for {SourceIP}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + 
"text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true + }, + "chartSettings": { + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "N/A", + "color": "turquoise" + }, + { + "seriesName": "Block", + "color": "green" + }, + { + "seriesName": "Not Blocked", + "color": "red" + }, + { + "seriesName": "Log", + "color": "blue" + } + ] + } + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": "Action Trend for {SourceIP}" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\nInfobloxInsightEvents\r\n| where SourceIP == '{SourceIP}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected > ago(30d)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| make-series Events = count() default = 0 on Detected from 
ago(Lookback) to now() step 1d", + "size": 0, + "title": "All Events for {SourceIP}", + "color": "amethyst", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "areachart" + }, + "customWidth": "33", + "conditionalVisibility": { + "parameterName": "SourceIP", + "comparison": "isNotEqualTo" + }, + "name": "All Events for {SourceIP}" + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "view", + "comparison": "isEqualTo", + "value": "Assets" + }, + { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + } + ], + "name": "Assets" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Indicators\r\n---\r\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\r\n\r\n" + }, + "name": "text - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(InfobloxB1PolicyAction)\r\n| summarize count_distinct(ThreatIndicator) by InfobloxB1PolicyAction", + "size": 3, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Not Blocked", + "color": "red" + }, + { + "seriesName": "Blocked", + "color": "green" + } + ] + } + }, + "customWidth": "50", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| 
summarize count_distinct(ThreatIndicator) by ThreatLevel", + "size": 3, + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "High", + "color": "red" + }, + { + "seriesName": "Medium", + "color": "orange" + }, + { + "seriesName": "Low", + "color": "yellow" + }, + { + "seriesName": "Info", + "color": "blue" + }, + { + "seriesName": "N/A", + "color": "gray" + } + ] + } + }, + "customWidth": "50", + "name": "query - 8 - Copy" + }, + { + "type": 1, + "content": { + "json": "#### Click on **Indicator** below to view more information.", + "style": "upsell" + }, + "name": "text - 7", + "styleSettings": { + "padding": "15px 0 15px 0" + } + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Workspace}" + ], + "parameters": [ + { + "id": "5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5", + "version": "KqlParameterItem/1.0", + "name": "ThreatLevelParam", + "label": "Threat Level", + "type": 2, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "InfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct ThreatLevel", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + { + "id": "e36bc3c2-b85e-478c-968b-7faf79c21c49", + "version": "KqlParameterItem/1.0", + "name": "InfobloxB1PolicyActionParam", + "label": "Action", + "type": 2, + "isRequired": true, + "multiSelect": 
true, + "quote": "'", + "delimiter": ",", + "query": "InfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct InfobloxB1PolicyAction", + "crossComponentResources": [ + "{Workspace}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "All", + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "TimeRange", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 6 - Copy - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, 
\"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", + "size": 0, + "showAnalytics": true, + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "ThreatIndicator", + "exportParameterName": "ThreatIndicator", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Blocked", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Not Blocked", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + 
{ + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "EventCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "URL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Investigate in Dossier" + } + }, + { + "columnMatch": "SourceIPDistinctCount", + "formatter": 3, + "formatOptions": { + "palette": "bluePurple" + } + } + ], + "rowLimit": 500, + "filter": true, + "labelSettings": [ + { + "columnId": "EventCount", + "label": "Associated Events" + }, + { + "columnId": "URL", + "label": "Investigate in Dossier" + } + ] + }, + "sortBy": [] + }, + "name": "Indicators", + "styleSettings": { + "margin": "0 15px 0 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where ThreatIndicator has_cs '{ThreatIndicator}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| join\r\n(\r\n InfobloxInsightAssets\r\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\r\n) on SourceIP\r\n| order by LastSeen, EventCount desc\r\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\r\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Assets for {ThreatIndicator}", + "noDataMessage": "Select an Indicator in the above chart to see details.", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "EventCount", + "formatter": 3, + "formatOptions": { + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "IndicatorDistinctCount", + "formatter": 3, + "formatOptions": { + "palette": "purpleBlue" + } + } + ], + "rowLimit": 500, + "filter": true + } + }, + "customWidth": "70", + "conditionalVisibility": { + "parameterName": "ThreatIndicator", + "comparison": "isNotEqualTo" + }, + "name": "Assets for {ThreatIndicator}", + "styleSettings": { + "margin": "0 20px 0 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\n// Finding Tops \r\nlet Top = materialize(InfobloxInsightEvents\r\n| where Detected >= ago(Lookback)\r\n| where ThreatIndicator has_cs '{ThreatIndicator}'\r\n| where isnotempty(DestinationDnsDomain)\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize count() by SourceIP\r\n| top 500 by count_ \r\n);\r\n// Filtering datasource to Tops and Plot Time chart\r\nInfobloxInsightEvents\r\n| where Detected >= ago(Lookback)\r\n| where ThreatIndicator has_cs '{ThreatIndicator}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where SourceIP in ((Top))\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP", + "size": 0, + "showAnalytics": true, + "title": "Source IPs for {ThreatIndicator}", + "color": "amethyst", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "barchart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true + }, + "chartSettings": { + "createOtherGroup": 15 + } + }, + "customWidth": "30", + "conditionalVisibility": { + "parameterName": "ThreatIndicator", + "comparison": "isNotEqualTo" + }, + "name": "Source IPs for {ThreatIndicator}" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where Detected >= ago(30d)\r\n| where ThreatIndicator has_cs '{ThreatIndicator}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = 
InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| order by Detected desc", + "size": 0, + "showAnalytics": true, + "title": "Events for {ThreatIndicator}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": 
"Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true, + "sortBy": [ + { + "itemKey": "SourceIP", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "SourceIP", + "sortOrder": 2 + } + ] + }, + "customWidth": "70", + "conditionalVisibility": { + "parameterName": "ThreatIndicator", + "comparison": "isNotEqualTo" + }, + "name": "Events for {ThreatIndicator}", + "styleSettings": { + "margin": "0 20px 0 0" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Lookback = 30d;\r\nInfobloxInsightEvents\r\n| where Detected >= ago(Lookback)\r\n| where ThreatIndicator has_cs '{ThreatIndicator}'\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\r\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction", + "size": 0, + "showAnalytics": true, + "title": "Action Trend for {ThreatIndicator}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "timechart", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + 
"thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 500, + "filter": true + }, + "chartSettings": { + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "N/A", + "color": "gray" + }, + { + "seriesName": "Block", + "color": "green" + }, + { + "seriesName": "Allow - No Log", + "color": "red" + }, + { + "seriesName": "Log", + "color": "lightBlue" + } + ] + } + }, + "customWidth": "30", + "conditionalVisibility": { + "parameterName": "ThreatIndicator", + "comparison": "isNotEqualTo" + }, + "name": "Action Trend for {ThreatIndicator}" + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "view", + "comparison": "isEqualTo", + "value": "Indicators" + }, + { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + } + ], + "name": "Indicators" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Events\r\n---\r\nDNS security events associated with this insight.\r\n" + }, + "name": "text - 0" + }, + { + "type": 3, + 
"content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(ThreatLevel)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by ThreatLevel\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Threat Level", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "High", + "color": "red" + }, + { + "seriesName": "Medium", + "color": "orange" + }, + { + "seriesName": "Low", + "color": "yellow" + }, + { + "seriesName": "Info", + "color": "lightBlue" + }, + { + "seriesName": "N/A", + "color": "gray" + } + ] + } + }, + "customWidth": "33", + "name": "Threat Level" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(ThreatClass)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by 
ThreatClass\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Threat Classes", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Threat Classes" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(ThreatProperty)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by ThreatProperty\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Threat Families", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Threat Families" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, 
ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by SourceUserName\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Users", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Users" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(DeviceName)\r\n| where Detected >= ago(30d)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by DeviceName\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Device Names", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Device Names" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(SourceIP)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, 
DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by SourceIP\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Source IPs", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Source IPs" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(InfobloxB1Network)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by InfobloxB1Network", + "size": 4, + "title": "Sources", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Sources" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(InfobloxB1PolicyName)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, 
SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by InfobloxB1PolicyName", + "size": 4, + "title": "Policies", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "Policies" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(InfobloxB1PolicyAction)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by InfobloxB1PolicyAction\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Actions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Block", + "color": "green" + }, + { + "seriesName": "Log", + "color": "lightBlue" + }, + { + "seriesName": "Allow - No Log", + "color": "red" + } + ] + } + }, + "customWidth": "33", + "name": "Actions" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(DNSResponse)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by DNSResponse\r\n\r\n\r\n\r\n", + "size": 4, + "title": "DNS Responses", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "DNS Responses" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(DeviceRegion)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by DeviceRegion\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Device Regions", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + 
"showLegend": true + } + }, + "customWidth": "33", + "name": "Device Regions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| where isnotempty(DeviceCountry)\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| summarize Count = count() by DeviceCountry\r\n\r\n\r\n\r\n", + "size": 4, + "title": "Device Countries", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "High", + "color": "red" + }, + { + "seriesName": "Medium", + "color": "orange" + }, + { + "seriesName": "Low", + "color": "yellow" + }, + { + "seriesName": "Info", + "color": "lightBlue" + }, + { + "seriesName": "N/A", + "color": "gray" + } + ] + } + }, + "customWidth": "33", + "name": "Device Countries" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where Detected >= ago(30d)\r\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\r\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, 
['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\r\n| order by Detected desc", + "size": 0, + "showAnalytics": true, + "title": "Events", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatLevel", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "N/A", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Info", + "representation": "lightBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InfobloxB1PolicyAction", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Allow", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Block", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "Events" + } + ] + }, + 
"conditionalVisibilities": [ + { + "parameterName": "view", + "comparison": "isEqualTo", + "value": "Events" + }, + { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + } + ], + "name": "Events" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "InfobloxInsightComments\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| distinct CommentChanger, Comment, DateChanged, Status\r\n| order by DateChanged desc\r\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\r\n| project ['Date Time'], Status, User, Comment", + "size": 0, + "title": "Comments", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "name": "Comments" + } + ] + }, + "conditionalVisibilities": [ + { + "parameterName": "view", + "comparison": "isEqualTo", + "value": "Comments" + }, + { + "parameterName": "InfobloxInsightID", + "comparison": "isNotEqualTo" + } + ], + "name": "Comments" + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 17" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "6" + }, + "name": "group - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\r\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\r\n", + "style": "info" + }, + "name": "text - 4" + }, + { + "type": 1, + "content": { + "json": "# Infoblox Config Insights" + }, + "name": "text - 5" + }, + { + "type": 1, + "content": { + "json": "## Steps to view Config Insights Details using this workbook\r\n- This workbook is intended to view the available config insights and view their details.\r\n- Select the **Resource Group** and **Subscription ID**.\r\n- Select TimeRange.\r\n- From the **Config Insights** panel, select any config Insight.\r\n- You will be able to see the config details of the selected Insight.\r\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\r\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\r\n- You can check the status of the playbook to identify the Config Insight Details status.\r\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\r\n
\r\n
\r\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\r\n", + "style": "upsell" + }, + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "7783c2b4-a6e6-4117-92ec-a9a751f01465", + "version": "KqlParameterItem/1.0", + "name": "SubscriptionId", + "label": "Subscription ID", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| distinct subscriptionId", + "typeSettings": { + "resourceTypeFilter": { + "microsoft.operationalinsights/workspaces": true + }, + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": null + }, + { + "id": "4a15b858-69b6-4198-abfd-6af5f187d813", + "version": "KqlParameterItem/1.0", + "name": "SentinelResourceGroup1", + "label": "Resource Group", + "type": 2, + "isRequired": true, + "query": "Resources\r\n| summarize Count = count() by subscriptionId, resourceGroup\r\n| where subscriptionId == ('{SubscriptionId}')\r\n| order by Count desc\r\n| extend Rank = row_number()\r\n| project resourceGroup", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": "" + }, + { + "id": "f70e5d0e-2eff-4bca-9489-90ab64378887", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + 
"durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + } + ], + "allowCustom": false + }, + "value": { + "durationMs": 1209600000 + }, + "label": "Time Range" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "parameters - 1 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\r\nunion isfuzzy = true\r\ndummy_table,\r\nInfoblox_Config_Insights_CL\r\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\r\n| extend ConfigInsightDetails = \"GET CONFIG INSIGHT DETAILS\"\r\n| project-rename ['Date Time'] = TimeGenerated\r\n| project ['Date Time'],\r\n['Policy Analytics ID'] = policyAnalyticsId_g,\r\n['Insight Type'] = column_ifexists(\"insightType_s\",\"\"),\r\n[\"Config Insight Details\"] = column_ifexists(\"ConfigInsightDetails\",\"\")\r\n", + "size": 0, + "showAnalytics": true, + "title": "Config Insights", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "Policy Analytics ID", + "exportParameterName": "ConfigInsightId", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Config Insight Details", + "formatter": 7, + "formatOptions": { + "linkTarget": "ArmAction", + "linkIsContextBlade": true, + "armActionContext": { + "path": "/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01", + "headers": [], + "params": [], + "body": "{\r\n \"config_insight_id\": \"{ConfigInsightId}\"\r\n}", + "httpMethod": "POST", + "description": "# Actions can potentially modify resources.\n## Please use caution and include a confirmation message in this description when 
authoring this command." + } + } + } + ], + "rowLimit": 10000, + "sortBy": [ + { + "itemKey": "Policy Analytics ID", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Policy Analytics ID", + "sortOrder": 1 + } + ] + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\r\nunion isfuzzy = true\r\ndummy_table,\r\nInfoblox_Config_Insight_Details_CL\r\n| where analyticInsightId_g == \"{ConfigInsightId}\"\r\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\r\n| extend ParsedJson = parse_json(feeds_s)\r\n| mv-expand ParsedJson\r\n| project-rename ['Date Time'] = TimeGenerated\r\n| project ['Date Time'], \r\n['Insight Type'] = insightType_s,\r\n['Rule Type'] = ParsedJson.ruleType, \r\n['Rule Name'] = ParsedJson.ruleName, \r\n['Feed Name'] = ParsedJson.feedName, \r\n['Current Action'] = ParsedJson.currentAction, \r\n['Recommended Action'] = ParsedJson.recommendedAction, \r\n['Status'] = ParsedJson.status", + "size": 0, + "showAnalytics": true, + "title": "Config Insights Detail for Config ID: {ConfigInsightId}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + } + }, + "conditionalVisibility": { + "parameterName": "ConfigInsightId", + "comparison": "isNotEqualTo" + }, + "name": "query - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Parameter", + "comparison": "isEqualTo", + "value": "8" + }, + "name": "group - 16" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ + { + "id": "a4b4e975-fa7c-46a3-b669-850aacc88134", 
+ "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Guide", + "type": 10, + "isRequired": true, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]" + }, + { + "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 86400000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + } + ], + "allowCustom": true + 
}, + "timeContextFromParameter": "TimeRange", + "label": "Time Range" + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Parameter Selectors" + }, + { + "type": 1, + "content": { + "json": "  Please take time to answer a quick survey,\r\n[ click here. ](https://forms.office.com/r/n9beey85aP)" + }, + "name": "Survey" + }, + { + "type": 1, + "content": { + "json": "# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\n---\n\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\n" + }, + "customWidth": "79", + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Workbook Overview" + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) " + }, + "customWidth": "20", + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "Microsoft Sentinel Logo" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "18c690d7-7cbd-46c1-b677-1f72692d40cd", + "cellValue": "TAB", + "linkTarget": "parameter", + "linkLabel": "Indicators Ingestion", + "subTarget": "Indicators", + "preText": "Alert rules", + "style": "link" + }, + { + "id": "f88dcf47-af98-4684-9de3-1ee5f48f68fc", + "cellValue": "TAB", + "linkTarget": "parameter", + "linkLabel": "Indicators Search", + "subTarget": "Observed", + "style": "link" + } + ] + }, + "name": "Tabs link" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, 
bin(TimeGenerated, 1h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "size": 0, + "showAnalytics": true, + "title": "Indicators Imported into Sentinel by Indicator Type and Date", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "size": 0, + "showAnalytics": true, + "title": "Indicators Imported into Sentinel by Indicator Provider and Date", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or 
isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Active Indicators by Indicator Type", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Active Indicators by Indicator Source", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select 
only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "size": 0, + "showAnalytics": true, + "title": "Active Indicators by Confidence Score", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| 
summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains 
todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Uniqueness of Threat Intelligence Sources", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Source", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "View", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ActiveIndicators", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 12" + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 6" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TAB", + "comparison": "isEqualTo", + "value": "Indicators" + }, + "name": "Indicators Ingestion" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9aec751b-07bd-43ba-80b9-f711887dce45", + "version": "KqlParameterItem/1.0", + 
"name": "Indicator", + "label": "Search Indicator in Events", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Threat Research Parameters" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "50", + "name": "text - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor 
column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor 
column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| summarize count() by Table_Name \r\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\r\n| sort by ['Logs Count'] desc", + "size": 0, + "showAnalytics": true, + "title": "Indicators Observed", + "noDataMessage": "No indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Type", + "exportParameterName": "Type", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Data Table", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Log", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Logs Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileOriginUrl', '') has \"{Indicator}\"\r\nor column_ifexists('FQDN', '') 
has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessSHA256', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('Name', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteUrl', '') has \"{Indicator}\"\r\nor column_ifexists('RecipientEmailAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SenderMailFromAddress', '') has \"{Indicator}\" \r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('Url', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('FileHashValue', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSenderAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DomainName', '') has \"{Indicator}\"\r\nor column_ifexists('AADEmail', '') has \"{Indicator}\"\r\nor column_ifexists('Account', '') has \"{Indicator}\"\r\nor column_ifexists('AccountName', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUpn', '') has \"{Indicator}\"\r\nor column_ifexists('AccountUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Caller', '') has \"{Indicator}\"\r\nor column_ifexists('CompromisedEntity', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserID', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationUserName', '') has \"{Indicator}\"\r\nor column_ifexists('DisplayName', '') has \"{Indicator}\"\r\nor column_ifexists('Email_s', '') has \"{Indicator}\"\r\nor column_ifexists('FullyQualifiedSubjectUserName', 
'') has \"{Indicator}\"\r\nor column_ifexists('InitiatingProcessAccountUpn', '') has \"{Indicator}\" \r\nor column_ifexists('MailboxOwnerUPN', '') has \"{Indicator}\"\r\nor column_ifexists('Owner', '') has \"{Indicator}\"\r\nor column_ifexists('RequesterUpn', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIdentity', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserID', '') has \"{Indicator}\"\r\nor column_ifexists('SourceUserName', '') has \"{Indicator}\"\r\nor column_ifexists('SubjectUserName', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUser', '') has \"{Indicator}\"\r\nor column_ifexists('TargetUserName', '') has \"{Indicator}\"\r\nor column_ifexists('Upn', '') has \"{Indicator}\"\r\nor column_ifexists('User_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserId', '') has \"{Indicator}\" \r\nor column_ifexists('UserId_', '') has \"{Indicator}\"\r\nor column_ifexists('UserId_s_s', '') has \"{Indicator}\" \r\nor column_ifexists('userName', '') has \"{Indicator}\"\r\nor column_ifexists('UserName', '') has \"{Indicator}\" \r\nor column_ifexists('UserName_s', '') has \"{Indicator}\"\r\nor column_ifexists('userPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName_s', '') has \"{Indicator}\"\r\nor column_ifexists('UserPrincipalName', '') has \"{Indicator}\"\r\nor column_ifexists('Computer', '') has \"{Indicator}\"\r\nor column_ifexists('FileHash', '') has \"{Indicator}\"\r\nor column_ifexists('FilePath', '') has \"{Indicator}\"\r\nor column_ifexists('Process', '') has \"{Indicator}\"\r\nor column_ifexists('CommandLine', '') has \"{Indicator}\"\r\nor column_ifexists('NewProcessName', '') has \"{Indicator}\"\r\nor column_ifexists('ParentProcessName', '') has \"{Indicator}\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\r\n| render areachart", + "size": 0, + "showAnalytics": true, + "title": "Indicators Observed over Time", + "noDataMessage": "No 
indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Data Table", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "Log", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Logs Count", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 4 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let tiObservables = ThreatIntelligenceIndicator\r\n | where TimeGenerated < now()\r\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n | mvexpand(Entities)\r\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(isnotempty(Entities.Value), Entities.Value,\r\n iif(Entities.Type == \"account\", strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))))\r\n | where isnotempty(entity) \r\n | project entity, SystemAlertId, AlertTime;\r\nlet IncidentAlerts = SecurityIncident\r\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\r\n | mv-expand AlertIds\r\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\r\nlet AlertsWithTiObservables = alertEntity\r\n | join kind=inner tiObservables on 
$left.entity == $right.Indicator;\r\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\r\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\r\nIncidentsWithAlertsWithTiObservables\r\n| where Indicator contains '{Indicator}' or Indicator == \"*\"\r\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\r\n| sort by Incidents, Alerts desc", + "size": 0, + "showAnalytics": true, + "title": "Threat Intelligence Alerts", + "noDataMessage": "No indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Botnet", + "representation": "Command and Control", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "MaliciousUrl", + "representation": "Initial_Access", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Malware", + "representation": "Execution", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Phishing", + "representation": "Exfiltration", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "Pre attack", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Source", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Incidents", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Alerts", + "formatter": 4, + "formatOptions": { + "palette": "orange" + } + } + ], + 
"filter": true
+ }
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated < now()\r\n| project-rename ['Date Time'] = TimeGenerated\r\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP",
+ "size": 0,
+ "showAnalytics": true,
+ "title": "Threat Intelligence Indicator",
+ "timeContextFromParameter": "TimeRange",
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "rowLimit": 10000,
+ "filter": true
+ }
+ },
+ "name": "query - 6"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "📝 ***Refresh the web page to fetch details of recently collected events***"
+ },
+ "name": "text - 6"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "TAB",
+ "comparison": "isEqualTo",
+ "value": "Observed"
+ },
+ "name": "Indicators Observed"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "Parameter",
+ "comparison": "isEqualTo",
+ "value": "7"
+ },
+ "name": "group - 7"
+ }
+ ],
+ "fromTemplateId": "sentinel-Infoblox | Infoblox Workbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
index 9a8a25a9036..d28de412666 100644
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
@@ -50,7 +50,6 @@ ], "Hunting Queries" : [ - "Hunting Queries/Appspot Phishing Abuse.yaml", "Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml", "Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml", "Hunting Queries/EmailDelivered-ToInbox.yaml", 
@@ -120,7 +119,93 @@
 "Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml",
 "Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml",
 "Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml",
- "Hunting Queries/Ransomware/LaZagneCredTheft.yaml"
+ "Hunting Queries/Ransomware/LaZagneCredTheft.yaml",
+ "Hunting Queries/Email Queries/Attachment/ATP policy status check.yaml",
+ "Hunting Queries/Email Queries/Attachment/JNLP attachment.yaml",
+ "Hunting Queries/Email Queries/Attachment/Safe attachment detection.yaml",
+ "Hunting Queries/Email Queries/Authentication/Authentication failures.yaml",
+ "Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml",
+ "Hunting Queries/Email Queries/General/Audit Email Preview-Download action.yaml",
+ "Hunting Queries/Email Queries/General/Hunt for TABL changes.yaml",
+ "Hunting Queries/Email Queries/General/Local time to UTC time conversion.yaml",
+ "Hunting Queries/Email Queries/General/MDO daily detection summary report.yaml",
+ "Hunting Queries/Email Queries/General/Mail item accessed.yaml",
+ "Hunting Queries/Email Queries/General/Malicious email senders.yaml",
+ "Hunting Queries/Email Queries/General/New TABL Items.yaml",
+ "Hunting Queries/Email Queries/Hunting/Emails containing links to IP addresses.yaml",
+ "Hunting Queries/Email Queries/Hunting/Good emails from senders with bad patterns.yaml",
+ "Hunting Queries/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml",
+ "Hunting Queries/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml",
+ "Hunting Queries/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml",
+ "Hunting Queries/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml",
+ "Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML",
+ "Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML",
+ "Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML",
+ "Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML",
+ "Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML",
+ "Hunting Queries/Email Queries/Mailflow/Detections by detection methods.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Mail reply to new domain.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Mailflow by directionality.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Malicious emails detected per day.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Sender recipient contact establishment.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Top 100 malicious email senders.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Top 100 senders.yaml",
+ "Hunting Queries/Email Queries/Mailflow/Zero day threats.yaml",
+ "Hunting Queries/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml",
+ "Hunting Queries/Email Queries/Malware/Email containing malware sent by an internal sender.yaml",
+ "Hunting Queries/Email Queries/Malware/Email malware detection report.yaml",
+ "Hunting Queries/Email Queries/Malware/Malware detections by detection methods.yaml",
+ "Hunting Queries/Email Queries/Overrides/Admin overrides.yaml",
+ "Hunting Queries/Email Queries/Overrides/Top policies performing admin overrides.yaml",
+ "Hunting Queries/Email Queries/Overrides/Top policies performing user overrides.yaml",
+ "Hunting Queries/Email Queries/Overrides/User overrides.yaml",
+ "Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml",
+ "Hunting Queries/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml",
+ "Hunting Queries/Email Queries/QR code/Campaign with randomly named attachments.yaml",
+ "Hunting Queries/Email Queries/QR code/Campaign with suspicious keywords.yaml",
+ "Hunting Queries/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml",
+ "Hunting Queries/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml",
+ "Hunting Queries/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml",
+ "Hunting Queries/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml",
+ "Hunting Queries/Email Queries/QR code/Hunting for sender patterns.yaml",
+ "Hunting Queries/Email Queries/QR code/Hunting for user signals-clusters.yaml",
+ "Hunting Queries/Email Queries/QR code/Inbound emails with QR code URLs.yaml",
+ "Hunting Queries/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml",
+ "Hunting Queries/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml",
+ "Hunting Queries/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml",
+ "Hunting Queries/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml",
+ "Hunting Queries/Email Queries/Quarantine/Group quarantine release.yaml",
+ "Hunting Queries/Email Queries/Quarantine/High Confidence Phish Released.yaml",
+ "Hunting Queries/Email Queries/Quarantine/Quarantine Release Email Details.yaml",
+ "Hunting Queries/Email Queries/Quarantine/Quarantine release trend.yaml",
+ "Hunting Queries/Email Queries/Remediation/Email remediation action list.yaml",
+ "Hunting Queries/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml",
+ "Hunting Queries/Email Queries/Spoof and Impersonation/Referral phish emails.yaml",
+ "Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml",
+ "Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml",
+ "Hunting Queries/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml",
+ "Hunting Queries/Email Queries/Submissions/Admin reported submissions.yaml",
+ "Hunting Queries/Email Queries/Submissions/Status of submissions.yaml",
+ "Hunting Queries/Email Queries/Submissions/Top submitters of admin submissions.yaml",
+ "Hunting Queries/Email Queries/Submissions/Top submitters of user submissions.yaml",
+ "Hunting Queries/Email Queries/Submissions/User reported submissions.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Attacked more than x times average.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Top external malicious senders.yaml",
+ "Hunting Queries/Email Queries/Top Attacks/Top targeted users.yaml",
+ "Hunting Queries/Email Queries/URL Click/End user malicious clicks.yaml",
+ "Hunting Queries/Email Queries/URL Click/URL click count by click action.yaml",
+ "Hunting Queries/Email Queries/URL Click/URL click on ZAP Email.yaml",
+ "Hunting Queries/Email Queries/URL Click/URL clicks actions by URL.yaml",
+ "Hunting Queries/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml",
+ "Hunting Queries/Email Queries/URL Click/User clicked through events.yaml",
+ "Hunting Queries/Email Queries/URL Click/User clicks on malicious inbound emails.yaml",
+ "Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
+ "Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
+ "Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
+ "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
 ],
 "Workbooks" : [
 "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
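Review bot: The list appears to ship the same hunting query twice under two names — `"Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML"` and `"Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML"`; the hunks for both files later in this commit end with the identical `| where CountRecipientEmailAddress >= 15` and `| project RecipientEmailAddress, CountRecipientEmailAddress, Subject`, so the packaged solution would install two duplicate hunting queries. Keep one entry (and one file) unless the two are meant to differ in a way these hunks do not show. The same five `MDO_*` entries are also the only ones with an upper-case `.YAML` extension; the diff headers show the files really are named that way, so the paths resolve on a case-sensitive filesystem, but renaming them to `.yaml` in a follow-up would keep the list consistent and remove a case-sensitivity trap for the packaging step that reads it (that step is not visible here).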
@@ -128,7 +213,7 @@
 "Workbooks/MicrosoftDefenderForIdentity.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
- "Version": "3.0.8",
+ "Version": "3.0.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
index dd318b0cc97..4715198ab2d 100644
--- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
@@ -21,13 +21,4 @@ query: |
 //Change the Count of how many times the email with the same subject has come in
 | where CountRecipientEmailAddress >= 15
 | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
 version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
index d9d07c4dc99..751943f717c 100644
--- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
@@ -21,13 +21,4 @@ query: |
 //Change the Count of how many times the email with the same subject has come in
 | where CountSenderFromAddress >= 10
 | project SenderFromAddress, CountSenderFromAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
 version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
index 14598526b24..c4b5a3cc2b8 100644
--- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
@@ -21,13 +21,4 @@ query: |
 //Change the Count of how many times the email with the same subject has come in
 | where CountRecipientEmailAddress >= 15
 | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
 version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
index b20bec892db..0bc133fcb8d 100644
--- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
@@ -24,13 +24,4 @@ query: | | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"), Emails = count(DeliveryLocation == "Inbox/folder"), JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML index 67be8db65a9..91c700ddd0a 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML @@ -17,13 +17,4 @@ query: | | where ActionType == "ClickAllowed" //| where ActionType <> "ClickAllowed" | project AccountUpn, ActionType, Url -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.9.zip b/Solutions/Microsoft Defender XDR/Package/3.0.9.zip index 0a34beca1d0..a2a65b33794 100644 Binary files a/Solutions/Microsoft Defender XDR/Package/3.0.9.zip and b/Solutions/Microsoft Defender XDR/Package/3.0.9.zip differ diff --git a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json index bbb3385e88f..d95e38b9d57 100644 --- a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json +++ b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 71\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 156\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -758,13 +758,13 @@
 {
 "name": "huntingquery1",
 "type": "Microsoft.Common.Section",
- "label": "Appspot Phishing Abuse",
+ "label": "Spoofing attempts from Specific Domains",
 "elements": [
 {
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query helps surface phishing campaigns associated with Appspot abuse.These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.\nThis campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800\nReference - https://twitter.com/MsftSecIntel/status/1374148156301004800 This hunting query depends on MicrosoftThreatProtection data connector (EmailUrlInfo EmailEvents Parser or Table)"
+ "text": "This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
 }
 }
 ]
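Review bot: The regenerated description still advertises `**Data Connectors:** 1`, yet huntingquery1's new text says it "depends on OfficeATP data connector (EmailEvents Parser or Table)" while every other query in this file names the `MicrosoftThreatProtection` connector; a dependency on a connector this package does not ship suggests the EmailEvents requirement in that query's source YAML carries the wrong connectorId, and it should be corrected there and the package regenerated rather than patched in this JSON. The hunting-query count jumps from 71 to 156 while the archive is rewritten under the unchanged name `3.0.9.zip`; unless the version bump lives in a file outside this chunk, a content change of that size warrants a new solution version so existing installs pick it up. "Appspot Phishing Abuse" also drops out of slot 1 here — if it was removed rather than reordered, the release notes should say so.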
@@ -772,13 +772,13 @@
 {
 "name": "huntingquery2",
 "type": "Microsoft.Common.Section",
- "label": "Spoofing attempts from Specific Domains",
+ "label": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
 "elements": [
 {
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
+ "text": "This query identifies phishing emails sent that were successfully delivered, by top IP addressess. cutoff default value is 5, adjust the value as needed. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
 }
 }
 ]
@@ -786,13 +786,13 @@
 {
 "name": "huntingquery3",
 "type": "Microsoft.Common.Section",
- "label": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
+ "label": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
 "elements": [
 {
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies phishing emails sent that were successfully delivered, by top IP addressess. cutoff default value is 5, adjust the value as needed. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
+ "text": "This query identifies threats which got successfully delivered to Inbox/Junk folder. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
 }
 }
 ]
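Review bot: Both new entries declare `OfficeATP` as the required data connector, which does not match the `MicrosoftThreatProtection` connector every other hunting query in this package depends on; since EmailEvents is ingested by the XDR connector here, the `requiredDataConnectors` in the two source YAML files is probably wrong and should be fixed before repackaging. The huntingquery2 text also carries the typo `by top IP addressess` (`addresses`), and the huntingquery3 label ends in a stray period (`Inbox/Junk folder.`) that no other label has. Because this file reads as packaging output, make those edits in the source YAML name/description and regenerate rather than touching the JSON.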
@@ -800,13 +800,13 @@
 {
 "name": "huntingquery4",
 "type": "Microsoft.Common.Section",
- "label": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
+ "label": "Deimos Component Execution",
 "elements": [
 {
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query identifies threats which got successfully delivered to Inbox/Junk folder. This hunting query depends on OfficeATP data connector (EmailEvents Parser or Table)"
+ "text": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -814,13 +814,13 @@
 {
 "name": "huntingquery5",
 "type": "Microsoft.Common.Section",
- "label": "Deimos Component Execution",
+ "label": "LemonDuck Registration Function",
 "elements": [
 {
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
+ "text": "LemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -828,13 +828,13 @@
 {
 "name": "huntingquery6",
 "type": "Microsoft.Common.Section",
- "label": "LemonDuck Registration Function",
+ "label": "Devices with Log4j vulnerability alerts and additional other alert related context",
 "elements": [
 {
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "LemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
+ "text": "Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo AlertEvidence Parser or Table)"
 }
 }
 ]
@@ -842,13 +842,13 @@
 {
 "name": "huntingquery7",
 "type": "Microsoft.Common.Section",
- "label": "Devices with Log4j vulnerability alerts and additional other alert related context",
+ "label": "Alerts Related to Log4j Vulnerability",
 "elements": [
 {
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo AlertEvidence Parser or Table)"
+ "text": "Microsoft has observed attackers exploiting vulnerabilities associated with Log4J. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo Parser or Table)"
 }
 }
 ]
@@ -856,13 +856,13 @@
 {
 "name": "huntingquery8",
 "type": "Microsoft.Common.Section",
- "label": "Alerts Related to Log4j Vulnerability",
+ "label": "Malicious Use of MSBuild as LOLBin",
 "elements": [
 {
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Microsoft has observed attackers exploiting vulnerabilities associated with Log4J. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo Parser or Table)"
+ "text": "Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -870,13 +870,13 @@
 {
 "name": "huntingquery9",
 "type": "Microsoft.Common.Section",
- "label": "Malicious Use of MSBuild as LOLBin",
+ "label": "Qakbot Reconnaissance Activities",
 "elements": [
 {
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -884,13 +884,13 @@
 {
 "name": "huntingquery10",
 "type": "Microsoft.Common.Section",
- "label": "Qakbot Reconnaissance Activities",
+ "label": "Judgement Panda Exfil Activity",
 "elements": [
 {
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.\nQuestions via Twitter: @janvonkirchheim. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -898,13 +898,13 @@
 {
 "name": "huntingquery11",
 "type": "Microsoft.Common.Section",
- "label": "Judgement Panda Exfil Activity",
+ "label": "C2-NamedPipe",
 "elements": [
 {
 "name": "huntingquery11-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.\nQuestions via Twitter: @janvonkirchheim. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -912,13 +912,13 @@
 {
 "name": "huntingquery12",
 "type": "Microsoft.Common.Section",
- "label": "C2-NamedPipe",
+ "label": "Recon with Rundll",
 "elements": [
 {
 "name": "huntingquery12-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)"
+ "text": "This query detects suspicious rundll.exe activity associated with Trickbot campaigns. This hunting query depends on MicrosoftThreatProtection data connector (DeviceNetworkEvents Parser or Table)"
 }
 }
 ]
@@ -926,13 +926,13 @@
 {
 "name": "huntingquery13",
 "type": "Microsoft.Common.Section",
- "label": "Recon with Rundll",
+ "label": "DopplePaymer Procdump",
 "elements": [
 {
 "name": "huntingquery13-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects suspicious rundll.exe activity associated with Trickbot campaigns. This hunting query depends on MicrosoftThreatProtection data connector (DeviceNetworkEvents Parser or Table)"
+ "text": "Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
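Review bot: The huntingquery13 label spells the family `DopplePaymer` while its own text says `DoppelPaymer` (and the later "Stop Services" entry uses `Doppelpaymer`); analysts filter the hunting gallery by name, so three spellings of one family fragment search results. Normalise the name field in the source YAML to `DoppelPaymer Procdump` and regenerate. The "Recon with Rundll" text also says `rundll.exe`, which is not a Windows binary — if the query matches `rundll32.exe`, the description should say so.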
@@ -940,13 +940,13 @@
 {
 "name": "huntingquery14",
 "type": "Microsoft.Common.Section",
- "label": "DopplePaymer Procdump",
+ "label": "Credential Harvesting Using LaZagne",
 "elements": [
 {
 "name": "huntingquery14-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -954,13 +954,13 @@
 {
 "name": "huntingquery15",
 "type": "Microsoft.Common.Section",
- "label": "Credential Harvesting Using LaZagne",
+ "label": "LSASS Credential Dumping with Procdump",
 "elements": [
 {
 "name": "huntingquery15-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "Detects the use of Procdump to dump credentials from LSASS memory. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -968,13 +968,13 @@
 {
 "name": "huntingquery16",
 "type": "Microsoft.Common.Section",
- "label": "LSASS Credential Dumping with Procdump",
+ "label": "Doppelpaymer Stop Services",
 "elements": [
 {
 "name": "huntingquery16-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detects the use of Procdump to dump credentials from LSASS memory. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query searches for attempts to stop security services, which is a common tactic used by DoppelPaymer ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -982,13 +982,13 @@
 {
 "name": "huntingquery17",
 "type": "Microsoft.Common.Section",
- "label": "Doppelpaymer Stop Services",
+ "label": "Qakbot Campaign Self Deletion",
 "elements": [
 {
 "name": "huntingquery17-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for attempts to stop security services, which is a common tactic used by DoppelPaymer ransomware operators. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query detects if an instance of Qakbot has attempted to overwrite its original binary. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -996,13 +996,13 @@
 {
 "name": "huntingquery18",
 "type": "Microsoft.Common.Section",
- "label": "Qakbot Campaign Self Deletion",
+ "label": "Detect Suspicious Commands Initiated by Webserver Processes",
 "elements": [
 {
 "name": "huntingquery18-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects if an instance of Qakbot has attempted to overwrite its original binary. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1010,13 +1010,13 @@
 {
 "name": "huntingquery19",
 "type": "Microsoft.Common.Section",
- "label": "Detect Suspicious Commands Initiated by Webserver Processes",
+ "label": "Anomalous Payload Delivered from ISO files",
 "elements": [
 {
 "name": "huntingquery19-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -1024,13 +1024,13 @@
 {
 "name": "huntingquery20",
 "type": "Microsoft.Common.Section",
- "label": "Anomalous Payload Delivered from ISO files",
+ "label": "Bitsadmin Activity",
 "elements": [
 {
 "name": "huntingquery20-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceEvents Parser or Table)"
+ "text": "This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1038,13 +1038,13 @@
 {
 "name": "huntingquery21",
 "type": "Microsoft.Common.Section",
- "label": "Bitsadmin Activity",
+ "label": "Detect Malicious use of MSIExec",
 "elements": [
 {
 "name": "huntingquery21-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query detects possible download and execution using Msiexec. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1052,13 +1052,13 @@
 {
 "name": "huntingquery22",
 "type": "Microsoft.Common.Section",
- "label": "Detect Malicious use of MSIExec",
+ "label": "Detect Malicious use of Msiexec Mimikatz",
 "elements": [
 {
 "name": "huntingquery22-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects possible download and execution using Msiexec. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1066,13 +1066,13 @@
 {
 "name": "huntingquery23",
 "type": "Microsoft.Common.Section",
- "label": "Detect Malicious use of Msiexec Mimikatz",
+ "label": "Office Apps Launching Wscipt",
 "elements": [
 {
 "name": "huntingquery23-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "The query searches for Office applications launching wscript.exe to run a JSE file. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
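Review bot: The new huntingquery23 label `Office Apps Launching Wscipt` misspells the binary its own text names (`wscript.exe`); the label is the name users search for in the hunting gallery, so it should read `Office Apps Launching Wscript`. As this file appears to be generated from the hunting-query YAML, fix the `name` field there and rebuild the package so the label and the mainTemplate stay in sync.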
@@ -1080,13 +1080,13 @@
 {
 "name": "huntingquery24",
 "type": "Microsoft.Common.Section",
- "label": "Office Apps Launching Wscipt",
+ "label": "PowerShell Downloads",
 "elements": [
 {
 "name": "huntingquery24-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The query searches for Office applications launching wscript.exe to run a JSE file. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "The query searches for PowerShell execution events that could involve a download. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1094,13 +1094,13 @@
 {
 "name": "huntingquery25",
 "type": "Microsoft.Common.Section",
- "label": "PowerShell Downloads",
+ "label": "Detect Suspicious Mshta Usage",
 "elements": [
 {
 "name": "huntingquery25-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The query searches for PowerShell execution events that could involve a download. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query detects when mshta.exe has been run, which might include illegitimate usage by attackers. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1108,13 +1108,13 @@
 {
 "name": "huntingquery26",
 "type": "Microsoft.Common.Section",
- "label": "Detect Suspicious Mshta Usage",
+ "label": "Files Copied to USB Drives",
 "elements": [
 {
 "name": "huntingquery26-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query detects when mshta.exe has been run, which might include illegitimate usage by attackers. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents DeviceFileEvents Parser or Table)"
 }
 }
 ]
@@ -1122,13 +1122,13 @@
 {
 "name": "huntingquery27",
 "type": "Microsoft.Common.Section",
- "label": "Files Copied to USB Drives",
+ "label": "Suspicious DLLs in spool Folder",
 "elements": [
 {
 "name": "huntingquery27-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query lists files copied to USB external drives with USB drive information based on FileCreated events associated with most recent USBDriveMount events befor file creations. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents DeviceFileEvents Parser or Table)"
+ "text": "Look for the creation of suspicious DLL files spawned in the \\spool\\ folder along with DLLs that were recently loaded afterwards from \\Old. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents DeviceImageLoadEvents Parser or Table)"
 }
 }
 ]
@@ -1136,13 +1136,13 @@
 {
 "name": "huntingquery28",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious DLLs in spool Folder",
+ "label": "Suspicious Files in spool Folder",
 "elements": [
 {
 "name": "huntingquery28-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Look for the creation of suspicious DLL files spawned in the \\spool\\ folder along with DLLs that were recently loaded afterwards from \\Old. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents DeviceImageLoadEvents Parser or Table)"
+ "text": "Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)"
 }
 }
 ]
@@ -1150,13 +1150,13 @@
 {
 "name": "huntingquery29",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Files in spool Folder",
+ "label": "Suspicious Spoolsv Child Process",
 "elements": [
 {
 "name": "huntingquery29-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Monitor for creation of suspicious files in the /spools/driver/ folder. This is a broad-based search that will surface any creation or modification of files in the folder targeted by this exploit. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)"
+ "text": "Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675 This hunting query depends on MicrosoftThreatProtection data connector (DeviceImageLoadEvents DeviceProcessEvents Parser or Table)"
 }
 }
 ]
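Review bot: The new huntingquery28 text points analysts at `the /spools/driver/ folder`, which is not a path that exists on Windows — the print spooler's driver store lives under `\spool\drivers\` (the previous entry's own text uses the `\\spool\\` form), and "this exploit" is never named, so a reader cannot tell it refers to the PrintNightmare spooler bugs that the following entry cites as CVE-2021-1675. Suggest `Monitor for creation of suspicious files in the \spool\drivers\ folder, the location targeted by the PrintNightmare spooler exploits (CVE-2021-1675 / CVE-2021-34527).` in the source YAML description. The huntingquery29 text is also missing the full stop after `CVE-2021-1675`, so the generated dependency sentence runs into it.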
@@ -1164,13 +1164,13 @@
 {
 "name": "huntingquery30",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Spoolsv Child Process",
+ "label": "Suspicious Tomcat Confluence Process Launch",
 "elements": [
 {
 "name": "huntingquery30-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Surfaces suspicious spoolsv.exe behavior likely related to CVE-2021-1675 This hunting query depends on MicrosoftThreatProtection data connector (DeviceImageLoadEvents DeviceProcessEvents Parser or Table)"
+ "text": "The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence - CVE-2022-26134. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
 }
 }
 ]
@@ -1178,13 +1178,13 @@
 {
 "name": "huntingquery31",
 "type": "Microsoft.Common.Section",
- "label": "Suspicious Tomcat Confluence Process Launch",
+ "label": "MosaicLoader",
 "elements": [
 {
 "name": "huntingquery31-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The query checks for suspicious Tomcat process launches associated with likely exploitation of Confluence - CVE-2022-26134. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"
+ "text": "This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection. This hunting query depends on MicrosoftThreatProtection data connector (DeviceRegistryEvents Parser or Table)"
 }
 }
 ]
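Review bot: The new huntingquery31 description `This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection.` is a half sentence with a blog headline pasted after it, and the label `MosaicLoader` alone does not tell an analyst what is detected. Since the entry depends on DeviceRegistryEvents, a description that states the behaviour is more useful: `This hunting query looks for registry changes that add Windows Defender exclusions, a technique used by MosaicLoader to evade detection.` Make the change in the source YAML and regenerate so this JSON and the mainTemplate agree.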
@@ -1192,13 +1192,13 @@
 {
 "name": "huntingquery32",
 "type": "Microsoft.Common.Section",
- "label": "MosaicLoader",
+ "label": "PrintNightmare CVE-2021-1675 usage Detection",
 "elements": [
 {
 "name": "huntingquery32-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This hunting query looks Malware Hides Itself Among Windows Defender Exclusions to Evade Detection. This hunting query depends on MicrosoftThreatProtection data connector (DeviceRegistryEvents Parser or Table)"
+ "text": "This query looks for any file creations in the print spooler drivers folder. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)"
 }
 }
 ]
@@ -1206,13 +1206,13 @@
 {
 "name": "huntingquery33",
 "type": "Microsoft.Common.Section",
- "label": "PrintNightmare CVE-2021-1675 usage Detection",
+ "label": "Unusual Volume of file deletion by users",
 "elements": [
 {
 "name": "huntingquery33-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for any file creations in the print spooler drivers folder. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)"
+ "text": "This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents AADSignInEventsBeta Parser or Table)"
 }
 }
 ]
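Review bot: huntingquery32 (`any file creations in the print spooler drivers folder`, DeviceFileEvents) describes the same detection as huntingquery28 four entries earlier (`creation of suspicious files in the /spools/driver/ folder`, DeviceFileEvents); with the catalogue growing to 156 queries, two near-identical entries will produce duplicate bookmarks and confuse tuning, so consider keeping one or making the descriptions state how they differ. The label also ties PrintNightmare to CVE-2021-1675 only; the remote-code-execution variant most teams hunt for is CVE-2021-34527, so the name or description should mention both identifiers if the query covers that behaviour.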
@@ -1220,13 +1220,13 @@
 {
 "name": "huntingquery34",
 "type": "Microsoft.Common.Section",
- "label": "Unusual Volume of file deletion by users",
+ "label": "Detect MaiSniper",
 "elements": [
 {
 "name": "huntingquery34-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query looks for users performing file deletion activities. Spikes in file deletion observed from risky sign-in sessions are flagged here. This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents AADSignInEventsBeta Parser or Table)"
+ "text": "This query searches for usage of MailSniper Exchange attack tool. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)"
 }
 }
 ]
@@ -1234,13 +1234,13 @@
 {
 "name": "huntingquery35",
 "type": "Microsoft.Common.Section",
- "label": "Detect MaiSniper",
+ "label": "Account Brute Force",
 "elements": [
 {
 "name": "huntingquery35-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for usage of MailSniper Exchange attack tool. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)"
+ "text": "This hunting query searches for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)"
 }
 }
 ]
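Review bot: The new huntingquery34 label `Detect MaiSniper` drops the `l` from the tool its own text names, `MailSniper`; since labels are what analysts search the gallery for, it should read `Detect MailSniper` — fix the `name` in the source YAML and regenerate. The huntingquery35 text says the query keys on public IP addresses that "failed to logon … and eventually succeeded" against DeviceLogonEvents; if the threshold for "multiple times" is a tunable in the query, stating the default in the description (as the earlier "cutoff default value is 5" entry does) would help users tune it.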
@@ -1248,13 +1248,13 @@
 {
 "name": "huntingquery36",
 "type": "Microsoft.Common.Section",
- "label": "Account Brute Force",
+ "label": "Service Accounts Performing Remote PS",
 "elements": [
 {
 "name": "huntingquery36-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This hunting query searches for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded. This hunting query depends on MicrosoftThreatProtection data connector (DeviceLogonEvents Parser or Table)"
+ "text": "This query searches for any Service Accounts Performing Remote PowerShell. This hunting query depends on MicrosoftThreatProtection data connector (DeviceLogonEvents DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -1262,13 +1262,13 @@
 {
 "name": "huntingquery37",
 "type": "Microsoft.Common.Section",
- "label": "Service Accounts Performing Remote PS",
+ "label": "Local Admin Group Changes",
 "elements": [
 {
 "name": "huntingquery37-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This query searches for any Service Accounts Performing Remote PowerShell. This hunting query depends on MicrosoftThreatProtection data connector (DeviceLogonEvents DeviceEvents Parser or Table)"
+ "text": "This hunting query searches for changes to the local administrators group. This hunting query depends on MicrosoftThreatProtection data connector (IdentityInfo DeviceEvents Parser or Table)"
 }
 }
 ]
@@ -1276,13 +1276,13 @@ { "name": "huntingquery38", "type": "Microsoft.Common.Section", - "label": "Local Admin Group Changes", + "label": "Scheduled Task Creation", "elements": [ { "name": "huntingquery38-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query searches for changes to the local administrators group. This hunting query depends on MicrosoftThreatProtection data connector (IdentityInfo DeviceEvents Parser or Table)" + "text": "This query searches for any scheduled task creation event. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)" } } ] @@ -1290,13 +1290,13 @@ { "name": "huntingquery39", "type": "Microsoft.Common.Section", - "label": "Scheduled Task Creation", + "label": "Check for multiple signs of Ransomware Activity", "elements": [ { "name": "huntingquery39-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for any scheduled task creation event. This hunting query depends on MicrosoftThreatProtection data connector (DeviceEvents Parser or Table)" + "text": "This query checks for multiple signs of ransomware activity to identify affected devices. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1304,13 +1304,13 @@ { "name": "huntingquery40", "type": "Microsoft.Common.Section", - "label": "Check for multiple signs of Ransomware Activity", + "label": "Suspicious Image Load related to IcedId", "elements": [ { "name": "huntingquery40-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for multiple signs of ransomware activity to identify affected devices. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query searches for suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to IcedId ransomware. This hunting query depends on MicrosoftThreatProtection data connector (DeviceImageLoadEvents Parser or Table)" } } ] @@ -1318,13 +1318,13 @@ { "name": "huntingquery41", "type": "Microsoft.Common.Section", - "label": "Suspicious Image Load related to IcedId", + "label": "Clearing of forensic evidence from event logs using wevtutil", "elements": [ { "name": "huntingquery41-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for suspicious load image events by rundll32.exe or regsvr32.exe, a behavior associated with IcedId, which can lead to IcedId ransomware. This hunting query depends on MicrosoftThreatProtection data connector (DeviceImageLoadEvents Parser or Table)" + "text": "This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
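Review bot: The description on the `+ "text"` line of the `@@ -1304` hunk says the rundll32.exe/regsvr32.exe image loads "can lead to IcedId ransomware", but IcedID is generally documented as a banking trojan turned loader whose infections precede ransomware deployed by other families, not a ransomware strain itself, so the sentence misstates what a hunter is actually looking for. Suggested wording: `"text": "This query searches for suspicious image load events by rundll32.exe or regsvr32.exe, a behavior associated with IcedID, whose infections frequently precede ransomware deployment. This hunting query depends on MicrosoftThreatProtection data connector (DeviceImageLoadEvents Parser or Table)"`. The `IcedId` spelling in the label and text would also read better as the usual `IcedID`. If this file is regenerated from the query YAML, the wording should be fixed there rather than here.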
@@ -1332,13 +1332,13 @@ { "name": "huntingquery42", "type": "Microsoft.Common.Section", - "label": "Clearing of forensic evidence from event logs using wevtutil", + "label": "Stopping multiple processes using taskkill", "elements": [ { "name": "huntingquery42-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for attempts to clear at least 10 log entries from event logs using wevtutil. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1346,13 +1346,13 @@ { "name": "huntingquery43", "type": "Microsoft.Common.Section", - "label": "Stopping multiple processes using taskkill", + "label": "Potential Ransomware activity related to Cobalt Strike", "elements": [ { "name": "huntingquery43-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for attempts to stop at least 10 separate processes using the taskkill.exe utility. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo AlertEvidence DeviceLogonEvents Parser or Table)" } } ] 
@@ -1360,13 +1360,13 @@ { "name": "huntingquery44", "type": "Microsoft.Common.Section", - "label": "Potential Ransomware activity related to Cobalt Strike", + "label": "Qakbot Discovery Activies", "elements": [ { "name": "huntingquery44-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for alerts related to suspected ransomware and Cobalt Strike activity, a tool used in numerous ransomware campaigns. This hunting query depends on MicrosoftThreatProtection data connector (AlertInfo AlertEvidence DeviceLogonEvents Parser or Table)" + "text": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1374,13 +1374,13 @@ { "name": "huntingquery45", "type": "Microsoft.Common.Section", - "label": "Qakbot Discovery Activies", + "label": "Shadow Copy Deletions", "elements": [ { "name": "huntingquery45-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for injected processes launching discovery activity. Qakbot has been observed leading to ransomware in numerous instances. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This rule detects when Shadow Copies are being deleted. This is a know actions that is performed by threat actors. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
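Review bot: The new label on the `+ "label"` line of the `@@ -1360` hunk is misspelled: `"Qakbot Discovery Activies"` should be `"label": "Qakbot Discovery Activities",`. This string is the section heading rendered in the Azure portal, so the typo is user-visible even though it has no functional effect. As with the other sections in this file, the value is presumably copied from the hunting query's `name`, so fix it at the source too if that is the case.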
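Review bot: The description on the `+ "text"` line of the `@@ -1374` hunk contains a grammatical error, "This is a know actions that is performed by threat actors", and calls itself a "rule" although this section describes a hunting query. Suggested replacement: `"text": "This hunting query detects when Shadow Copies are being deleted, a well-known action performed by threat actors prior to ransomware deployment. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)"`. If the text is generated from the query's `description`, correct it there so the fix survives regeneration.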
@@ -1388,13 +1388,13 @@ { "name": "huntingquery46", "type": "Microsoft.Common.Section", - "label": "Shadow Copy Deletions", + "label": "Turning off services using sc exe", "elements": [ { "name": "huntingquery46-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This rule detects when Shadow Copies are being deleted. This is a know actions that is performed by threat actors. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query checks for attempts to turn off at least 10 existing services using sc.exe. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1402,13 +1402,13 @@ { "name": "huntingquery47", "type": "Microsoft.Common.Section", - "label": "Turning off services using sc exe", + "label": "Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities", "elements": [ { "name": "huntingquery47-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for attempts to turn off at least 10 existing services using sc.exe. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a This hunting query depends on MicrosoftThreatProtection data connector (DeviceTvmSoftwareVulnerabilitiesKB Parser or Table)" } } ] 
@@ -1416,13 +1416,13 @@ { "name": "huntingquery48", "type": "Microsoft.Common.Section", - "label": "Detect CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities", + "label": "Dropping Payload via certutil", "elements": [ { "name": "huntingquery48-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This advanced hunting query detects CISA Alert (AA22-117A) 2021 Top Routinely Exploited Vulnerabilities https://www.cisa.gov/uscert/ncas/alerts/aa22-117a This hunting query depends on MicrosoftThreatProtection data connector (DeviceTvmSoftwareVulnerabilitiesKB Parser or Table)" + "text": "BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" } } ] @@ -1430,13 +1430,13 @@ { "name": "huntingquery49", "type": "Microsoft.Common.Section", - "label": "Dropping Payload via certutil", + "label": "Imminent Ransomware", "elements": [ { "name": "huntingquery49-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "BazaCall campaign tricks users into calling a fake customer support center, and download a malicious Excel file which contains a macro to infect users' device with BazaLoader. This query searches for a copy of certutil.exe used by the macro. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" + "text": "Before deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1444,13 +1444,13 @@ { "name": "huntingquery50", "type": "Microsoft.Common.Section", - "label": "Imminent Ransomware", + "label": "Robbinhood Driver", "elements": [ { "name": "huntingquery50-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Before deploying Macaw ransomware in an organization, the attacker will run several commands designed to disable security tools and system recovery tools. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query detects the presence of the Robbinhood ransomware driver. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" } } ] @@ -1458,13 +1458,13 @@ { "name": "huntingquery51", "type": "Microsoft.Common.Section", - "label": "Robbinhood Driver", + "label": "Snip3 Malicious Network Connectivity", "elements": [ { "name": "huntingquery51-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query detects the presence of the Robbinhood ransomware driver. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" + "text": "This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This hunting query depends on MicrosoftThreatProtection data connector (DeviceNetworkEvents Parser or Table)" } } ] 
@@ -1472,13 +1472,13 @@ { "name": "huntingquery52", "type": "Microsoft.Common.Section", - "label": "Snip3 Malicious Network Connectivity", + "label": "Java Executing cmd to run Powershell", "elements": [ { "name": "huntingquery52-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for potentially hollowed processes that may be used to facilitate command-and-control or exfiltration by Snip3 malware. This hunting query depends on MicrosoftThreatProtection data connector (DeviceNetworkEvents Parser or Table)" + "text": "This query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1486,13 +1486,13 @@ { "name": "huntingquery53", "type": "Microsoft.Common.Section", - "label": "Java Executing cmd to run Powershell", + "label": "Clear System Logs", "elements": [ { "name": "huntingquery53-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query finds instances of the Java process being used to execute cmd.exe, and download and execute a PowerShell script. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1500,13 +1500,13 @@ { "name": "huntingquery54", "type": "Microsoft.Common.Section", - "label": "Clear System Logs", + "label": "Regsvr32 Rundll32 Image Loads Abnormal Extension", "elements": [ { "name": "huntingquery54-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query searches for attempts to use fsutil.exe to clear system logs and delete forensic artifacts. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)" } } ] @@ -1514,13 +1514,13 @@ { "name": "huntingquery55", "type": "Microsoft.Common.Section", - "label": "Regsvr32 Rundll32 Image Loads Abnormal Extension", + "label": "Regsvr32 Rundll32 with Anomalous Parent Process", "elements": [ { "name": "huntingquery55-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query is looking for regsvr32.exe or rundll32.exe loading DLL images with other extensions than .dll. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)" + "text": "This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)" } } ] 
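Review bot: The dependency clause on the `+ "text"` line of the `@@ -1500` hunk lists `DeviceProcessEvents DeviceNetworkEvents`, yet the description is about regsvr32.exe or rundll32.exe loading DLL images with non-.dll extensions, which elsewhere in this same file (the IcedID image-load section) is sourced from `DeviceImageLoadEvents`. If the underlying query reads DeviceImageLoadEvents, the connector dependency presented to the installer is wrong and should be regenerated from the query's `requiredDataConnectors`; if it really correlates process and network events, the description should say so. The query itself is not visible from this hunk, so please verify against its YAML before merging.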
@@ -1528,13 +1528,13 @@ { "name": "huntingquery56", "type": "Microsoft.Common.Section", - "label": "Regsvr32 Rundll32 with Anomalous Parent Process", + "label": "Enumeration of Users & Groups for Lateral Movement", "elements": [ { "name": "huntingquery56-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query searches for rundll32.exe or regsvr32.exe being spawned by abnormal processes such as wscript.exe, powershell.exe, cmd.exe, pwsh.exe, cscript.exe. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents Parser or Table)" + "text": "This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1542,13 +1542,13 @@ { "name": "huntingquery57", "type": "Microsoft.Common.Section", - "label": "Enumeration of Users & Groups for Lateral Movement", + "label": "Detect Potential kerberoast Activities", "elements": [ { "name": "huntingquery57-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query hunts for attempts to list users or groups using Net commands, which are commonly used for lateral movement. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query aim to detect if someone requests service tickets (where count => maxcount). The query requires trimming to set a baseline level for MaxCount. This hunting query depends on MicrosoftThreatProtection data connector (IdentityLogonEvents Parser or Table)" } } ] 
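Review bot: The description on the `+ "text"` line of the `@@ -1542` hunk writes the threshold comparison backwards as `count => maxcount` and has a subject-verb error ("This query aim"), which makes the tuning instruction hard to follow. Suggested wording: `"text": "This query aims to detect accounts requesting service tickets where the request count is >= MaxCount. The query requires tuning to set a baseline level for MaxCount. This hunting query depends on MicrosoftThreatProtection data connector (IdentityLogonEvents Parser or Table)"`. "Trimming" in the original presumably means tuning the threshold; confirm against the query's description, and consider capitalising `Kerberoast` in the label to match the rest of the file.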
@@ -1556,13 +1556,13 @@ { "name": "huntingquery58", "type": "Microsoft.Common.Section", - "label": "Detect Potential kerberoast Activities", + "label": "Webserver Executing Suspicious Applications", "elements": [ { "name": "huntingquery58-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query aim to detect if someone requests service tickets (where count => maxcount). The query requires trimming to set a baseline level for MaxCount. This hunting query depends on MicrosoftThreatProtection data connector (IdentityLogonEvents Parser or Table)" + "text": "This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript). This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1570,13 +1570,13 @@ { "name": "huntingquery59", "type": "Microsoft.Common.Section", - "label": "Webserver Executing Suspicious Applications", + "label": "Windows Print Spooler Service Suspicious File Creation", "elements": [ { "name": "huntingquery59-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query looks for common webserver process names and identifies any processes launched using a scripting language (cmd, powershell, wscript, cscript). This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "The query digs in Windows print spooler drivers folder for any file creations. This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" } } ] 
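Review bot: The description on the `+ "text"` line of the `@@ -1570` hunk says the print-spooler driver folder file creations are "used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999", which is ungrammatical and gives no hint that the behaviour is not exclusive to exploitation. Suggested wording: `"text": "This query looks for any file creation in the Windows print spooler drivers folder. This behavior is used by PoC exploits of CVE-2021-34527, CVE-2021-1675 and CVE-2022-21999; legitimate printer driver installation also writes to this folder, so expect benign matches that need triage. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)"`. The benign-hit caveat is my reading of how the spooler driver store is used in practice rather than something this hunk shows, so adjust if the query already filters those cases.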
@@ -1584,13 +1584,13 @@ { "name": "huntingquery60", "type": "Microsoft.Common.Section", - "label": "Windows Print Spooler Service Suspicious File Creation", + "label": "Spoolsv Spawning Rundll32", "elements": [ { "name": "huntingquery60-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The query digs in Windows print spooler drivers folder for any file creations. This behavior is used from PoC Exploit of CVE-2021-34527, CVE-2021-1675 or CVE-2022-21999. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" + "text": "Look for the spoolsv.exe launching rundll32.exe with an empty command line. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1598,13 +1598,13 @@ { "name": "huntingquery61", "type": "Microsoft.Common.Section", - "label": "Spoolsv Spawning Rundll32", + "label": "MITRE - Suspicious Events", "elements": [ { "name": "huntingquery61-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Look for the spoolsv.exe launching rundll32.exe with an empty command line. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This hunting query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score calculated per machine. Techniques can be added/removed as required. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1612,13 +1612,13 @@ { "name": "huntingquery62", "type": "Microsoft.Common.Section", - "label": "MITRE - Suspicious Events", + "label": "Remote File Creation with PsExec", "elements": [ { "name": "huntingquery62-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This hunting query looks for several different MITRE techniques, grouped by risk level. A weighting is applied to each risk level and a total score calculated per machine. Techniques can be added/removed as required. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query detects remote file creation events that might indicate an active attack using PsExec. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" } } ] @@ -1626,13 +1626,13 @@ { "name": "huntingquery63", "type": "Microsoft.Common.Section", - "label": "Remote File Creation with PsExec", + "label": "Account Creation", "elements": [ { "name": "huntingquery63-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query detects remote file creation events that might indicate an active attack using PsExec. This hunting query depends on MicrosoftThreatProtection data connector (DeviceFileEvents Parser or Table)" + "text": "This query looks for the creation of user accounts on a machine using the \"net user\" command. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1640,13 +1640,13 @@ { "name": "huntingquery64", "type": "Microsoft.Common.Section", - "label": "Account Creation", + "label": "Rare Process as a Service", "elements": [ { "name": "huntingquery64-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query looks for the creation of user accounts on a machine using the \"net user\" command. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query looks for rarely seen processes which are launched as a service. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents DeviceImageLoadEvents Parser or Table)" } } ] @@ -1654,13 +1654,13 @@ { "name": "huntingquery65", "type": "Microsoft.Common.Section", - "label": "Rare Process as a Service", + "label": "SAM Name Change CVE-2021-42278", "elements": [ { "name": "huntingquery65-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query looks for rarely seen processes which are launched as a service. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents DeviceImageLoadEvents Parser or Table)" + "text": "The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity. This hunting query depends on MicrosoftThreatProtection data connector (IdentityDirectoryEvents Parser or Table)" } } ] 
@@ -1668,13 +1668,13 @@ { "name": "huntingquery66", "type": "Microsoft.Common.Section", - "label": "SAM Name Change CVE-2021-42278", + "label": "Disabling Services via Registry", "elements": [ { "name": "huntingquery66-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The following query detects possible CVE-2021-42278 exploitation by finding changes of device names in the network using Microsoft Defender for Identity. This hunting query depends on MicrosoftThreatProtection data connector (IdentityDirectoryEvents Parser or Table)" + "text": "Search for processes modifying the registry to disable security features. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1682,13 +1682,13 @@ { "name": "huntingquery67", "type": "Microsoft.Common.Section", - "label": "Disabling Services via Registry", + "label": "DLLHost.exe WMIC domain discovery", "elements": [ { "name": "huntingquery67-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Search for processes modifying the registry to disable security features. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query checks for dllhost.exe calling WMIC to discover additional hosts and associated domain. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1696,13 +1696,13 @@ { "name": "huntingquery68", "type": "Microsoft.Common.Section", - "label": "DLLHost.exe WMIC domain discovery", + "label": "PowerShell adding exclusion path for Microsoft Defender of ProgramData", "elements": [ { "name": "huntingquery68-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for dllhost.exe calling WMIC to discover additional hosts and associated domain. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "Identify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] @@ -1710,13 +1710,13 @@ { "name": "huntingquery69", "type": "Microsoft.Common.Section", - "label": "PowerShell adding exclusion path for Microsoft Defender of ProgramData", + "label": "Deletion of data on multiple drives using cipher exe", "elements": [ { "name": "huntingquery69-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identify PowerShell creating an exclusion path of ProgramData directory for Microsoft Defender to not monitor. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1724,13 +1724,13 @@ { "name": "huntingquery70", "type": "Microsoft.Common.Section", - "label": "Deletion of data on multiple drives using cipher exe", + "label": "LaZagne Credential Theft", "elements": [ { "name": "huntingquery70-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query checks for attempts to delete data on multiple drives using cipher.exe. This activity is typically done by ransomware to prevent recovery of data after encryption. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query can be used to locate processes executing credential theft activity, often LaZagne in ransomware compromises. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" } } ] 
@@ -1738,13 +1738,1203 @@ { "name": "huntingquery71", "type": "Microsoft.Common.Section", - "label": "LaZagne Credential Theft", + "label": "ATP policy status check", "elements": [ { "name": "huntingquery71-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query can be used to locate processes executing credential theft activity, often LaZagne in ransomware compromises. This hunting query depends on MicrosoftThreatProtection data connector (DeviceProcessEvents Parser or Table)" + "text": "This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365. This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery72", + "type": "Microsoft.Common.Section", + "label": "JNLP-File-Attachment", + "elements": [ + { + "name": "huntingquery72-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "JNLP file extensions are an uncommon file type often used to deliver malware. 
This hunting query depends on MicrosoftThreatProtection data connector (EmailAttachmentInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery73", + "type": "Microsoft.Common.Section", + "label": "Safe Attachments detections", + "elements": [ + { + "name": "huntingquery73-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query provides insights on the detections done by Safe Attachment detections This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery74", + "type": "Microsoft.Common.Section", + "label": "Authentication failures by time and authentication type", + "elements": [ + { + "name": "huntingquery74-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery75", + "type": "Microsoft.Common.Section", + "label": "Spoof attempts with auth failure", + "elements": [ + { + "name": "huntingquery75-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in checking for spoofing attempts on the domain with Authentication failures This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery76", + "type": "Microsoft.Common.Section", + "label": "Audit Email Preview-Download action", + "elements": [ + { + "name": "huntingquery76-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" 
+ } + } + ] + }, + { + "name": "huntingquery77", + "type": "Microsoft.Common.Section", + "label": "Hunt for TABL changes", + "elements": [ + { + "name": "huntingquery77-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery78", + "type": "Microsoft.Common.Section", + "label": "Local time to UTC time conversion", + "elements": [ + { + "name": "huntingquery78-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery79", + "type": "Microsoft.Common.Section", + "label": "MDO daily detection summary report", + "elements": [ + { + "name": "huntingquery79-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents AlertEvidence EmailEvents EmailPostDeliveryEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery80", + "type": "Microsoft.Common.Section", + "label": "Mail item accessed", + "elements": [ + { + "name": "huntingquery80-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing emails accessed by end users using cloud app events data This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + 
"name": "huntingquery81", + "type": "Microsoft.Common.Section", + "label": "Malicious email senders", + "elements": [ + { + "name": "huntingquery81-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for emails from a sender with at least one email in quarantine This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery82", + "type": "Microsoft.Common.Section", + "label": "New TABL Items", + "elements": [ + { + "name": "huntingquery82-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery83", + "type": "Microsoft.Common.Section", + "label": "Emails containing links to IP addresses", + "elements": [ + { + "name": "huntingquery83-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Emails containing links to IP addresses This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery84", + "type": "Microsoft.Common.Section", + "label": "Good emails from senders with bad patterns", + "elements": [ + { + "name": "huntingquery84-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for good emails from senders with bad patterns This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery85", + "type": "Microsoft.Common.Section", + "label": "Hunt for email conversation take over attempts", + "elements": [ + { + "name": "huntingquery85-text", + "type": "Microsoft.Common.TextBlock", + "options": { + 
"text": "This query helps hunting for email conversation take over attempts This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery86", + "type": "Microsoft.Common.Section", + "label": "Hunt for malicious URLs using external IOC source", + "elements": [ + { + "name": "huntingquery86-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunt for emails with malicious URLs based on external IOC source This hunting query depends on MicrosoftThreatProtection data connector (EmailUrlInfo EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery87", + "type": "Microsoft.Common.Section", + "label": "Hunt for malicious attachments using external IOC source", + "elements": [ + { + "name": "huntingquery87-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source This hunting query depends on MicrosoftThreatProtection data connector (EmailAttachmentInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery88", + "type": "Microsoft.Common.Section", + "label": "Inbox rule changes which forward-redirect email", + "elements": [ + { + "name": "huntingquery88-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Inbox rule changes which forward-redirect email This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery89", + "type": "Microsoft.Common.Section", + "label": "MDO_CountOfRecipientsEmailaddressbySubject", + "elements": [ + { + "name": "huntingquery89-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Count of recipient's email addresses by subject This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" 
+ } + } + ] + }, + { + "name": "huntingquery90", + "type": "Microsoft.Common.Section", + "label": "MDO_CountOfSendersEmailaddressbySubject", + "elements": [ + { + "name": "huntingquery90-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Count of sender's email addresses by subject This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery91", + "type": "Microsoft.Common.Section", + "label": "MDO_Countofrecipientsemailaddressesbysubject", + "elements": [ + { + "name": "huntingquery91-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Count of recipient's email addresses by subject This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery92", + "type": "Microsoft.Common.Section", + "label": "MDO_SummaryOfSenders", + "elements": [ + { + "name": "huntingquery92-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Count of all Senders and where they were delivered This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery93", + "type": "Microsoft.Common.Section", + "label": "MDO_URLClickedinEmail", + "elements": [ + { + "name": "huntingquery93-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "URLs clicked in Email This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery94", + "type": "Microsoft.Common.Section", + "label": "Detections by detection methods", + "elements": [ + { + "name": "huntingquery94-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing malicious email detections by detection methods This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents 
Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery95", + "type": "Microsoft.Common.Section", + "label": "Mail reply to new domain", + "elements": [ + { + "name": "huntingquery95-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery96", + "type": "Microsoft.Common.Section", + "label": "Mailflow by directionality", + "elements": [ + { + "name": "huntingquery96-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing inbound / outbound / intra-org emails by domain per day This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery97", + "type": "Microsoft.Common.Section", + "label": "Malicious emails detected per day", + "elements": [ + { + "name": "huntingquery97-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing Malware, Phishing, Spam emails caught per day This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery98", + "type": "Microsoft.Common.Section", + "label": "Sender recipient contact establishment", + "elements": [ + { + "name": "huntingquery98-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in checking the sender-recipient contact establishment status This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery99", + "type": "Microsoft.Common.Section", + "label": "Top 100 malicious email senders", + "elements": [ + { + "name": "huntingquery99-text", + "type": 
"Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing top 100 malicious senders This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery100", + "type": "Microsoft.Common.Section", + "label": "Top 100 senders", + "elements": [ + { + "name": "huntingquery100-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing top 100 senders in your organization in last 30 days This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery101", + "type": "Microsoft.Common.Section", + "label": "Zero day threats", + "elements": [ + { + "name": "huntingquery101-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing zero day threats via URL and file detonations This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery102", + "type": "Microsoft.Common.Section", + "label": "Email containing malware accessed on a unmanaged device", + "elements": [ + { + "name": "huntingquery102-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we are looking for emails containing malware accessed on a unmanaged device This hunting query depends on MicrosoftThreatProtection data connector (EmailPostDeliveryEvents CloudAppEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery103", + "type": "Microsoft.Common.Section", + "label": "Email containing malware sent by an internal sender", + "elements": [ + { + "name": "huntingquery103-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we are looking for emails containing malware attachment sent by an internal sender This hunting query depends on MicrosoftThreatProtection data 
connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery104", + "type": "Microsoft.Common.Section", + "label": "Email malware detection report", + "elements": [ + { + "name": "huntingquery104-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing email malware detection cases This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailAttachmentInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery105", + "type": "Microsoft.Common.Section", + "label": "Malware detections by detection methods", + "elements": [ + { + "name": "huntingquery105-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing malware detections by detection methods This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery106", + "type": "Microsoft.Common.Section", + "label": "Admin overrides", + "elements": [ + { + "name": "huntingquery106-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in reviewing malicious emails allowed due to admin overrides This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery107", + "type": "Microsoft.Common.Section", + "label": "Top policies performing admin overrides", + "elements": [ + { + "name": "huntingquery107-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in reviewing top policies for admin overrides (Allow/Block) This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery108", + "type": "Microsoft.Common.Section", + "label": "Top policies performing user overrides", + "elements": [ + { + "name": "huntingquery108-text", + "type": "Microsoft.Common.TextBlock", + 
"options": { + "text": "This query helps in reviewing top policies for user overrides (Allow/Block) This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery109", + "type": "Microsoft.Common.Section", + "label": "User overrides", + "elements": [ + { + "name": "huntingquery109-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in reviewing malicious emails allowed due to user overrides This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery110", + "type": "Microsoft.Common.Section", + "label": "Appspot Phishing Abuse", + "elements": [ + { + "name": "huntingquery110-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps surface phishing campaigns associated with Appspot abuse. This hunting query depends on MicrosoftThreatProtection data connector (EmailUrlInfo EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery111", + "type": "Microsoft.Common.Section", + "label": "Phish detections by detection methods", + "elements": [ + { + "name": "huntingquery111-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery112", + "type": "Microsoft.Common.Section", + "label": "Campaign with randomly named attachments", + "elements": [ + { + "name": "huntingquery112-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents 
Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery113", + "type": "Microsoft.Common.Section", + "label": "Campaign with suspicious keywords", + "elements": [ + { + "name": "huntingquery113-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection, we track emails with suspicious keywords in subjects. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery114", + "type": "Microsoft.Common.Section", + "label": "Custom detection-Emails with QR from non-prevalent senders", + "elements": [ + { + "name": "huntingquery114-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery115", + "type": "Microsoft.Common.Section", + "label": "Emails delivered having URLs from QR codes", + "elements": [ + { + "name": "huntingquery115-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we hunt for inbound emails delivered having URLs from QR codes This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery116", + "type": "Microsoft.Common.Section", + "label": "Emails with QR codes and suspicious keywords in subject", + "elements": [ + { + "name": "huntingquery116-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery117", + 
"type": "Microsoft.Common.Section", + "label": "Emails with QR codes from non-prevalent sender", + "elements": [ + { + "name": "huntingquery117-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery118", + "type": "Microsoft.Common.Section", + "label": "Hunting for sender patterns", + "elements": [ + { + "name": "huntingquery118-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailAttachmentInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery119", + "type": "Microsoft.Common.Section", + "label": "Hunting for user signals-clusters", + "elements": [ + { + "name": "huntingquery119-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. 
This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery120", + "type": "Microsoft.Common.Section", + "label": "Inbound emails with QR code URLs", + "elements": [ + { + "name": "huntingquery120-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this query, we summarize volume of inbound emails with QR code URLs in last 30 days This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery121", + "type": "Microsoft.Common.Section", + "label": "Personalized campaigns based on the first few keywords", + "elements": [ + { + "name": "huntingquery121-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection, we track emails with personalized subjects. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery122", + "type": "Microsoft.Common.Section", + "label": "Personalized campaigns based on the last few keywords", + "elements": [ + { + "name": "huntingquery122-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection, we track emails with personalized subjects. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery123", + "type": "Microsoft.Common.Section", + "label": "Risky sign-in attempt from a non-managed device", + "elements": [ + { + "name": "huntingquery123-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device. 
This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery124", + "type": "Microsoft.Common.Section", + "label": "Suspicious sign-in attempts from QR code phishing campaigns", + "elements": [ + { + "name": "huntingquery124-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices. This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery125", + "type": "Microsoft.Common.Section", + "label": "Group quarantine release", + "elements": [ + { + "name": "huntingquery125-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery126", + "type": "Microsoft.Common.Section", + "label": "High Confidence Phish Released", + "elements": [ + { + "name": "huntingquery126-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows information about high confidence phish email that has been released from the Quarantine. 
This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery127", + "type": "Microsoft.Common.Section", + "label": "Quarantine Release Email Details", + "elements": [ + { + "name": "huntingquery127-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query shows information about email that has been released from the Quarantine in Defender for Office 365. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery128", + "type": "Microsoft.Common.Section", + "label": "Quarantine release trend", + "elements": [ + { + "name": "huntingquery128-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing quarantine release trend in Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery129", + "type": "Microsoft.Common.Section", + "label": "Listing Email Remediation Actions via Explorer", + "elements": [ + { + "name": "huntingquery129-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Listing Email Remediation Actions performed via Explorer in Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery130", + "type": "Microsoft.Common.Section", + "label": "Display Name - Spoof and Impersonation", + "elements": [ + { + "name": "huntingquery130-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] 
+ }, + { + "name": "huntingquery131", + "type": "Microsoft.Common.Section", + "label": "referral-phish-emails", + "elements": [ + { + "name": "huntingquery131-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Hunting for credential phishing using the \"Referral\" infrastructure using Defender for Office 365 data This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery132", + "type": "Microsoft.Common.Section", + "label": "Spoof and impersonation detections by sender IP", + "elements": [ + { + "name": "huntingquery132-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing count of spoof and impersonation detections done per sender IP This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery133", + "type": "Microsoft.Common.Section", + "label": "Spoof and impersonation phish detections", + "elements": [ + { + "name": "huntingquery133-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps reviewing count of phish detections done by spoof detection methods This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery134", + "type": "Microsoft.Common.Section", + "label": "User not covered under display name impersonation", + "elements": [ + { + "name": "huntingquery134-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps to find threats using display name impersonation for users not already protected with User Impersonation This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents IdentityInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery135", + "type": "Microsoft.Common.Section", + "label": "Admin reported 
submissions",
+ "elements": [
+ {
+ "name": "huntingquery135-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing admin reported email submissions This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery136",
+ "type": "Microsoft.Common.Section",
+ "label": "Status of submissions",
+ "elements": [
+ {
+ "name": "huntingquery136-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing status of submissions This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery137",
+ "type": "Microsoft.Common.Section",
+ "label": "Top submitters of admin submissions",
+ "elements": [
+ {
+ "name": "huntingquery137-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing top submitters of admin submissions This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery138",
+ "type": "Microsoft.Common.Section",
+ "label": "Top submitters of user submissions",
+ "elements": [
+ {
+ "name": "huntingquery138-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing top submitters of user submissions This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery139",
+ "type": "Microsoft.Common.Section",
+ "label": "User reported submissions",
+ "elements": [
+ {
+ "name": "huntingquery139-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing user reported email submissions This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": 
"huntingquery140",
+ "type": "Microsoft.Common.Section",
+ "label": "Attacked more than x times average",
+ "elements": [
+ {
+ "name": "huntingquery140-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing count of users attacked more than x times average. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery141",
+ "type": "Microsoft.Common.Section",
+ "label": "Malicious mails by sender IPs",
+ "elements": [
+ {
+ "name": "huntingquery141-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing sender IPs sending malicious email of type Malware or Phish This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery142",
+ "type": "Microsoft.Common.Section",
+ "label": "Top 10 URL domains attacking organization",
+ "elements": [
+ {
+ "name": "huntingquery142-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing list of top 10 URL domains attacking the organization This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents EmailUrlInfo Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery143",
+ "type": "Microsoft.Common.Section",
+ "label": "Top 10% of most attacked users",
+ "elements": [
+ {
+ "name": "huntingquery143-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing the list of top 10% of most attacked users This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery144",
+ "type": "Microsoft.Common.Section",
+ "label": "Top external malicious senders",
+ "elements": [
+ {
+ "name": "huntingquery144-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query 
helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery145",
+ "type": "Microsoft.Common.Section",
+ "label": "Top targeted users",
+ "elements": [
+ {
+ "name": "huntingquery145-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery146",
+ "type": "Microsoft.Common.Section",
+ "label": "End user malicious clicks",
+ "elements": [
+ {
+ "name": "huntingquery146-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing list of top users click on Phis URLs This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery147",
+ "type": "Microsoft.Common.Section",
+ "label": "URL click count by click action",
+ "elements": [
+ {
+ "name": "huntingquery147-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing URL click count by ClickAction This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery148",
+ "type": "Microsoft.Common.Section",
+ "label": "URL click on ZAP email",
+ "elements": [
+ {
+ "name": "huntingquery148-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Alertinfo AlertEvidence Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery149",
+ "type": "Microsoft.Common.Section",
+ "label": "URL clicks actions by URL",
+ "elements": [
+ {
+ "name": "huntingquery149-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "In this query, we are looking URL click actions by URL in the last 7 days This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery150",
+ "type": "Microsoft.Common.Section",
+ "label": "URLClick details based on malicious URL click alert",
+ "elements": [
+ {
+ "name": "huntingquery150-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Alertinfo AlertEvidence Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery151",
+ "type": "Microsoft.Common.Section",
+ "label": "User clicked through events",
+ "elements": [
+ {
+ "name": "huntingquery151-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page. 
This hunting query depends on MicrosoftThreatProtection data connector (UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery152",
+ "type": "Microsoft.Common.Section",
+ "label": "User clicks on malicious inbound emails",
+ "elements": [
+ {
+ "name": "huntingquery152-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query provides insights on users who clicked on a suspicious URL This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery153",
+ "type": "Microsoft.Common.Section",
+ "label": "User clicks on phishing URLs in emails",
+ "elements": [
+ {
+ "name": "huntingquery153-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps in determining clickthroughs when email delivered because of detection overrides. This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents UrlClickEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery154",
+ "type": "Microsoft.Common.Section",
+ "label": "PhishingEmailUrlRedirector (1)",
+ "elements": [
+ {
+ "name": "huntingquery154-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. 
This hunting query depends on MicrosoftThreatProtection data connector (EmailUrlInfo Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery155",
+ "type": "Microsoft.Common.Section",
+ "label": "SafeLinks URL detections",
+ "elements": [
+ {
+ "name": "huntingquery155-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query provides insights on the detections done by SafeLinks protection in Defender for Office 365 This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents Parser or Table)"
+ }
+ }
+ ]
+ },
+ {
+ "name": "huntingquery156",
+ "type": "Microsoft.Common.Section",
+ "label": "Total ZAP count",
+ "elements": [
+ {
+ "name": "huntingquery156-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This query helps reviewing count of total ZAP events This hunting query depends on MicrosoftThreatProtection data connector (EmailPostDeliveryEvents Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
index 941257e4f81..4ac5705ea00 100644
--- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
+++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json
@@ -351,358 +351,783 @@ }, "huntingQueryObject1": { "huntingQueryVersion1": "1.1.0", - "_huntingQuerycontentId1": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06808')))]" + "_huntingQuerycontentId1": "cdac93ef-56c0-45bf-9e7f-9cbf0ad034234", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad034234')))]" }, "huntingQueryObject2": { - "huntingQueryVersion2": "1.1.0", - "_huntingQuerycontentId2": "cdac93ef-56c0-45bf-9e7f-9cbf0ad034234", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad034234')))]" + "huntingQueryVersion2": "1.0.1", + "_huntingQuerycontentId2": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06567", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06567')))]" }, "huntingQueryObject3": { "huntingQueryVersion3": "1.0.1", - "_huntingQuerycontentId3": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06567", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06567')))]" + "_huntingQuerycontentId3": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06123", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06123')))]" }, "huntingQueryObject4": { - "huntingQueryVersion4": "1.0.1", - "_huntingQuerycontentId4": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06123", - "huntingQueryTemplateSpecName4": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06123')))]" + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "fe9edc77-1b6c-4f1e-a223-64b580b50187", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fe9edc77-1b6c-4f1e-a223-64b580b50187')))]" }, "huntingQueryObject5": { "huntingQueryVersion5": "1.0.0", - "_huntingQuerycontentId5": "fe9edc77-1b6c-4f1e-a223-64b580b50187", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fe9edc77-1b6c-4f1e-a223-64b580b50187')))]" + "_huntingQuerycontentId5": "147c4c0a-7241-4ce9-9b71-0aecb8a2b59f", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('147c4c0a-7241-4ce9-9b71-0aecb8a2b59f')))]" }, "huntingQueryObject6": { "huntingQueryVersion6": "1.0.0", - "_huntingQuerycontentId6": "147c4c0a-7241-4ce9-9b71-0aecb8a2b59f", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('147c4c0a-7241-4ce9-9b71-0aecb8a2b59f')))]" + "_huntingQuerycontentId6": "8fe88892-3a55-4220-9141-939a8e7a15c5", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8fe88892-3a55-4220-9141-939a8e7a15c5')))]" }, "huntingQueryObject7": { "huntingQueryVersion7": "1.0.0", - "_huntingQuerycontentId7": "8fe88892-3a55-4220-9141-939a8e7a15c5", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8fe88892-3a55-4220-9141-939a8e7a15c5')))]" + "_huntingQuerycontentId7": 
"e7791695-c103-4d20-a75a-53e90788616b", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e7791695-c103-4d20-a75a-53e90788616b')))]" }, "huntingQueryObject8": { "huntingQueryVersion8": "1.0.0", - "_huntingQuerycontentId8": "e7791695-c103-4d20-a75a-53e90788616b", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e7791695-c103-4d20-a75a-53e90788616b')))]" + "_huntingQuerycontentId8": "1850a459-b009-43d0-a575-8284b737eef8", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1850a459-b009-43d0-a575-8284b737eef8')))]" }, "huntingQueryObject9": { "huntingQueryVersion9": "1.0.0", - "_huntingQuerycontentId9": "1850a459-b009-43d0-a575-8284b737eef8", - "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1850a459-b009-43d0-a575-8284b737eef8')))]" + "_huntingQuerycontentId9": "d6991ef1-b225-4780-b6a6-cfe9b5278f5e", + "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d6991ef1-b225-4780-b6a6-cfe9b5278f5e')))]" }, "huntingQueryObject10": { "huntingQueryVersion10": "1.0.0", - "_huntingQuerycontentId10": "d6991ef1-b225-4780-b6a6-cfe9b5278f5e", - "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d6991ef1-b225-4780-b6a6-cfe9b5278f5e')))]" + "_huntingQuerycontentId10": "d7b7dcad-d806-4a61-b8fc-0d7c9c45bdec", + "huntingQueryTemplateSpecName10": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d7b7dcad-d806-4a61-b8fc-0d7c9c45bdec')))]" }, "huntingQueryObject11": { "huntingQueryVersion11": "1.0.0", - "_huntingQuerycontentId11": "d7b7dcad-d806-4a61-b8fc-0d7c9c45bdec", - "huntingQueryTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d7b7dcad-d806-4a61-b8fc-0d7c9c45bdec')))]" + "_huntingQuerycontentId11": "f78255b6-8f91-4cf3-a25c-e1144b7b5425", + "huntingQueryTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f78255b6-8f91-4cf3-a25c-e1144b7b5425')))]" }, "huntingQueryObject12": { "huntingQueryVersion12": "1.0.0", - "_huntingQuerycontentId12": "f78255b6-8f91-4cf3-a25c-e1144b7b5425", - "huntingQueryTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f78255b6-8f91-4cf3-a25c-e1144b7b5425')))]" + "_huntingQuerycontentId12": "76c14475-9a22-4cc1-922c-437d7f614a36", + "huntingQueryTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('76c14475-9a22-4cc1-922c-437d7f614a36')))]" }, "huntingQueryObject13": { "huntingQueryVersion13": "1.0.0", - "_huntingQuerycontentId13": "76c14475-9a22-4cc1-922c-437d7f614a36", - "huntingQueryTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('76c14475-9a22-4cc1-922c-437d7f614a36')))]" + "_huntingQuerycontentId13": "89b31213-4350-4730-8d27-26667ce53894", + "huntingQueryTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('89b31213-4350-4730-8d27-26667ce53894')))]" }, "huntingQueryObject14": { "huntingQueryVersion14": 
"1.0.0", - "_huntingQuerycontentId14": "89b31213-4350-4730-8d27-26667ce53894", - "huntingQueryTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('89b31213-4350-4730-8d27-26667ce53894')))]" + "_huntingQuerycontentId14": "79f9bb6b-6d31-412e-b3bc-6e5ad1303112", + "huntingQueryTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('79f9bb6b-6d31-412e-b3bc-6e5ad1303112')))]" }, "huntingQueryObject15": { "huntingQueryVersion15": "1.0.0", - "_huntingQuerycontentId15": "79f9bb6b-6d31-412e-b3bc-6e5ad1303112", - "huntingQueryTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('79f9bb6b-6d31-412e-b3bc-6e5ad1303112')))]" + "_huntingQuerycontentId15": "0b985ed8-aacd-41ba-9b17-489be9224159", + "huntingQueryTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0b985ed8-aacd-41ba-9b17-489be9224159')))]" }, "huntingQueryObject16": { "huntingQueryVersion16": "1.0.0", - "_huntingQuerycontentId16": "0b985ed8-aacd-41ba-9b17-489be9224159", - "huntingQueryTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0b985ed8-aacd-41ba-9b17-489be9224159')))]" + "_huntingQuerycontentId16": "abf42310-51c7-4d7f-98d2-e5af09859aab", + "huntingQueryTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('abf42310-51c7-4d7f-98d2-e5af09859aab')))]" }, "huntingQueryObject17": { "huntingQueryVersion17": "1.0.0", - "_huntingQuerycontentId17": "abf42310-51c7-4d7f-98d2-e5af09859aab", - "huntingQueryTemplateSpecName17": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('abf42310-51c7-4d7f-98d2-e5af09859aab')))]" + "_huntingQuerycontentId17": "63ecff0f-3a86-468b-8c9e-a7a88fe33ebb", + "huntingQueryTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('63ecff0f-3a86-468b-8c9e-a7a88fe33ebb')))]" }, "huntingQueryObject18": { "huntingQueryVersion18": "1.0.0", - "_huntingQuerycontentId18": "63ecff0f-3a86-468b-8c9e-a7a88fe33ebb", - "huntingQueryTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('63ecff0f-3a86-468b-8c9e-a7a88fe33ebb')))]" + "_huntingQuerycontentId18": "fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7", + "huntingQueryTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')))]" }, "huntingQueryObject19": { "huntingQueryVersion19": "1.0.0", - "_huntingQuerycontentId19": "fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7", - "huntingQueryTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fa2f7d8a-6726-465a-aa72-6f6e3d4c99d7')))]" + "_huntingQuerycontentId19": "14694b88-a6e9-4cd1-9c4a-e382bdd82d8d", + "huntingQueryTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('14694b88-a6e9-4cd1-9c4a-e382bdd82d8d')))]" }, "huntingQueryObject20": { "huntingQueryVersion20": "1.0.0", - "_huntingQuerycontentId20": "14694b88-a6e9-4cd1-9c4a-e382bdd82d8d", - "huntingQueryTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('14694b88-a6e9-4cd1-9c4a-e382bdd82d8d')))]" + "_huntingQuerycontentId20": 
"bba7bbbe-5aa3-4c08-bd23-dd6cd8ccaf20", + "huntingQueryTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bba7bbbe-5aa3-4c08-bd23-dd6cd8ccaf20')))]" }, "huntingQueryObject21": { "huntingQueryVersion21": "1.0.0", - "_huntingQuerycontentId21": "bba7bbbe-5aa3-4c08-bd23-dd6cd8ccaf20", - "huntingQueryTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bba7bbbe-5aa3-4c08-bd23-dd6cd8ccaf20')))]" + "_huntingQuerycontentId21": "7a5597de-7e99-470d-944f-acb163b9cb14", + "huntingQueryTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7a5597de-7e99-470d-944f-acb163b9cb14')))]" }, "huntingQueryObject22": { "huntingQueryVersion22": "1.0.0", - "_huntingQuerycontentId22": "7a5597de-7e99-470d-944f-acb163b9cb14", - "huntingQueryTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7a5597de-7e99-470d-944f-acb163b9cb14')))]" + "_huntingQuerycontentId22": "58e6170e-0512-4485-9638-463fdde85b0e", + "huntingQueryTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('58e6170e-0512-4485-9638-463fdde85b0e')))]" }, "huntingQueryObject23": { "huntingQueryVersion23": "1.0.0", - "_huntingQuerycontentId23": "58e6170e-0512-4485-9638-463fdde85b0e", - "huntingQueryTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('58e6170e-0512-4485-9638-463fdde85b0e')))]" + "_huntingQuerycontentId23": "fe912310-32f5-4256-933b-d4b45e7e6e54", + "huntingQueryTemplateSpecName23": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fe912310-32f5-4256-933b-d4b45e7e6e54')))]" }, "huntingQueryObject24": { "huntingQueryVersion24": "1.0.0", - "_huntingQuerycontentId24": "fe912310-32f5-4256-933b-d4b45e7e6e54", - "huntingQueryTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fe912310-32f5-4256-933b-d4b45e7e6e54')))]" + "_huntingQuerycontentId24": "3842e70d-45be-43b1-8206-4ebc4c305f34", + "huntingQueryTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3842e70d-45be-43b1-8206-4ebc4c305f34')))]" }, "huntingQueryObject25": { "huntingQueryVersion25": "1.0.0", - "_huntingQuerycontentId25": "3842e70d-45be-43b1-8206-4ebc4c305f34", - "huntingQueryTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3842e70d-45be-43b1-8206-4ebc4c305f34')))]" + "_huntingQuerycontentId25": "81f02314-2ff5-45cb-a35d-0deb546a0104", + "huntingQueryTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('81f02314-2ff5-45cb-a35d-0deb546a0104')))]" }, "huntingQueryObject26": { "huntingQueryVersion26": "1.0.0", - "_huntingQuerycontentId26": "81f02314-2ff5-45cb-a35d-0deb546a0104", - "huntingQueryTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('81f02314-2ff5-45cb-a35d-0deb546a0104')))]" + "_huntingQuerycontentId26": "f350f0e7-0e52-434c-a113-197883219f00", + "huntingQueryTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f350f0e7-0e52-434c-a113-197883219f00')))]" }, "huntingQueryObject27": { "huntingQueryVersion27": 
"1.0.0", - "_huntingQuerycontentId27": "f350f0e7-0e52-434c-a113-197883219f00", - "huntingQueryTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f350f0e7-0e52-434c-a113-197883219f00')))]" + "_huntingQuerycontentId27": "0b5b076b-9a1c-440c-a11f-8471a75f46fd", + "huntingQueryTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0b5b076b-9a1c-440c-a11f-8471a75f46fd')))]" }, "huntingQueryObject28": { "huntingQueryVersion28": "1.0.0", - "_huntingQuerycontentId28": "0b5b076b-9a1c-440c-a11f-8471a75f46fd", - "huntingQueryTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0b5b076b-9a1c-440c-a11f-8471a75f46fd')))]" + "_huntingQuerycontentId28": "2d16b6fc-eb63-491c-a2c2-1160e2e41dcf", + "huntingQueryTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2d16b6fc-eb63-491c-a2c2-1160e2e41dcf')))]" }, "huntingQueryObject29": { "huntingQueryVersion29": "1.0.0", - "_huntingQuerycontentId29": "2d16b6fc-eb63-491c-a2c2-1160e2e41dcf", - "huntingQueryTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2d16b6fc-eb63-491c-a2c2-1160e2e41dcf')))]" + "_huntingQuerycontentId29": "084a6349-b3d6-4528-91e4-4de5d52424e5", + "huntingQueryTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('084a6349-b3d6-4528-91e4-4de5d52424e5')))]" }, "huntingQueryObject30": { "huntingQueryVersion30": "1.0.0", - "_huntingQuerycontentId30": "084a6349-b3d6-4528-91e4-4de5d52424e5", - "huntingQueryTemplateSpecName30": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('084a6349-b3d6-4528-91e4-4de5d52424e5')))]" + "_huntingQuerycontentId30": "c5b3e559-7c44-442c-9e73-c753abb02c13", + "huntingQueryTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c5b3e559-7c44-442c-9e73-c753abb02c13')))]" }, "huntingQueryObject31": { "huntingQueryVersion31": "1.0.0", - "_huntingQuerycontentId31": "c5b3e559-7c44-442c-9e73-c753abb02c13", - "huntingQueryTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c5b3e559-7c44-442c-9e73-c753abb02c13')))]" + "_huntingQuerycontentId31": "0efbcea0-1dc0-4844-8a9c-3a1d98fc1697", + "huntingQueryTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0efbcea0-1dc0-4844-8a9c-3a1d98fc1697')))]" }, "huntingQueryObject32": { "huntingQueryVersion32": "1.0.0", - "_huntingQuerycontentId32": "0efbcea0-1dc0-4844-8a9c-3a1d98fc1697", - "huntingQueryTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0efbcea0-1dc0-4844-8a9c-3a1d98fc1697')))]" + "_huntingQuerycontentId32": "8f404352-c4ff-44d1-8d70-c50ee2fad8f8", + "huntingQueryTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8f404352-c4ff-44d1-8d70-c50ee2fad8f8')))]" }, "huntingQueryObject33": { - "huntingQueryVersion33": "1.0.0", - "_huntingQuerycontentId33": "8f404352-c4ff-44d1-8d70-c50ee2fad8f8", - "huntingQueryTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8f404352-c4ff-44d1-8d70-c50ee2fad8f8')))]" + "huntingQueryVersion33": "1.0.1", + 
"_huntingQuerycontentId33": "2bdd260c-c687-4cb2-9992-87e5ce677678", + "huntingQueryTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2bdd260c-c687-4cb2-9992-87e5ce677678')))]" }, "huntingQueryObject34": { - "huntingQueryVersion34": "1.0.1", - "_huntingQuerycontentId34": "2bdd260c-c687-4cb2-9992-87e5ce677678", - "huntingQueryTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2bdd260c-c687-4cb2-9992-87e5ce677678')))]" + "huntingQueryVersion34": "1.0.0", + "_huntingQuerycontentId34": "e17ddfc6-7478-443b-99ff-286f3d09b8aa", + "huntingQueryTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e17ddfc6-7478-443b-99ff-286f3d09b8aa')))]" }, "huntingQueryObject35": { "huntingQueryVersion35": "1.0.0", - "_huntingQuerycontentId35": "e17ddfc6-7478-443b-99ff-286f3d09b8aa", - "huntingQueryTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e17ddfc6-7478-443b-99ff-286f3d09b8aa')))]" + "_huntingQuerycontentId35": "4095e430-d3f4-426f-92c5-aa5c5e137ca0", + "huntingQueryTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4095e430-d3f4-426f-92c5-aa5c5e137ca0')))]" }, "huntingQueryObject36": { "huntingQueryVersion36": "1.0.0", - "_huntingQuerycontentId36": "4095e430-d3f4-426f-92c5-aa5c5e137ca0", - "huntingQueryTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4095e430-d3f4-426f-92c5-aa5c5e137ca0')))]" + "_huntingQuerycontentId36": "cedc5bfa-01f6-4e54-b87b-1edbe430e27a", + "huntingQueryTemplateSpecName36": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cedc5bfa-01f6-4e54-b87b-1edbe430e27a')))]" }, "huntingQueryObject37": { "huntingQueryVersion37": "1.0.0", - "_huntingQuerycontentId37": "cedc5bfa-01f6-4e54-b87b-1edbe430e27a", - "huntingQueryTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cedc5bfa-01f6-4e54-b87b-1edbe430e27a')))]" + "_huntingQuerycontentId37": "63142c12-5d8b-48cf-a0f6-b523c855497c", + "huntingQueryTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('63142c12-5d8b-48cf-a0f6-b523c855497c')))]" }, "huntingQueryObject38": { "huntingQueryVersion38": "1.0.0", - "_huntingQuerycontentId38": "63142c12-5d8b-48cf-a0f6-b523c855497c", - "huntingQueryTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('63142c12-5d8b-48cf-a0f6-b523c855497c')))]" + "_huntingQuerycontentId38": "1ddee78f-7508-4f4a-9b6b-d2927724217d", + "huntingQueryTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1ddee78f-7508-4f4a-9b6b-d2927724217d')))]" }, "huntingQueryObject39": { "huntingQueryVersion39": "1.0.0", - "_huntingQuerycontentId39": "1ddee78f-7508-4f4a-9b6b-d2927724217d", - "huntingQueryTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1ddee78f-7508-4f4a-9b6b-d2927724217d')))]" + "_huntingQuerycontentId39": "4f669adc-2c00-4bc8-896b-e59f068dcb18", + "huntingQueryTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4f669adc-2c00-4bc8-896b-e59f068dcb18')))]" }, "huntingQueryObject40": { "huntingQueryVersion40": 
"1.0.0", - "_huntingQuerycontentId40": "4f669adc-2c00-4bc8-896b-e59f068dcb18", - "huntingQueryTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4f669adc-2c00-4bc8-896b-e59f068dcb18')))]" + "_huntingQuerycontentId40": "853bacff-45cf-42f2-b2a6-6727fcf183ef", + "huntingQueryTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('853bacff-45cf-42f2-b2a6-6727fcf183ef')))]" }, "huntingQueryObject41": { "huntingQueryVersion41": "1.0.0", - "_huntingQuerycontentId41": "853bacff-45cf-42f2-b2a6-6727fcf183ef", - "huntingQueryTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('853bacff-45cf-42f2-b2a6-6727fcf183ef')))]" + "_huntingQuerycontentId41": "3dd9ab09-0ea3-4f47-ba10-f84045ab52c3", + "huntingQueryTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3dd9ab09-0ea3-4f47-ba10-f84045ab52c3')))]" }, "huntingQueryObject42": { "huntingQueryVersion42": "1.0.0", - "_huntingQuerycontentId42": "3dd9ab09-0ea3-4f47-ba10-f84045ab52c3", - "huntingQueryTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3dd9ab09-0ea3-4f47-ba10-f84045ab52c3')))]" + "_huntingQuerycontentId42": "4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77", + "huntingQueryTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77')))]" }, "huntingQueryObject43": { "huntingQueryVersion43": "1.0.0", - "_huntingQuerycontentId43": "4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77", - "huntingQueryTemplateSpecName43": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4dd31bd5-11a3-4b9c-a7c5-4927ab4f2a77')))]" + "_huntingQuerycontentId43": "74cc0176-3900-440e-b179-45d6a957145a", + "huntingQueryTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('74cc0176-3900-440e-b179-45d6a957145a')))]" }, "huntingQueryObject44": { "huntingQueryVersion44": "1.0.0", - "_huntingQuerycontentId44": "74cc0176-3900-440e-b179-45d6a957145a", - "huntingQueryTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('74cc0176-3900-440e-b179-45d6a957145a')))]" + "_huntingQuerycontentId44": "e18109aa-f252-48ec-b115-1b7c16e1174f", + "huntingQueryTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e18109aa-f252-48ec-b115-1b7c16e1174f')))]" }, "huntingQueryObject45": { "huntingQueryVersion45": "1.0.0", - "_huntingQuerycontentId45": "e18109aa-f252-48ec-b115-1b7c16e1174f", - "huntingQueryTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e18109aa-f252-48ec-b115-1b7c16e1174f')))]" + "_huntingQuerycontentId45": "aa3a8508-c0ff-404d-8d5c-4e7f548b0d86", + "huntingQueryTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('aa3a8508-c0ff-404d-8d5c-4e7f548b0d86')))]" }, "huntingQueryObject46": { "huntingQueryVersion46": "1.0.0", - "_huntingQuerycontentId46": "aa3a8508-c0ff-404d-8d5c-4e7f548b0d86", - "huntingQueryTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('aa3a8508-c0ff-404d-8d5c-4e7f548b0d86')))]" + "_huntingQuerycontentId46": 
"9674f529-f0e9-4305-862d-479ccc9e28f1", + "huntingQueryTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9674f529-f0e9-4305-862d-479ccc9e28f1')))]" }, "huntingQueryObject47": { "huntingQueryVersion47": "1.0.0", - "_huntingQuerycontentId47": "9674f529-f0e9-4305-862d-479ccc9e28f1", - "huntingQueryTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9674f529-f0e9-4305-862d-479ccc9e28f1')))]" + "_huntingQuerycontentId47": "180bacfd-18de-450a-8e0c-7d2fa399ca49", + "huntingQueryTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('180bacfd-18de-450a-8e0c-7d2fa399ca49')))]" }, "huntingQueryObject48": { "huntingQueryVersion48": "1.0.0", - "_huntingQuerycontentId48": "180bacfd-18de-450a-8e0c-7d2fa399ca49", - "huntingQueryTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('180bacfd-18de-450a-8e0c-7d2fa399ca49')))]" + "_huntingQuerycontentId48": "4d11f63f-5b64-416e-8d77-266e4c6d382e", + "huntingQueryTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4d11f63f-5b64-416e-8d77-266e4c6d382e')))]" }, "huntingQueryObject49": { "huntingQueryVersion49": "1.0.0", - "_huntingQuerycontentId49": "4d11f63f-5b64-416e-8d77-266e4c6d382e", - "huntingQueryTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4d11f63f-5b64-416e-8d77-266e4c6d382e')))]" + "_huntingQuerycontentId49": "846bf25e-3d2d-4122-9b60-adfadd2fc616", + "huntingQueryTemplateSpecName49": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('846bf25e-3d2d-4122-9b60-adfadd2fc616')))]" }, "huntingQueryObject50": { "huntingQueryVersion50": "1.0.0", - "_huntingQuerycontentId50": "846bf25e-3d2d-4122-9b60-adfadd2fc616", - "huntingQueryTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('846bf25e-3d2d-4122-9b60-adfadd2fc616')))]" + "_huntingQuerycontentId50": "4713d763-122d-419c-bf6f-bdef111cd8e2", + "huntingQueryTemplateSpecName50": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4713d763-122d-419c-bf6f-bdef111cd8e2')))]" }, "huntingQueryObject51": { "huntingQueryVersion51": "1.0.0", - "_huntingQuerycontentId51": "4713d763-122d-419c-bf6f-bdef111cd8e2", - "huntingQueryTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4713d763-122d-419c-bf6f-bdef111cd8e2')))]" + "_huntingQuerycontentId51": "b3470e40-39ae-4c28-9282-440038f6f964", + "huntingQueryTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b3470e40-39ae-4c28-9282-440038f6f964')))]" }, "huntingQueryObject52": { "huntingQueryVersion52": "1.0.0", - "_huntingQuerycontentId52": "b3470e40-39ae-4c28-9282-440038f6f964", - "huntingQueryTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b3470e40-39ae-4c28-9282-440038f6f964')))]" + "_huntingQuerycontentId52": "a18e8bcf-e05d-4e45-bc6e-2c5004729fbd", + "huntingQueryTemplateSpecName52": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a18e8bcf-e05d-4e45-bc6e-2c5004729fbd')))]" }, "huntingQueryObject53": { "huntingQueryVersion53": 
"1.0.0", - "_huntingQuerycontentId53": "a18e8bcf-e05d-4e45-bc6e-2c5004729fbd", - "huntingQueryTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a18e8bcf-e05d-4e45-bc6e-2c5004729fbd')))]" + "_huntingQuerycontentId53": "6284b962-ab0d-46d8-a47f-1eb1ac1be463", + "huntingQueryTemplateSpecName53": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6284b962-ab0d-46d8-a47f-1eb1ac1be463')))]" }, "huntingQueryObject54": { "huntingQueryVersion54": "1.0.0", - "_huntingQuerycontentId54": "6284b962-ab0d-46d8-a47f-1eb1ac1be463", - "huntingQueryTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6284b962-ab0d-46d8-a47f-1eb1ac1be463')))]" + "_huntingQuerycontentId54": "b1f8aac2-766d-47ec-8787-84bc7692ff77", + "huntingQueryTemplateSpecName54": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b1f8aac2-766d-47ec-8787-84bc7692ff77')))]" }, "huntingQueryObject55": { "huntingQueryVersion55": "1.0.0", - "_huntingQuerycontentId55": "b1f8aac2-766d-47ec-8787-84bc7692ff77", - "huntingQueryTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b1f8aac2-766d-47ec-8787-84bc7692ff77')))]" + "_huntingQuerycontentId55": "54ea2379-28e7-48e1-8dfd-aaf8fb1331ba", + "huntingQueryTemplateSpecName55": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('54ea2379-28e7-48e1-8dfd-aaf8fb1331ba')))]" }, "huntingQueryObject56": { "huntingQueryVersion56": "1.0.0", - "_huntingQuerycontentId56": "54ea2379-28e7-48e1-8dfd-aaf8fb1331ba", - "huntingQueryTemplateSpecName56": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('54ea2379-28e7-48e1-8dfd-aaf8fb1331ba')))]" + "_huntingQuerycontentId56": "29683151-e15d-4c0c-845b-892be89bf080", + "huntingQueryTemplateSpecName56": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('29683151-e15d-4c0c-845b-892be89bf080')))]" }, "huntingQueryObject57": { "huntingQueryVersion57": "1.0.0", - "_huntingQuerycontentId57": "29683151-e15d-4c0c-845b-892be89bf080", - "huntingQueryTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('29683151-e15d-4c0c-845b-892be89bf080')))]" + "_huntingQuerycontentId57": "35ca729c-04b4-4f6c-b383-caed1b85226e", + "huntingQueryTemplateSpecName57": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('35ca729c-04b4-4f6c-b383-caed1b85226e')))]" }, "huntingQueryObject58": { "huntingQueryVersion58": "1.0.0", - "_huntingQuerycontentId58": "35ca729c-04b4-4f6c-b383-caed1b85226e", - "huntingQueryTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('35ca729c-04b4-4f6c-b383-caed1b85226e')))]" + "_huntingQuerycontentId58": "761230a3-71ad-4522-bfbc-1dca698ffc42", + "huntingQueryTemplateSpecName58": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('761230a3-71ad-4522-bfbc-1dca698ffc42')))]" }, "huntingQueryObject59": { "huntingQueryVersion59": "1.0.0", - "_huntingQuerycontentId59": "761230a3-71ad-4522-bfbc-1dca698ffc42", - "huntingQueryTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('761230a3-71ad-4522-bfbc-1dca698ffc42')))]" + "_huntingQuerycontentId59": 
"daa347a4-8251-43a7-9730-32f22aa741ab", + "huntingQueryTemplateSpecName59": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('daa347a4-8251-43a7-9730-32f22aa741ab')))]" }, "huntingQueryObject60": { "huntingQueryVersion60": "1.0.0", - "_huntingQuerycontentId60": "daa347a4-8251-43a7-9730-32f22aa741ab", - "huntingQueryTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('daa347a4-8251-43a7-9730-32f22aa741ab')))]" + "_huntingQuerycontentId60": "3cc2127f-d9ca-46a0-9628-89f702be82b3", + "huntingQueryTemplateSpecName60": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3cc2127f-d9ca-46a0-9628-89f702be82b3')))]" }, "huntingQueryObject61": { "huntingQueryVersion61": "1.0.0", - "_huntingQuerycontentId61": "3cc2127f-d9ca-46a0-9628-89f702be82b3", - "huntingQueryTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3cc2127f-d9ca-46a0-9628-89f702be82b3')))]" + "_huntingQuerycontentId61": "8722489a-d6f1-4b66-98e9-e3dfda902019", + "huntingQueryTemplateSpecName61": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8722489a-d6f1-4b66-98e9-e3dfda902019')))]" }, "huntingQueryObject62": { "huntingQueryVersion62": "1.0.0", - "_huntingQuerycontentId62": "8722489a-d6f1-4b66-98e9-e3dfda902019", - "huntingQueryTemplateSpecName62": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8722489a-d6f1-4b66-98e9-e3dfda902019')))]" + "_huntingQuerycontentId62": "a7214393-9da7-432e-9b41-fb02b4f740bd", + "huntingQueryTemplateSpecName62": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a7214393-9da7-432e-9b41-fb02b4f740bd')))]" }, "huntingQueryObject63": { "huntingQueryVersion63": "1.0.0", - "_huntingQuerycontentId63": "a7214393-9da7-432e-9b41-fb02b4f740bd", - "huntingQueryTemplateSpecName63": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a7214393-9da7-432e-9b41-fb02b4f740bd')))]" + "_huntingQuerycontentId63": "d0585c34-1b03-473c-938d-11fe73f7e053", + "huntingQueryTemplateSpecName63": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d0585c34-1b03-473c-938d-11fe73f7e053')))]" }, "huntingQueryObject64": { "huntingQueryVersion64": "1.0.0", - "_huntingQuerycontentId64": "d0585c34-1b03-473c-938d-11fe73f7e053", - "huntingQueryTemplateSpecName64": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d0585c34-1b03-473c-938d-11fe73f7e053')))]" + "_huntingQuerycontentId64": "96976bb1-1993-45b8-a477-8236ee93976b", + "huntingQueryTemplateSpecName64": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('96976bb1-1993-45b8-a477-8236ee93976b')))]" }, "huntingQueryObject65": { "huntingQueryVersion65": "1.0.0", - "_huntingQuerycontentId65": "96976bb1-1993-45b8-a477-8236ee93976b", - "huntingQueryTemplateSpecName65": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('96976bb1-1993-45b8-a477-8236ee93976b')))]" + "_huntingQuerycontentId65": "1299962c-804e-459a-8d3d-41d68bc45ba2", + "huntingQueryTemplateSpecName65": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1299962c-804e-459a-8d3d-41d68bc45ba2')))]" }, "huntingQueryObject66": { "huntingQueryVersion66": 
"1.0.0", - "_huntingQuerycontentId66": "1299962c-804e-459a-8d3d-41d68bc45ba2", - "huntingQueryTemplateSpecName66": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1299962c-804e-459a-8d3d-41d68bc45ba2')))]" + "_huntingQuerycontentId66": "06ea5081-cdea-40c8-b829-240ece951243", + "huntingQueryTemplateSpecName66": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('06ea5081-cdea-40c8-b829-240ece951243')))]" }, "huntingQueryObject67": { "huntingQueryVersion67": "1.0.0", - "_huntingQuerycontentId67": "06ea5081-cdea-40c8-b829-240ece951243", - "huntingQueryTemplateSpecName67": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('06ea5081-cdea-40c8-b829-240ece951243')))]" + "_huntingQuerycontentId67": "f086d58b-c44b-4fae-903b-f65ad042a4ee", + "huntingQueryTemplateSpecName67": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f086d58b-c44b-4fae-903b-f65ad042a4ee')))]" }, "huntingQueryObject68": { "huntingQueryVersion68": "1.0.0", - "_huntingQuerycontentId68": "f086d58b-c44b-4fae-903b-f65ad042a4ee", - "huntingQueryTemplateSpecName68": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f086d58b-c44b-4fae-903b-f65ad042a4ee')))]" + "_huntingQuerycontentId68": "88707168-d4a4-4ca7-a516-b2ee0310af1b", + "huntingQueryTemplateSpecName68": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('88707168-d4a4-4ca7-a516-b2ee0310af1b')))]" }, "huntingQueryObject69": { "huntingQueryVersion69": "1.0.0", - "_huntingQuerycontentId69": "88707168-d4a4-4ca7-a516-b2ee0310af1b", - "huntingQueryTemplateSpecName69": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('88707168-d4a4-4ca7-a516-b2ee0310af1b')))]" + "_huntingQuerycontentId69": "cb2fb8f9-89bd-485e-8422-da8cb6c7bc23", + "huntingQueryTemplateSpecName69": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cb2fb8f9-89bd-485e-8422-da8cb6c7bc23')))]" }, "huntingQueryObject70": { "huntingQueryVersion70": "1.0.0", - "_huntingQuerycontentId70": "cb2fb8f9-89bd-485e-8422-da8cb6c7bc23", - "huntingQueryTemplateSpecName70": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cb2fb8f9-89bd-485e-8422-da8cb6c7bc23')))]" + "_huntingQuerycontentId70": "829cf5ba-39d5-4986-814e-d46f8437c27b", + "huntingQueryTemplateSpecName70": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('829cf5ba-39d5-4986-814e-d46f8437c27b')))]" }, "huntingQueryObject71": { "huntingQueryVersion71": "1.0.0", - "_huntingQuerycontentId71": "829cf5ba-39d5-4986-814e-d46f8437c27b", - "huntingQueryTemplateSpecName71": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('829cf5ba-39d5-4986-814e-d46f8437c27b')))]" + "_huntingQuerycontentId71": "518e6938-10ef-4165-af19-82f1287141bc", + "huntingQueryTemplateSpecName71": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('518e6938-10ef-4165-af19-82f1287141bc')))]" + }, + "huntingQueryObject72": { + "huntingQueryVersion72": "1.0.0", + "_huntingQuerycontentId72": "b6392f39-a1f4-4ec8-8689-4cb9d28c295a", + "huntingQueryTemplateSpecName72": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b6392f39-a1f4-4ec8-8689-4cb9d28c295a')))]" + }, + "huntingQueryObject73": { + 
"huntingQueryVersion73": "1.0.0", + "_huntingQuerycontentId73": "16eda414-1550-4cdc-8512-0769901d3f05", + "huntingQueryTemplateSpecName73": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('16eda414-1550-4cdc-8512-0769901d3f05')))]" + }, + "huntingQueryObject74": { + "huntingQueryVersion74": "1.0.0", + "_huntingQuerycontentId74": "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422", + "huntingQueryTemplateSpecName74": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422')))]" + }, + "huntingQueryObject75": { + "huntingQueryVersion75": "1.0.0", + "_huntingQuerycontentId75": "5971f2e7-1bb2-4170-aa7a-577ed8a45c72", + "huntingQueryTemplateSpecName75": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('5971f2e7-1bb2-4170-aa7a-577ed8a45c72')))]" + }, + "huntingQueryObject76": { + "huntingQueryVersion76": "1.0.0", + "_huntingQuerycontentId76": "ba1a91ad-1f99-4386-b191-06a76ef213f8", + "huntingQueryTemplateSpecName76": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ba1a91ad-1f99-4386-b191-06a76ef213f8')))]" + }, + "huntingQueryObject77": { + "huntingQueryVersion77": "1.0.0", + "_huntingQuerycontentId77": "bc2d8214-afb6-4876-b210-25b69325b9b2", + "huntingQueryTemplateSpecName77": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bc2d8214-afb6-4876-b210-25b69325b9b2')))]" + }, + "huntingQueryObject78": { + "huntingQueryVersion78": "1.0.0", + "_huntingQuerycontentId78": "712ffdd8-ddce-4372-85dd-063029b418cf", + "huntingQueryTemplateSpecName78": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('712ffdd8-ddce-4372-85dd-063029b418cf')))]" + }, + "huntingQueryObject79": 
{ + "huntingQueryVersion79": "1.0.0", + "_huntingQuerycontentId79": "deb4b2c6-c10e-4044-8cf4-84243e40db73", + "huntingQueryTemplateSpecName79": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('deb4b2c6-c10e-4044-8cf4-84243e40db73')))]" + }, + "huntingQueryObject80": { + "huntingQueryVersion80": "1.0.0", + "_huntingQuerycontentId80": "81ede5df-2ec3-40a5-9dff-1fe6a841079d", + "huntingQueryTemplateSpecName80": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('81ede5df-2ec3-40a5-9dff-1fe6a841079d')))]" + }, + "huntingQueryObject81": { + "huntingQueryVersion81": "1.0.0", + "_huntingQuerycontentId81": "63c799bc-7567-4e4d-97be-e143fcfaa333", + "huntingQueryTemplateSpecName81": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('63c799bc-7567-4e4d-97be-e143fcfaa333')))]" + }, + "huntingQueryObject82": { + "huntingQueryVersion82": "1.0.0", + "_huntingQuerycontentId82": "92b76a34-502e-4a53-93ec-9fc37c3b358c", + "huntingQueryTemplateSpecName82": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('92b76a34-502e-4a53-93ec-9fc37c3b358c')))]" + }, + "huntingQueryObject83": { + "huntingQueryVersion83": "1.0.0", + "_huntingQuerycontentId83": "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935", + "huntingQueryTemplateSpecName83": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935')))]" + }, + "huntingQueryObject84": { + "huntingQueryVersion84": "1.0.0", + "_huntingQuerycontentId84": "e6259b03-622e-4e11-9c54-94987dad7c14", + "huntingQueryTemplateSpecName84": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e6259b03-622e-4e11-9c54-94987dad7c14')))]" + }, + 
"huntingQueryObject85": { + "huntingQueryVersion85": "1.0.0", + "_huntingQuerycontentId85": "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72", + "huntingQueryTemplateSpecName85": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72')))]" + }, + "huntingQueryObject86": { + "huntingQueryVersion86": "1.0.0", + "_huntingQuerycontentId86": "57f95ba7-938d-4a76-b411-c01034c0d167", + "huntingQueryTemplateSpecName86": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('57f95ba7-938d-4a76-b411-c01034c0d167')))]" + }, + "huntingQueryObject87": { + "huntingQueryVersion87": "1.0.0", + "_huntingQuerycontentId87": "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe", + "huntingQueryTemplateSpecName87": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe')))]" + }, + "huntingQueryObject88": { + "huntingQueryVersion88": "1.0.0", + "_huntingQuerycontentId88": "54569b06-47fc-41ae-9b00-f7d9b61337b6", + "huntingQueryTemplateSpecName88": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('54569b06-47fc-41ae-9b00-f7d9b61337b6')))]" + }, + "huntingQueryObject89": { + "huntingQueryVersion89": "1.0.0", + "_huntingQuerycontentId89": "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2", + "huntingQueryTemplateSpecName89": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('430a9c0d-f3ce-46a3-a994-92b3ada0d1b2')))]" + }, + "huntingQueryObject90": { + "huntingQueryVersion90": "1.0.0", + "_huntingQuerycontentId90": "b95994d1-1008-4c42-a74f-9f2967e39ed6", + "huntingQueryTemplateSpecName90": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b95994d1-1008-4c42-a74f-9f2967e39ed6')))]" + 
}, + "huntingQueryObject91": { + "huntingQueryVersion91": "1.0.0", + "_huntingQuerycontentId91": "f840db5b-87c9-43c8-a8c3-5b6b83838cd4", + "huntingQueryTemplateSpecName91": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f840db5b-87c9-43c8-a8c3-5b6b83838cd4')))]" + }, + "huntingQueryObject92": { + "huntingQueryVersion92": "1.0.0", + "_huntingQuerycontentId92": "a96c1571-1f7d-48dc-8287-7df5a5f0d987", + "huntingQueryTemplateSpecName92": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a96c1571-1f7d-48dc-8287-7df5a5f0d987')))]" + }, + "huntingQueryObject93": { + "huntingQueryVersion93": "1.0.0", + "_huntingQuerycontentId93": "2c6e7f75-d83c-4344-afdc-83335fe550e6", + "huntingQueryTemplateSpecName93": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2c6e7f75-d83c-4344-afdc-83335fe550e6')))]" + }, + "huntingQueryObject94": { + "huntingQueryVersion94": "1.0.0", + "_huntingQuerycontentId94": "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6", + "huntingQueryTemplateSpecName94": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1c51e10e-7f77-40bc-bd37-6aa55cdf94d6')))]" + }, + "huntingQueryObject95": { + "huntingQueryVersion95": "1.0.0", + "_huntingQuerycontentId95": "da7b973a-0045-4fd6-9161-269369336d24", + "huntingQueryTemplateSpecName95": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('da7b973a-0045-4fd6-9161-269369336d24')))]" + }, + "huntingQueryObject96": { + "huntingQueryVersion96": "1.0.0", + "_huntingQuerycontentId96": "6b478186-da3b-4d71-beaa-aa5b42908499", + "huntingQueryTemplateSpecName96": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6b478186-da3b-4d71-beaa-aa5b42908499')))]" + }, + "huntingQueryObject97": { + "huntingQueryVersion97": "1.0.0", + "_huntingQuerycontentId97": "da932998-81dd-4be4-963c-f4890cb4192e", + "huntingQueryTemplateSpecName97": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('da932998-81dd-4be4-963c-f4890cb4192e')))]" + }, + "huntingQueryObject98": { + "huntingQueryVersion98": "1.0.0", + "_huntingQuerycontentId98": "b2beec6a-2c1c-4319-a191-e70c2ee42857", + "huntingQueryTemplateSpecName98": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b2beec6a-2c1c-4319-a191-e70c2ee42857')))]" + }, + "huntingQueryObject99": { + "huntingQueryVersion99": "1.0.0", + "_huntingQuerycontentId99": "12225f50-9d41-4b78-8269-cc127d98654c", + "huntingQueryTemplateSpecName99": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('12225f50-9d41-4b78-8269-cc127d98654c')))]" + }, + "huntingQueryObject100": { + "huntingQueryVersion100": "1.0.0", + "_huntingQuerycontentId100": "cadf6e78-2a9a-4fb5-b788-30a592d699d3", + "huntingQueryTemplateSpecName100": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cadf6e78-2a9a-4fb5-b788-30a592d699d3')))]" + }, + "huntingQueryObject101": { + "huntingQueryVersion101": "1.0.0", + "_huntingQuerycontentId101": "95b0c7ed-2853-4343-80a9-ab076cf31e51", + "huntingQueryTemplateSpecName101": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('95b0c7ed-2853-4343-80a9-ab076cf31e51')))]" + }, + "huntingQueryObject102": { + "huntingQueryVersion102": "1.0.0", + "_huntingQuerycontentId102": "439f817c-845c-4dda-a8d9-5c1f6831cee9", + 
"huntingQueryTemplateSpecName102": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('439f817c-845c-4dda-a8d9-5c1f6831cee9')))]" + }, + "huntingQueryObject103": { + "huntingQueryVersion103": "1.0.0", + "_huntingQuerycontentId103": "07c85687-6dee-4266-9345-1e34de85d989", + "huntingQueryTemplateSpecName103": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('07c85687-6dee-4266-9345-1e34de85d989')))]" + }, + "huntingQueryObject104": { + "huntingQueryVersion104": "1.0.0", + "_huntingQuerycontentId104": "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea", + "huntingQueryTemplateSpecName104": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('23dbd58b-23ce-42ae-b4d1-0dfdd35871ea')))]" + }, + "huntingQueryObject105": { + "huntingQueryVersion105": "1.0.0", + "_huntingQuerycontentId105": "a3619c75-a927-4dbb-91cc-9adc55e95bda", + "huntingQueryTemplateSpecName105": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a3619c75-a927-4dbb-91cc-9adc55e95bda')))]" + }, + "huntingQueryObject106": { + "huntingQueryVersion106": "1.0.0", + "_huntingQuerycontentId106": "fd68706e-8e3e-4ccd-9230-1f267bdad4c8", + "huntingQueryTemplateSpecName106": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fd68706e-8e3e-4ccd-9230-1f267bdad4c8')))]" + }, + "huntingQueryObject107": { + "huntingQueryVersion107": "1.0.0", + "_huntingQuerycontentId107": "c73ae295-d120-4f79-aaed-de005f766ad2", + "huntingQueryTemplateSpecName107": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c73ae295-d120-4f79-aaed-de005f766ad2')))]" + }, + "huntingQueryObject108": { + "huntingQueryVersion108": "1.0.0", + "_huntingQuerycontentId108": 
"fe2cb53e-4eb3-4676-87c1-f80d2813f542", + "huntingQueryTemplateSpecName108": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('fe2cb53e-4eb3-4676-87c1-f80d2813f542')))]" + }, + "huntingQueryObject109": { + "huntingQueryVersion109": "1.0.0", + "_huntingQuerycontentId109": "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9", + "huntingQueryTemplateSpecName109": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9')))]" + }, + "huntingQueryObject110": { + "huntingQueryVersion110": "1.0.0", + "_huntingQuerycontentId110": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "huntingQueryTemplateSpecName110": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdac93ef-56c0-45bf-9e7f-9cbf0ad06808')))]" + }, + "huntingQueryObject111": { + "huntingQueryVersion111": "1.0.0", + "_huntingQuerycontentId111": "9d59be10-54d9-478b-b669-fb4eb8517cd0", + "huntingQueryTemplateSpecName111": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9d59be10-54d9-478b-b669-fb4eb8517cd0')))]" + }, + "huntingQueryObject112": { + "huntingQueryVersion112": "1.0.0", + "_huntingQuerycontentId112": "25150085-015a-4673-9b67-bc6ad9475500", + "huntingQueryTemplateSpecName112": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('25150085-015a-4673-9b67-bc6ad9475500')))]" + }, + "huntingQueryObject113": { + "huntingQueryVersion113": "1.0.0", + "_huntingQuerycontentId113": "9b086a51-e396-4718-90d7-f7b3646e6581", + "huntingQueryTemplateSpecName113": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9b086a51-e396-4718-90d7-f7b3646e6581')))]" + }, + "huntingQueryObject114": { + "huntingQueryVersion114": "1.0.0", + 
"_huntingQuerycontentId114": "516046e8-a460-4f7b-86eb-421d3a9cdff1", + "huntingQueryTemplateSpecName114": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('516046e8-a460-4f7b-86eb-421d3a9cdff1')))]" + }, + "huntingQueryObject115": { + "huntingQueryVersion115": "1.0.0", + "_huntingQuerycontentId115": "594fe5a1-53b6-466b-86df-028366c3994e", + "huntingQueryTemplateSpecName115": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('594fe5a1-53b6-466b-86df-028366c3994e')))]" + }, + "huntingQueryObject116": { + "huntingQueryVersion116": "1.0.0", + "_huntingQuerycontentId116": "706b711a-7622-40f1-9ebb-331d1a0ff697", + "huntingQueryTemplateSpecName116": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('706b711a-7622-40f1-9ebb-331d1a0ff697')))]" + }, + "huntingQueryObject117": { + "huntingQueryVersion117": "1.0.0", + "_huntingQuerycontentId117": "f708c866-073a-4107-a60b-ba6f86e54caa", + "huntingQueryTemplateSpecName117": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f708c866-073a-4107-a60b-ba6f86e54caa')))]" + }, + "huntingQueryObject118": { + "huntingQueryVersion118": "1.0.0", + "_huntingQuerycontentId118": "68aa199c-259b-4bb0-8e7a-8ed6f96c5525", + "huntingQueryTemplateSpecName118": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('68aa199c-259b-4bb0-8e7a-8ed6f96c5525')))]" + }, + "huntingQueryObject119": { + "huntingQueryVersion119": "1.0.0", + "_huntingQuerycontentId119": "8c852f12-499f-499b-afc1-25c50aa9b462", + "huntingQueryTemplateSpecName119": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8c852f12-499f-499b-afc1-25c50aa9b462')))]" + }, + "huntingQueryObject120": { + 
"huntingQueryVersion120": "1.0.0", + "_huntingQuerycontentId120": "f6354c94-3a95-4235-8530-414f016a7bf6", + "huntingQueryTemplateSpecName120": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f6354c94-3a95-4235-8530-414f016a7bf6')))]" + }, + "huntingQueryObject121": { + "huntingQueryVersion121": "1.0.0", + "_huntingQuerycontentId121": "dc7e1eb5-16f5-4ad5-96a1-794970f4b310", + "huntingQueryTemplateSpecName121": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dc7e1eb5-16f5-4ad5-96a1-794970f4b310')))]" + }, + "huntingQueryObject122": { + "huntingQueryVersion122": "1.0.0", + "_huntingQuerycontentId122": "54d3455d-27e0-4ceb-99f9-375abd620151", + "huntingQueryTemplateSpecName122": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('54d3455d-27e0-4ceb-99f9-375abd620151')))]" + }, + "huntingQueryObject123": { + "huntingQueryVersion123": "1.0.0", + "_huntingQuerycontentId123": "8d298b5c-feca-4add-bd42-e43e0a317a88", + "huntingQueryTemplateSpecName123": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8d298b5c-feca-4add-bd42-e43e0a317a88')))]" + }, + "huntingQueryObject124": { + "huntingQueryVersion124": "1.0.0", + "_huntingQuerycontentId124": "3131d0ba-32c9-483e-a25c-82e26a07e116", + "huntingQueryTemplateSpecName124": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3131d0ba-32c9-483e-a25c-82e26a07e116')))]" + }, + "huntingQueryObject125": { + "huntingQueryVersion125": "1.0.0", + "_huntingQuerycontentId125": "a12cac64-ea6d-46d4-91a6-262b165fb9ad", + "huntingQueryTemplateSpecName125": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a12cac64-ea6d-46d4-91a6-262b165fb9ad')))]" + }, + 
"huntingQueryObject126": { + "huntingQueryVersion126": "1.0.0", + "_huntingQuerycontentId126": "9e8faa62-7222-48a5-a78f-ef2d22f866dc", + "huntingQueryTemplateSpecName126": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9e8faa62-7222-48a5-a78f-ef2d22f866dc')))]" + }, + "huntingQueryObject127": { + "huntingQueryVersion127": "1.0.0", + "_huntingQuerycontentId127": "6f96f6d7-d972-421e-a59f-6b9a8de81324", + "huntingQueryTemplateSpecName127": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6f96f6d7-d972-421e-a59f-6b9a8de81324')))]" + }, + "huntingQueryObject128": { + "huntingQueryVersion128": "1.0.0", + "_huntingQuerycontentId128": "9f135aef-ad25-4df2-bdab-8399978a36a2", + "huntingQueryTemplateSpecName128": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9f135aef-ad25-4df2-bdab-8399978a36a2')))]" + }, + "huntingQueryObject129": { + "huntingQueryVersion129": "1.0.0", + "_huntingQuerycontentId129": "99713387-9d61-49eb-8edc-f51153d8bb01", + "huntingQueryTemplateSpecName129": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('99713387-9d61-49eb-8edc-f51153d8bb01')))]" + }, + "huntingQueryObject130": { + "huntingQueryVersion130": "1.0.0", + "_huntingQuerycontentId130": "6a570927-8638-4a6f-ac09-72a7d51ffa3c", + "huntingQueryTemplateSpecName130": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('6a570927-8638-4a6f-ac09-72a7d51ffa3c')))]" + }, + "huntingQueryObject131": { + "huntingQueryVersion131": "1.0.0", + "_huntingQuerycontentId131": "cdc4da1c-64a1-4941-be59-1f5cc85481ab", + "huntingQueryTemplateSpecName131": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('cdc4da1c-64a1-4941-be59-1f5cc85481ab')))]" + }, + "huntingQueryObject132": { + "huntingQueryVersion132": "1.0.0", + "_huntingQuerycontentId132": "b3180ac0-6d94-494a-8b8c-fcc84319ea6e", + "huntingQueryTemplateSpecName132": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b3180ac0-6d94-494a-8b8c-fcc84319ea6e')))]" + }, + "huntingQueryObject133": { + "huntingQueryVersion133": "1.0.0", + "_huntingQuerycontentId133": "011c3d48-f6ca-405f-9763-66c7856ad2ba", + "huntingQueryTemplateSpecName133": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('011c3d48-f6ca-405f-9763-66c7856ad2ba')))]" + }, + "huntingQueryObject134": { + "huntingQueryVersion134": "1.0.0", + "_huntingQuerycontentId134": "e90345b3-439c-44e1-a85d-8ae84ad9c65b", + "huntingQueryTemplateSpecName134": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e90345b3-439c-44e1-a85d-8ae84ad9c65b')))]" + }, + "huntingQueryObject135": { + "huntingQueryVersion135": "1.0.0", + "_huntingQuerycontentId135": "71aeb41d-c85c-4569-bb08-6f1cd38bca49", + "huntingQueryTemplateSpecName135": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('71aeb41d-c85c-4569-bb08-6f1cd38bca49')))]" + }, + "huntingQueryObject136": { + "huntingQueryVersion136": "1.0.0", + "_huntingQuerycontentId136": "1c390fd7-2668-4445-9b7d-055f3851be5f", + "huntingQueryTemplateSpecName136": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('1c390fd7-2668-4445-9b7d-055f3851be5f')))]" + }, + "huntingQueryObject137": { + "huntingQueryVersion137": "1.0.0", + "_huntingQuerycontentId137": "2d2351ca-e9a6-4286-b445-a9268189c1dc", + 
"huntingQueryTemplateSpecName137": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2d2351ca-e9a6-4286-b445-a9268189c1dc')))]" + }, + "huntingQueryObject138": { + "huntingQueryVersion138": "1.0.0", + "_huntingQuerycontentId138": "8c9bc29b-f32a-49fe-8fe8-450479f4130f", + "huntingQueryTemplateSpecName138": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('8c9bc29b-f32a-49fe-8fe8-450479f4130f')))]" + }, + "huntingQueryObject139": { + "huntingQueryVersion139": "1.0.0", + "_huntingQuerycontentId139": "0bd33643-c517-48b1-8211-25a7fbd15a50", + "huntingQueryTemplateSpecName139": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0bd33643-c517-48b1-8211-25a7fbd15a50')))]" + }, + "huntingQueryObject140": { + "huntingQueryVersion140": "1.0.0", + "_huntingQuerycontentId140": "de480ca4-4095-4fef-b3e7-2a3f17f24e78", + "huntingQueryTemplateSpecName140": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('de480ca4-4095-4fef-b3e7-2a3f17f24e78')))]" + }, + "huntingQueryObject141": { + "huntingQueryVersion141": "1.0.0", + "_huntingQuerycontentId141": "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27", + "huntingQueryTemplateSpecName141": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27')))]" + }, + "huntingQueryObject142": { + "huntingQueryVersion142": "1.0.0", + "_huntingQuerycontentId142": "27ee28e7-423b-48c9-a410-cbc6c8e21d25", + "huntingQueryTemplateSpecName142": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('27ee28e7-423b-48c9-a410-cbc6c8e21d25')))]" + }, + "huntingQueryObject143": { + "huntingQueryVersion143": "1.0.0", + "_huntingQuerycontentId143": 
"e3b7b5c1-0e50-4dfb-b73a-c226636eaf58", + "huntingQueryTemplateSpecName143": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e3b7b5c1-0e50-4dfb-b73a-c226636eaf58')))]" + }, + "huntingQueryObject144": { + "huntingQueryVersion144": "1.0.0", + "_huntingQuerycontentId144": "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2", + "huntingQueryTemplateSpecName144": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2')))]" + }, + "huntingQueryObject145": { + "huntingQueryVersion145": "1.0.0", + "_huntingQuerycontentId145": "a1664330-810a-473b-b354-acbaa751a294", + "huntingQueryTemplateSpecName145": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('a1664330-810a-473b-b354-acbaa751a294')))]" + }, + "huntingQueryObject146": { + "huntingQueryVersion146": "1.0.0", + "_huntingQuerycontentId146": "d24e9c4a-b72a-4a85-89cd-83760ae61155", + "huntingQueryTemplateSpecName146": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d24e9c4a-b72a-4a85-89cd-83760ae61155')))]" + }, + "huntingQueryObject147": { + "huntingQueryVersion147": "1.0.0", + "_huntingQuerycontentId147": "3f007cdc-86bf-4657-9015-05101a3e54f5", + "huntingQueryTemplateSpecName147": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('3f007cdc-86bf-4657-9015-05101a3e54f5')))]" + }, + "huntingQueryObject148": { + "huntingQueryVersion148": "1.0.0", + "_huntingQuerycontentId148": "efe27064-6d35-4720-b7f5-e0326695613d", + "huntingQueryTemplateSpecName148": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('efe27064-6d35-4720-b7f5-e0326695613d')))]" + }, + "huntingQueryObject149": { + "huntingQueryVersion149": "1.0.0", + 
"_huntingQuerycontentId149": "bc46e331-3cb0-483d-9c90-989d2a59457f", + "huntingQueryTemplateSpecName149": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('bc46e331-3cb0-483d-9c90-989d2a59457f')))]" + }, + "huntingQueryObject150": { + "huntingQueryVersion150": "1.0.0", + "_huntingQuerycontentId150": "03e61096-20d0-46eb-b8e0-a507dd00a19f", + "huntingQueryTemplateSpecName150": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('03e61096-20d0-46eb-b8e0-a507dd00a19f')))]" + }, + "huntingQueryObject151": { + "huntingQueryVersion151": "1.0.0", + "_huntingQuerycontentId151": "f075d4c4-cf76-4e5d-9c2d-9ed524286316", + "huntingQueryTemplateSpecName151": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f075d4c4-cf76-4e5d-9c2d-9ed524286316')))]" + }, + "huntingQueryObject152": { + "huntingQueryVersion152": "1.0.0", + "_huntingQuerycontentId152": "891f4865-75e5-4d40-bc24-ebf97da3ca9a", + "huntingQueryTemplateSpecName152": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('891f4865-75e5-4d40-bc24-ebf97da3ca9a')))]" + }, + "huntingQueryObject153": { + "huntingQueryVersion153": "1.0.0", + "_huntingQuerycontentId153": "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "huntingQueryTemplateSpecName153": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('d823da0e-1334-4a66-8ff4-2c2c40d26295')))]" + }, + "huntingQueryObject154": { + "huntingQueryVersion154": "1.0.0", + "_huntingQuerycontentId154": "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "huntingQueryTemplateSpecName154": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('08aff8c6-b983-43a3-be95-68a10c3d35e6')))]" + }, + "huntingQueryObject155": { + 
"huntingQueryVersion155": "1.0.0", + "_huntingQuerycontentId155": "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "huntingQueryTemplateSpecName155": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9')))]" + }, + "huntingQueryObject156": { + "huntingQueryVersion156": "1.0.0", + "_huntingQuerycontentId156": "c10b22a0-6021-46f9-bdaf-05bf2350a554", + "huntingQueryTemplateSpecName156": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c10b22a0-6021-46f9-bdaf-05bf2350a554')))]" }, "workbookVersion1": "1.0.0", "workbookContentId1": "MicrosoftDefenderForOffice365detectionsandinsights", @@ -1334,16 +1759,16 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } ], "entityType": "Account" @@ -1351,16 +1776,16 @@ { "fieldMappings": [ { - "columnName": "RecipientEmailAddress", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "RecipientEmailAddress" }, { - "columnName": "RecipientEmailName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RecipientEmailName" }, { - "columnName": "RecipientEmailUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "RecipientEmailUPNSuffix" } ], "entityType": "Account" 
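Review bot: Every changed line in this hunk, and in the `fieldMappings`/`incidentConfiguration` hunks that follow through `@@ -5359`, swaps the order of `columnName` and `identifier` (or of the grouping keys) without changing a single value, so the JSON is semantically identical on both sides. Key order carries no meaning in JSON, and this churn buries the only substantive change among the hunks from `@@ -1334` onward, the `requiredDataConnectors` addition at `@@ -2849`. If the packaging tool now serializes keys in a different order than the committed template, the fix belongs in the generator (emit keys in a stable order, e.g. the order of the source YAML) rather than in every mainTemplate it touches; otherwise regenerate with the previous serializer so the diff shrinks to the real change. The analytic-rule objects these hunks belong to start and end outside the hunks.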
@@ -1368,16 +1793,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -1385,8 +1810,8 @@ { "fieldMappings": [ { - "columnName": "SourceIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SourceIP" } ], "entityType": "IP" @@ -1394,8 +1819,8 @@ { "fieldMappings": [ { - "columnName": "DestinationIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "DestinationIP" } ], "entityType": "IP" @@ -1499,16 +1924,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -1516,16 +1941,16 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } ], "entityType": "Account" 
@@ -1629,12 +2054,12 @@ { "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -1642,16 +2067,16 @@ { "fieldMappings": [ { - "columnName": "FileEditUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "FileEditUpn" }, { - "columnName": "FileEditAccount", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileEditAccount" }, { - "columnName": "FileEditDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "FileEditDomain" } ], "entityType": "Account" @@ -1758,16 +2183,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -1775,16 +2200,16 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } ], "entityType": "Account" 
@@ -1792,12 +2217,12 @@ { "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "InitiatingProcessSHA1", - "identifier": "Value" + "identifier": "Value", + "columnName": "InitiatingProcessSHA1" } ], "entityType": "FileHash" @@ -1904,16 +2329,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -1921,16 +2346,16 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } ], "entityType": "Account" @@ -1938,8 +2363,8 @@ { "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } ], "entityType": "IP" @@ -1947,8 +2372,8 @@ { "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } ], "entityType": "URL" @@ -1956,12 +2381,12 @@ { "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "InitiatingProcessMD5", - "identifier": "Value" + "identifier": "Value", + "columnName": "InitiatingProcessMD5" } ], "entityType": "FileHash" 
@@ -2068,16 +2493,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -2085,16 +2510,16 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessAccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "InitiatingProcessAccountUpn" }, { - "columnName": "InitiatingProcessAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "InitiatingProcessAccountName" }, { - "columnName": "InitiatingProcessAccountDomain", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "InitiatingProcessAccountDomain" } ], "entityType": "Account" @@ -2102,12 +2527,12 @@ { "fieldMappings": [ { - "columnName": "HashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "HashAlgorithm" }, { - "columnName": "MD5", - "identifier": "Value" + "identifier": "Value", + "columnName": "MD5" } ], "entityType": "FileHash" @@ -2210,16 +2635,16 @@ { "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" 
@@ -2322,16 +2747,16 @@ { "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -2339,8 +2764,8 @@ { "fieldMappings": [ { - "columnName": "PublicIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "PublicIP" } ], "entityType": "IP" @@ -2443,16 +2868,16 @@ { "fieldMappings": [ { - "columnName": "CompromisedEntity", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "CompromisedEntity" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" @@ -2460,8 +2885,8 @@ { "fieldMappings": [ { - "columnName": "PublicIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "PublicIP" } ], "entityType": "IP" @@ -2567,16 +2992,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "HostNameDomain" } ], "entityType": "Host" 
@@ -2584,16 +3009,16 @@ { "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -2601,8 +3026,8 @@ { "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } ], "entityType": "IP" @@ -2610,8 +3035,8 @@ { "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" } ], "entityType": "Process" @@ -2619,8 +3044,8 @@ { "fieldMappings": [ { - "columnName": "InitiatingProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "InitiatingProcessId" } ], "entityType": "Process" @@ -2628,8 +3053,8 @@ { "fieldMappings": [ { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } ], "entityType": "Process" @@ -2643,16 +3068,16 @@ "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863" }, "incidentConfiguration": { - "createIncident": false, "groupingConfiguration": { - "matchingMethod": "Selected", - "enabled": false, - "reopenClosedIncident": false, - "lookbackDuration": "PT5H", "groupByEntities": [ "Account" - ] - } + ], + "lookbackDuration": "PT5H", + "enabled": false, + "matchingMethod": "Selected", + "reopenClosedIncident": false + }, + "createIncident": false } } }, 
@@ -2755,16 +3180,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -2849,6 +3274,7 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", + "requiredDataConnectors": [], "tactics": [ "DefenseEvasion", "Persistence" @@ -2861,16 +3287,16 @@ { "fieldMappings": [ { - "columnName": "Dvc", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Dvc" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -2973,16 +3399,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3085,16 +3511,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" 
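Review bot: The `requiredDataConnectors` added at `@@ -2849,6 +3274,7 @@` is an empty array, which declares that the rule has no data-connector prerequisite; if the rule's query (outside the hunk) reads a table populated by one of this solution's connectors, the portal will offer the rule without that dependency and it will run against an empty table until the connector is set up. Confirm the source rule YAML intentionally sets `requiredDataConnectors: []`; if the table does come from a connector, list it in the usual shape, `"requiredDataConnectors": [{"connectorId": "<CONNECTOR_ID>", "dataTypes": ["<TABLE_NAME>"]}]` (placeholders). The rule object this hunk belongs to begins and ends outside the hunk.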
@@ -3197,16 +3623,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3309,16 +3735,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3423,16 +3849,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3535,16 +3961,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" 
@@ -3653,16 +4079,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3670,8 +4096,8 @@ { "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } ], "entityType": "IP" @@ -3679,8 +4105,8 @@ { "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } ], "entityType": "IP" @@ -3688,8 +4114,8 @@ { "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } ], "entityType": "URL" @@ -3798,16 +4224,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -3815,8 +4241,8 @@ { "fieldMappings": [ { - "columnName": "LocalIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "LocalIP" } ], "entityType": "IP" @@ -3824,8 +4250,8 @@ { "fieldMappings": [ { - "columnName": "RemoteIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "RemoteIP" } ], "entityType": "IP" @@ -3833,8 +4259,8 @@ { "fieldMappings": [ { - "columnName": "RemoteUrl", - "identifier": "Url" + "identifier": "Url", + "columnName": "RemoteUrl" } ], "entityType": "URL" 
@@ -3942,16 +4368,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4058,16 +4484,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4075,12 +4501,12 @@ { "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } ], "entityType": "Process" @@ -4187,16 +4613,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4204,12 +4630,12 @@ { "fieldMappings": [ { - "columnName": "ProcessId", - "identifier": "ProcessId" + "identifier": "ProcessId", + "columnName": "ProcessId" }, { - "columnName": "ProcessCommandLine", - "identifier": "CommandLine" + "identifier": "CommandLine", + "columnName": "ProcessCommandLine" } ], "entityType": "Process" 
@@ -4315,16 +4741,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4332,16 +4758,16 @@ { "fieldMappings": [ { - "columnName": "AccountUpn", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "AccountUpn" }, { - "columnName": "AccountDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "AccountDomain" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" } ], "entityType": "Account" @@ -4445,16 +4871,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4462,12 +4888,12 @@ { "fieldMappings": [ { - "columnName": "FileName", - "identifier": "Name" + "identifier": "Name", + "columnName": "FileName" }, { - "columnName": "FolderPath", - "identifier": "Directory" + "identifier": "Directory", + "columnName": "FolderPath" } ], "entityType": "File" @@ -4475,12 +4901,12 @@ { "fieldMappings": [ { - "columnName": "FileHashAlgorithm", - "identifier": "Algorithm" + "identifier": "Algorithm", + "columnName": "FileHashAlgorithm" }, { - "columnName": "SHA256", - "identifier": "Value" + "identifier": "Value", + "columnName": "SHA256" } ], "entityType": "FileHash" 
@@ -4583,16 +5009,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" @@ -4600,12 +5026,12 @@ { "fieldMappings": [ { - "columnName": "RegistryValueName", - "identifier": "Name" + "identifier": "Name", + "columnName": "RegistryValueName" }, { - "columnName": "RegistryValueData", - "identifier": "Value" + "identifier": "Value", + "columnName": "RegistryValueData" } ], "entityType": "RegistryValue" @@ -4709,8 +5135,8 @@ { "fieldMappings": [ { - "columnName": "UserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "UserId" } ], "entityType": "Account" @@ -4718,12 +5144,12 @@ { "fieldMappings": [ { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "NTDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "NTDomain" } ], "entityType": "Account" @@ -4731,8 +5157,8 @@ { "fieldMappings": [ { - "columnName": "ApplicationId", - "identifier": "AppId" + "identifier": "AppId", + "columnName": "ApplicationId" } ], "entityType": "CloudApplication" @@ -4838,16 +5264,16 @@ { "fieldMappings": [ { - "columnName": "DeviceName", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "DeviceName" }, { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "DnsDomain", - "identifier": "DnsDomain" + "identifier": "DnsDomain", + "columnName": "DnsDomain" } ], "entityType": "Host" 
@@ -4951,16 +5377,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -4968,16 +5394,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "AccountDomain"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 }
 ],
 "entityType": "Account"
@@ -5080,16 +5506,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5097,12 +5523,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "ProcessId",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "ProcessId"
 },
 {
- "columnName": "ProcessCommandLine",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "ProcessCommandLine"
 }
 ],
 "entityType": "Process"
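Review bot: In the Account mapping of the `@@ -4968,16` hunk the same column, `AccountName`, feeds both the `FullName` and the `Name` identifier, whereas every other Account mapping in this file sources `FullName` from a UPN-style column (`AccountUpn`, `AccountFullName`); a bare user name presented as a full name weakens entity matching and looks like a copy-paste slip. Unless the rule's query deliberately projects the bare name as the full name, point the first entry at the UPN column, e.g. `"columnName": "AccountUpn"`, or drop it. The hunk itself only reorders keys, so this is pre-existing on the new side, and the enclosing rule object starts and ends outside the hunk.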
@@ -5206,16 +5632,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5223,16 +5649,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "UserAdded",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserAdded"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "laccountdomain",
- "identifier": "NTDomain"
+ "identifier": "NTDomain",
+ "columnName": "laccountdomain"
 }
 ],
 "entityType": "Account"
@@ -5342,16 +5768,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5359,12 +5785,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "ServiceProcessID",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "ServiceProcessID"
 },
 {
- "columnName": "ServiceProcessCmdline",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "ServiceProcessCmdline"
 }
 ],
 "entityType": "Process"
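Review bot: The `NTDomain` identifier in the Account mapping of the `@@ -5223,16` hunk reads from a column named `laccountdomain`, which matches neither the casing nor the naming of the other mappings (`AccountDomain`, `DnsDomain`) and looks like a typo; if the rule's query does not project a column with exactly that name, the mapping silently yields an empty domain and the Account entity will not be matched or enriched. Please check the column the query actually projects and either correct this to `"columnName": "AccountDomain"` or make the query and the mapping agree. The key reorder itself is fine; the enclosing rule object starts and ends outside the hunk.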
@@ -5467,16 +5893,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5484,16 +5910,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountUpn",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountUpn"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountDomain",
- "identifier": "NTDomain"
+ "identifier": "NTDomain",
+ "columnName": "AccountDomain"
 }
 ],
 "entityType": "Account"
@@ -5501,12 +5927,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "ProcessId",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "ProcessId"
 },
 {
- "columnName": "ProcessCommandLine",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "ProcessCommandLine"
 }
 ],
 "entityType": "Process"
@@ -5609,16 +6035,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5721,16 +6147,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5738,12 +6164,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "ProcessId",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "ProcessId"
 },
 {
- "columnName": "ProcessCommandLine",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "ProcessCommandLine"
 }
 ],
 "entityType": "Process"
@@ -5846,16 +6272,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -5958,16 +6384,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -6078,16 +6504,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -6095,16 +6521,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountFullName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountFullName"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "AccountDomain"
 }
 ],
 "entityType": "Account"
@@ -6112,8 +6538,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "RemoteIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "RemoteIP"
 }
 ],
 "entityType": "IP"
@@ -6220,16 +6646,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -6332,16 +6758,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "DeviceName",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "DeviceName"
 },
 {
- "columnName": "HostName",
- "identifier": "HostName"
+ "identifier": "HostName",
+ "columnName": "HostName"
 },
 {
- "columnName": "DnsDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "DnsDomain"
 }
 ],
 "entityType": "Host"
@@ -6349,16 +6775,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AccountUpn",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountUpn"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountDomain",
- "identifier": "DnsDomain"
+ "identifier": "DnsDomain",
+ "columnName": "AccountDomain"
 }
 ],
 "entityType": "Account"
@@ -6366,12 +6792,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "ProcessId",
- "identifier": "ProcessId"
+ "identifier": "ProcessId",
+ "columnName": "ProcessId"
 },
 {
- "columnName": "ProcessCommandLine",
- "identifier": "CommandLine"
+ "identifier": "CommandLine",
+ "columnName": "ProcessCommandLine"
 }
 ],
 "entityType": "Process"
@@ -6430,7 +6856,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Appspot Phishing Abuse_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -6444,14 +6870,14 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Appspot Phishing Abuse",
+ "displayName": "Spoofing attempts from Specific Domains",
 "category": "Hunting Queries",
- "query": "EmailUrlInfo\n// Detect URLs with a subdomain on appspot.com\n| where UrlDomain matches regex @'\\b[\\w\\-]+-dot-[\\w\\-\\.]+\\.appspot\\.com\\b'\n// Enrich results with sender and recipient data\n| join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId\n// Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI\n// Example 1: https://example-dot-example.appspot.com/#recipient@domain.com\n// Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com\n| where Url has RecipientEmailAddress\n // Some phishing campaigns pass recipient email as a Base64 encoded string in the URI\n or Url has base64_encode_tostring(RecipientEmailAddress)\n| project-away NetworkMessageId1, ReportId1, Type1, TimeGenerated1, Timestamp1\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n| extend URL_0_Url = Url\n| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress\n",
+ "query": "// Add the list of domains to search for.\nlet DomainList = dynamic([\"contoso.com\"]); \nEmailEvents \n| where TimeGenerated > ago (1d) and DetectionMethods has \"spoof\" and SenderFromDomain in~ (DomainList)\n| project TimeGenerated, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames \n| evaluate bag_unpack(AR) \n| where column_ifexists('SPF','') =~ \"fail\" or column_ifexists('DMARC','') =~ \"fail\" or column_ifexists('DKIM','') =~ \"fail\" or 
column_ifexists('CompAuth','') =~ \"fail\"\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query helps surface phishing campaigns associated with Appspot abuse.These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.\nThis campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800\nReference - https://twitter.com/MsftSecIntel/status/1374148156301004800"
+ "value": "This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures."
 },
 {
 "name": "tactics",
@@ -6500,7 +6926,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "contentKind": "HuntingQuery",
- "displayName": "Appspot Phishing Abuse",
+ "displayName": "Spoofing attempts from Specific Domains",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.1.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.1.0')))]",
 "version": "1.1.0"
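Review bot: The description tag of the new `huntingQueryObject1` entry does not tell the analyst that `DomainList` ships with the placeholder `contoso.com` and must be replaced with the organisation's own sender domains, so the query as deployed returns nothing until it is edited. Appending a sentence such as `Replace the contoso.com placeholder in DomainList with the domains to monitor before running.` to the description value would avoid that. The query also hard-codes `TimeGenerated > ago (1d)`, which narrows whatever range the hunting blade selects; that is worth stating in the description too. Both belong in the source hunting-query YAML from which this template is generated, not in this file.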
@@ -6515,7 +6941,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -6529,14 +6955,14 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Spoofing attempts from Specific Domains",
+ "displayName": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
 "category": "Hunting Queries",
- "query": "// Add the list of domains to search for.\nlet DomainList = dynamic([\"contoso.com\"]); \nEmailEvents \n| where TimeGenerated > ago (1d) and DetectionMethods has \"spoof\" and SenderFromDomain in~ (DomainList)\n| project TimeGenerated, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames \n| evaluate bag_unpack(AR) \n| where column_ifexists('SPF','') =~ \"fail\" or column_ifexists('DMARC','') =~ \"fail\" or column_ifexists('DKIM','') =~ \"fail\" or column_ifexists('CompAuth','') =~ \"fail\"\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n",
+ "query": "// Adjust the cutoff as needed \nlet cutoff = 5;\nEmailEvents\n| where ThreatTypes has \"Malware\" or ThreatTypes has \"Phish\" \n| summarize count() by SenderIPv4 \n| where count_ > cutoff\n| join kind=inner EmailEvents on SenderIPv4 \n| where DeliveryAction =~ \"Delivered\"\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query identifies potential phishing or spoofing attempts originating from specific domains with authentication failures."
+ "value": "This query identifies phishing emails sent that were successfully delivered, by top IP addressess. cutoff default value is 5, adjust the value as needed." }, { "name": "tactics", @@ -6585,10 +7011,10 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", - "displayName": "Spoofing attempts from Specific Domains", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.1.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.1.0')))]", - "version": "1.1.0" + "displayName": "Determine Successfully Delivered Phishing Emails by top IP Addresses", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "version": "1.0.1" } }, { 
@@ -6600,7 +7026,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -6614,14 +7040,14 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
+ "displayName": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
 "category": "Hunting Queries",
- "query": "// Adjust the cutoff as needed \nlet cutoff = 5;\nEmailEvents\n| where ThreatTypes has \"Malware\" or ThreatTypes has \"Phish\" \n| summarize count() by SenderIPv4 \n| where count_ > cutoff\n| join kind=inner EmailEvents on SenderIPv4 \n| where DeliveryAction =~ \"Delivered\"\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress\n",
+ "query": "EmailEvents\n| where isnotempty(ThreatTypes) and DeliveryLocation in~ (\"Inbox/folder\",\"Junk folder\")\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query identifies phishing emails sent that were successfully delivered, by top IP addressess. cutoff default value is 5, adjust the value as needed."
+ "value": "This query identifies threats which got successfully delivered to Inbox/Junk folder."
 },
 {
 "name": "tactics",
@@ -6670,7 +7096,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
 "contentKind": "HuntingQuery",
- "displayName": "Determine Successfully Delivered Phishing Emails by top IP Addresses",
+ "displayName": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.1')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.1')))]",
 "version": "1.0.1"
@@ -6685,7 +7111,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -6699,22 +7125,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
+ "displayName": "Deimos Component Execution",
 "category": "Hunting Queries",
- "query": "EmailEvents\n| where isnotempty(ThreatTypes) and DeliveryLocation in~ (\"Inbox/folder\",\"Junk folder\")\n| extend Name = tostring(split(SenderFromAddress, '@', 0)[0]), UPNSuffix = tostring(split(SenderFromAddress, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = SenderIPv4\n| extend MailBox_0_MailboxPrimaryAddress = RecipientEmailAddress\n",
+ "query": "DeviceEvents \n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where ActionType == \"AmsiScriptContent\"\n| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()\"}'\n| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query identifies threats which got successfully delivered to Inbox/Junk folder."
+ "value": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising."
 },
 {
 "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1566"
+ "value": "Execution,Collection,Exfiltration,Impact"
 }
 ]
 }
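Review bot: The new `huntingQueryObject4` entry ends up with a `tactics` tag only; the `techniques` tag that the previous occupant of this slot carried is gone, so the Deimos query has no MITRE technique attached in the portal and cannot be filtered by technique like the rest of the package. If the source YAML declares `relevantTechniques` it is not being emitted here; if it does not, adding it in the YAML (rather than in this generated file) would be the right place. The same gap applies to the LemonDuck entry in the `@@ -6784,18` hunk and to both Log4j entries in the `@@ -6865,18` and `@@ -6946,18` hunks, none of which has a `techniques` tag.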
@@ -6755,10 +7177,10 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
 "contentKind": "HuntingQuery",
- "displayName": "Determine Successfully Delivered Phishing Emails to Inbox/Junk folder.",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]",
- "version": "1.0.1"
+ "displayName": "Deimos Component Execution",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
@@ -6770,7 +7192,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -6784,18 +7206,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Deimos Component Execution",
+ "displayName": "LemonDuck Registration Function",
 "category": "Hunting Queries",
- "query": "DeviceEvents \n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where ActionType == \"AmsiScriptContent\"\n| where AdditionalFields endswith '[mArS.deiMos]::inteRaCt()\"}'\n| project InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, AdditionalFields\n",
+ "query": "DeviceEvents\n| where ActionType == \"PowerShellCommand\"\n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "Jupyter, otherwise known as SolarMarker, is a malware family and cluster of components known for its info-stealing and backdoor capabilities that mainly proliferates through search engine optimization manipulation and malicious advertising."
+ "value": "LemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021."
 },
 {
 "name": "tactics",
- "value": "Execution,Collection,Exfiltration,Impact"
+ "value": "Execution,Persistence,LateralMovement,CommandAndControl"
 }
 ]
 }
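Review bot: The new LemonDuck query compares `AdditionalFields` against one exact serialized JSON blob (`AdditionalFields =~ "{\"Command\":\"SIEX\"}"`), so it only fires when the event carries that single key with no other property, whitespace or key-order variation; any extra field the sensor adds silently turns the hunt into a no-match. Parsing the field and comparing the key is the robust form: `| where parse_json(AdditionalFields).Command =~ "SIEX"`. Since this file is generated, the change belongs in the source hunting-query YAML.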
@@ -6836,7 +7258,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
 "contentKind": "HuntingQuery",
- "displayName": "Deimos Component Execution",
+ "displayName": "LemonDuck Registration Function",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -6851,7 +7273,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -6865,18 +7287,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "LemonDuck Registration Function",
+ "displayName": "Devices with Log4j vulnerability alerts and additional other alert related context",
 "category": "Hunting Queries",
- "query": "DeviceEvents\n| where ActionType == \"PowerShellCommand\"\n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"\n",
+ "query": "// Get any devices with Log4J related Alert Activity\nlet DevicesLog4JAlerts = AlertInfo\n| where Title in~('Suspicious script launched',\n'Exploitation attempt against Log4j (CVE-2021-44228)',\n'Suspicious process executed by a network service',\n'Possible target of Log4j exploitation (CVE-2021-44228)',\n'Possible target of Log4j exploitation',\n'Possible Log4j exploitation',\n'Network connection seen in CVE-2021-44228 exploitation',\n'Log4j exploitation detected',\n'Possible exploitation of CVE-2021-44228',\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\n'Possible source of Log4j exploitation'\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\n)\n// Join in evidence information\n| join kind=innerunique AlertEvidence on AlertId\n| where DeviceId != \"\"\n| summarize by DeviceId, Title;\n// Get additional alert activity for each device\nAlertEvidence\n| where DeviceId in(DevicesLog4JAlerts)\n// Add additional info\n| join kind=leftouter AlertInfo on AlertId\n| summarize DeviceAlerts = make_set(Title, 100000), AlertIDs = make_set(AlertId, 100000) by DeviceId, bin(TimeGenerated, 1d)\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "LemonDuck is a malware primarily known for its botnet and cryptocurrency mining objectives. First discovered in 2019, LemonDuck has since adopted more sophisticated behavior and escalated its operations in 2021."
+ "value": "Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J." }, { "name": "tactics", - "value": "Execution,Persistence,LateralMovement,CommandAndControl" + "value": "InitialAccess,Execution" } ] } @@ -6917,7 +7339,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "contentKind": "HuntingQuery", - "displayName": "LemonDuck Registration Function", + "displayName": "Devices with Log4j vulnerability alerts and additional other alert related context", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", "version": "1.0.0" @@ -6932,7 +7354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -6946,18 +7368,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Devices with Log4j vulnerability alerts and additional other alert related context", + "displayName": "Alerts Related to Log4j Vulnerability", "category": "Hunting Queries", - "query": "// Get any devices with Log4J related Alert Activity\nlet DevicesLog4JAlerts = AlertInfo\n| where Title in~('Suspicious script launched',\n'Exploitation attempt against Log4j (CVE-2021-44228)',\n'Suspicious process executed by a network service',\n'Possible target of Log4j exploitation (CVE-2021-44228)',\n'Possible target of Log4j exploitation',\n'Possible Log4j exploitation',\n'Network connection seen in CVE-2021-44228 exploitation',\n'Log4j exploitation detected',\n'Possible exploitation of CVE-2021-44228',\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\n'Possible source of Log4j exploitation'\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\n)\n// Join in evidence information\n| join kind=innerunique AlertEvidence on AlertId\n| where DeviceId != \"\"\n| summarize by DeviceId, Title;\n// Get additional alert activity for each device\nAlertEvidence\n| where DeviceId in(DevicesLog4JAlerts)\n// Add additional info\n| join kind=leftouter AlertInfo on AlertId\n| summarize DeviceAlerts = make_set(Title, 100000), AlertIDs = make_set(AlertId, 100000) by DeviceId, bin(TimeGenerated, 1d)\n", + "query": "AlertInfo\n| where Title in~('Suspicious script launched',\n'Exploitation attempt against Log4j (CVE-2021-44228)',\n'Suspicious process executed by a network service',\n'Possible target of Log4j exploitation (CVE-2021-44228)',\n'Possible target of Log4j exploitation',\n'Possible Log4j exploitation',\n'Network connection seen in CVE-2021-44228 exploitation',\n'Log4j exploitation detected',\n'Possible 
exploitation of CVE-2021-44228',\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\n'Possible source of Log4j exploitation',\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\n)\n", "version": 2, "tags": [ { "name": "description", - "value": "Microsoft has observed threat actors exploiting vulnerabilities associated with Log4J." + "value": "Microsoft has observed attackers exploiting vulnerabilities associated with Log4J." }, { "name": "tactics", - "value": "InitialAccess,Execution" + "value": "InitialAccess" } ] } @@ -6998,7 +7420,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "contentKind": "HuntingQuery", - "displayName": "Devices with Log4j vulnerability alerts and additional other alert related context", + "displayName": "Alerts Related to Log4j Vulnerability", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.0')))]", "version": "1.0.0" 
@@ -7013,7 +7435,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -7027,18 +7449,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Alerts Related to Log4j Vulnerability", + "displayName": "Malicious Use of MSBuild as LOLBin", "category": "Hunting Queries", - "query": "AlertInfo\n| where Title in~('Suspicious script launched',\n'Exploitation attempt against Log4j (CVE-2021-44228)',\n'Suspicious process executed by a network service',\n'Possible target of Log4j exploitation (CVE-2021-44228)',\n'Possible target of Log4j exploitation',\n'Possible Log4j exploitation',\n'Network connection seen in CVE-2021-44228 exploitation',\n'Log4j exploitation detected',\n'Possible exploitation of CVE-2021-44228',\n'Possible target of Log4j vulnerability (CVE-2021-44228) scanning',\n'Possible source of Log4j exploitation',\n'Log4j exploitation attempt via cloud application', // Previously titled Exploitation attempt against Log4j\n'Log4j exploitation attempt via email' // Previously titled Log4j Exploitation Attempt\n)\n", + "query": "DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmiprvse.exe\" \n| where FileName =~ \"msbuild.exe\" and ProcessCommandLine has \"programdata\"\n", "version": 2, "tags": [ { "name": "description", - "value": "Microsoft has observed attackers exploiting vulnerabilities associated with Log4J." + "value": "Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2." }, { "name": "tactics", - "value": "InitialAccess" + "value": "CommandAndControl" } ] } 
@@ -7079,7 +7501,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "contentKind": "HuntingQuery", - "displayName": "Alerts Related to Log4j Vulnerability", + "displayName": "Malicious Use of MSBuild as LOLBin", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.0')))]", "version": "1.0.0" @@ -7094,7 +7516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -7108,18 +7530,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Malicious Use of MSBuild as LOLBin", + "displayName": "Qakbot Reconnaissance Activities", "category": "Hunting Queries", - "query": "DeviceProcessEvents \n| where InitiatingProcessFileName =~ \"wmiprvse.exe\" \n| where FileName =~ \"msbuild.exe\" and ProcessCommandLine has \"programdata\"\n", + "query": "DeviceProcessEvents\n| where InitiatingProcessFileName == InitiatingProcessCommandLine\n| where ProcessCommandLine has_any (\n\"whoami /all\",\"cmd /c set\",\"arp -a\",\"ipconfig /all\",\"net view /all\",\"nslookup -querytype=ALL -timeout=10\",\n\"net share\",\"route print\",\"netstat -nao\",\"net localgroup\")\n| summarize dcount(FileName), make_set(ProcessCommandLine, 10000) by DeviceId,bin(TimeGenerated, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine\n| where dcount_FileName >= 8\n", "version": 2, "tags": [ { "name": "description", - "value": "Prior to deploying Macaw ransomware in an organization, the adversary frequently uses MSBuild.exe as a LOLBin to communicate with the C2." + "value": "This query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections." }, { "name": "tactics", - "value": "CommandAndControl" + "value": "Discovery" } ] } 
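Review bot: The threshold `dcount_FileName >= 8` counts distinct child images, but the ten listed commands map to only eight images if `net view`, `net share` and `net localgroup` are all recorded as `net.exe`, so the filter effectively requires every listed command to run on the host in the same day and will miss partial recon. Either lower the threshold with a comment explaining the count, or count commands instead: `| summarize dcount(ProcessCommandLine), make_set(ProcessCommandLine, 10000) by DeviceId, bin(TimeGenerated, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine` with `| where dcount_ProcessCommandLine >= 8`. `InitiatingProcessFileName == InitiatingProcessCommandLine` is also case-sensitive; if the two columns are not normalised to the same case (the hunk does not show this), `=~` is the safer way to express "parent launched with no arguments".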
@@ -7160,7 +7582,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject9')._huntingQuerycontentId9]", "contentKind": "HuntingQuery", - "displayName": "Malicious Use of MSBuild as LOLBin", + "displayName": "Qakbot Reconnaissance Activities", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject9')._huntingQuerycontentId9,'-', '1.0.0')))]", "version": "1.0.0" @@ -7175,7 +7597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -7189,18 +7611,22 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Qakbot Reconnaissance Activities", + "displayName": "Judgement Panda Exfil Activity", "category": "Hunting Queries", - "query": "DeviceProcessEvents\n| where InitiatingProcessFileName == InitiatingProcessCommandLine\n| where ProcessCommandLine has_any (\n\"whoami /all\",\"cmd /c set\",\"arp -a\",\"ipconfig /all\",\"net view /all\",\"nslookup -querytype=ALL -timeout=10\",\n\"net share\",\"route print\",\"netstat -nao\",\"net localgroup\")\n| summarize dcount(FileName), make_set(ProcessCommandLine, 10000) by DeviceId,bin(TimeGenerated, 1d), InitiatingProcessFileName, InitiatingProcessCommandLine\n| where dcount_FileName >= 8\n", + "query": "DeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where ProcessCommandLine has @\"\\ldifde.exe -f -n \"\n or ProcessCommandLine has @\"\\7za.exe a 1.7z \" \n or ProcessCommandLine endswith @\" eprod.ldf\" \n or ProcessCommandLine has @\"\\aaaa\\procdump64.exe\" \n or ProcessCommandLine has @\"\\aaaa\\netsess.exe\" \n or ProcessCommandLine has @\"\\aaaa\\7za.exe\" \n or ProcessCommandLine has @\"copy .\\1.7z \\\" \n or ProcessCommandLine has @\"copy \\client\\c$\\aaaa\\\" \n or FolderPath == @\"C:\\Users\\Public\\7za.exe\"\n| top 100 by TimeGenerated desc\n", "version": 2, "tags": [ { "name": "description", - "value": "This query searches for reconnaissance and beaconing activities after code injection occurs in Qakbot infections." + "value": "Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.\nQuestions via Twitter: @janvonkirchheim." }, { "name": "tactics", - "value": "Discovery" + "value": "Collection" + }, + { + "name": "techniques", + "value": "T1560" } ] } 
@@ -7241,7 +7667,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "contentKind": "HuntingQuery", - "displayName": "Qakbot Reconnaissance Activities", + "displayName": "Judgement Panda Exfil Activity", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject10')._huntingQuerycontentId10,'-', '1.0.0')))]", "version": "1.0.0" @@ -7256,7 +7682,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -7270,22 +7696,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Judgement Panda Exfil Activity", + "displayName": "C2-NamedPipe", "category": "Hunting Queries", - "query": "DeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where ProcessCommandLine has @\"\\ldifde.exe -f -n \"\n or ProcessCommandLine has @\"\\7za.exe a 1.7z \" \n or ProcessCommandLine endswith @\" eprod.ldf\" \n or ProcessCommandLine has @\"\\aaaa\\procdump64.exe\" \n or ProcessCommandLine has @\"\\aaaa\\netsess.exe\" \n or ProcessCommandLine has @\"\\aaaa\\7za.exe\" \n or ProcessCommandLine has @\"copy .\\1.7z \\\" \n or ProcessCommandLine has @\"copy \\client\\c$\\aaaa\\\" \n or FolderPath == @\"C:\\Users\\Public\\7za.exe\"\n| top 100 by TimeGenerated desc\n", + "query": "// maximum lookback time\nlet minTimeRange = ago(7d);\n// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)\nlet badPipeNames = pack_array(\n '\\\\psexec', // PSexec default pipe\n '\\\\paexec', // PSexec default pipe\n '\\\\remcom', // PSexec default pipe\n '\\\\csexec', // PSexec default pipe\n '\\\\isapi_http', // Uroburos Malware Named Pipe\n '\\\\isapi_dg', // Uroburos Malware Named Pipe\n '\\\\isapi_dg2', // Uroburos Malware Named Pipe\n '\\\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX\n '\\\\ahexec', // Sofacy group malware\n '\\\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A\n '\\\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A\n '\\\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A\n '\\\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input\n '\\\\NamePipe_MoreWindows', // Cloud Hopper Annex B 
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A\n '\\\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0\n '\\\\gruntsvc', // Covenant default named pipe\n '\\\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n '\\\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/\n '\\\\atctl', // https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection\n '\\\\userpipe', // ruag apt case\n '\\\\iehelper', // ruag apt case\n '\\\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\lsadump', // Cred Dump-Tools Named Pipes\n '\\\\cachedump', // Cred Dump-Tools Named Pipes\n '\\\\wceservicepipe', // Cred Dump-Tools Named Pipes\n '\\\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe\n '\\\\svcctl', // CrackMapExec default named pipe\n '\\\\csexecsvc' // CSEXEC default named pipe\n '\\\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253\n '\\\\MSSE-', // CobaltStrike default named pipe\n '\\\\status_', // CobaltStrike default named pipe\n '\\\\msagent_', // (target) CobaltStrike default named pipe\n '\\\\postex_ssh_', // CobaltStrike default named pipe\n '\\\\postex_', // CobaltStrike default named pipe\n '\\\\Posh' // PoshC2 default named pipe\n);\nDeviceEvents\n| where ActionType == \"NamedPipeEvent\" and Timestamp > minTimeRange\n| extend ParsedFields=parse_json(AdditionalFields)\n| where ParsedFields.FileOperation == \"File created\"\n| where ParsedFields.PipeName has_any 
(badPipeNames)\n| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName\n", "version": 2, "tags": [ { "name": "description", - "value": "Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.\nQuestions via Twitter: @janvonkirchheim." + "value": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c" }, { "name": "tactics", - "value": "Collection" - }, - { - "name": "techniques", - "value": "T1560" + "value": "CommandAndControl" } ] } @@ -7326,7 +7748,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject11')._huntingQuerycontentId11]", "contentKind": "HuntingQuery", - "displayName": "Judgement Panda Exfil Activity", + "displayName": "C2-NamedPipe", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject11')._huntingQuerycontentId11,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject11')._huntingQuerycontentId11,'-', '1.0.0')))]", "version": "1.0.0" 
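Review bot: `badPipeNames` is missing a comma after `'\\csexecsvc'` (just before the `// CSEXEC default named pipe` comment), so it and the following `'\\status_'` are adjacent literals; KQL concatenates those into one string, so the CSEXEC pipe silently never matches rather than failing loudly. Add the comma in the source YAML: `'\\csexecsvc', // CSEXEC default named pipe`. The list also repeats `'\\sdlrpc'` and `'\\status_'`, which is harmless but worth tidying. The time filter uses `Timestamp > minTimeRange` while the projection uses `TimeGenerated`; if the workspace's DeviceEvents table does not carry a `Timestamp` column the query errors, so `TimeGenerated` is the safer choice for a Sentinel package. The header comment says `has_any (wildcard)`, but `has_any` is term matching, so `'\\status_'` effectively matches the bare term `status` and will be noisy.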
@@ -7341,7 +7763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", 
@@ -7355,18 +7777,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "C2-NamedPipe", + "displayName": "Recon with Rundll", "category": "Hunting Queries", - "query": "// maximum lookback time\nlet minTimeRange = ago(7d);\n// this is what should be constantly tweaked with default C2 framework names, search uses has_any (wildcard)\nlet badPipeNames = pack_array(\n '\\\\psexec', // PSexec default pipe\n '\\\\paexec', // PSexec default pipe\n '\\\\remcom', // PSexec default pipe\n '\\\\csexec', // PSexec default pipe\n '\\\\isapi_http', // Uroburos Malware Named Pipe\n '\\\\isapi_dg', // Uroburos Malware Named Pipe\n '\\\\isapi_dg2', // Uroburos Malware Named Pipe\n '\\\\sdlrpc', // Cobra Trojan Named Pipe http://goo.gl/8rOZUX\n '\\\\ahexec', // Sofacy group malware\n '\\\\winsession', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\lsassw', // Wild Neutron APT malware https://goo.gl/pivRZJ\n '\\\\46a676ab7f179e511e30dd2dc41bd388', // Project Sauron https://goo.gl/eFoP4A\n '\\\\9f81f59bc58452127884ce513865ed20', // Project Sauron https://goo.gl/eFoP4A\n '\\\\e710f28d59aa529d6792ca6ff0ca1b34', // Project Sauron https://goo.gl/eFoP4A\n '\\\\rpchlp_3', // Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input\n '\\\\NamePipe_MoreWindows', // Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A\n '\\\\pcheap_reuse', // Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0\n '\\\\gruntsvc', // Covenant default named pipe\n '\\\\583da945-62af-10e8-4902-a8f205c72b2e', // SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n '\\\\bizkaz', // Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/\n '\\\\atctl', 
// https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection\n '\\\\userpipe', // ruag apt case\n '\\\\iehelper', // ruag apt case\n '\\\\sdlrpc', // project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\comnap', // https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra\n '\\\\lsadump', // Cred Dump-Tools Named Pipes\n '\\\\cachedump', // Cred Dump-Tools Named Pipes\n '\\\\wceservicepipe', // Cred Dump-Tools Named Pipes\n '\\\\jaccdpqnvbrrxlaf', // PoshC2 default named pipe\n '\\\\svcctl', // CrackMapExec default named pipe\n '\\\\csexecsvc' // CSEXEC default named pipe\n '\\\\status_', // CS default named pipes https://github.com/Neo23x0/sigma/issues/253\n '\\\\MSSE-', // CobaltStrike default named pipe\n '\\\\status_', // CobaltStrike default named pipe\n '\\\\msagent_', // (target) CobaltStrike default named pipe\n '\\\\postex_ssh_', // CobaltStrike default named pipe\n '\\\\postex_', // CobaltStrike default named pipe\n '\\\\Posh' // PoshC2 default named pipe\n);\nDeviceEvents\n| where ActionType == \"NamedPipeEvent\" and Timestamp > minTimeRange\n| extend ParsedFields=parse_json(AdditionalFields)\n| where ParsedFields.FileOperation == \"File created\"\n| where ParsedFields.PipeName has_any (badPipeNames)\n| project TimeGenerated, ActionType, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, ParsedFields.FileOperation, ParsedFields.PipeName\n", + "query": "DeviceNetworkEvents\n| where InitiatingProcessFileName =~ \"rundll32.exe\"\n// Empty command line\n| where InitiatingProcessCommandLine has \"rundll32.exe\" and InitiatingProcessCommandLine !contains \" \" \nand InitiatingProcessCommandLine != \"\" \n| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP, 100000), make_set(RemoteUrl, 100000), \nmake_set(RemotePort, 100000) by 
InitiatingProcessCommandLine, DeviceId, bin(TimeGenerated, 5m)\n", "version": 2, "tags": [ { "name": "description", - "value": "Detects the creation of a named pipe used by known APT malware.\nReference - https://docs.microsoft.com/openspecs/windows_protocols/ms-wpo/4de75e21-36fd-440a-859b-75accc74487c" + "value": "This query detects suspicious rundll.exe activity associated with Trickbot campaigns." }, { "name": "tactics", - "value": "CommandAndControl" + "value": "Discovery,Collection,CommandAndControl" } ] } @@ -7407,7 +7829,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject12')._huntingQuerycontentId12]", "contentKind": "HuntingQuery", - "displayName": "C2-NamedPipe", + "displayName": "Recon with Rundll", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject12')._huntingQuerycontentId12,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject12')._huntingQuerycontentId12,'-', '1.0.0')))]", "version": "1.0.0" @@ -7422,7 +7844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", 
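Review bot: The description says `rundll.exe` while the query filters `InitiatingProcessFileName =~ "rundll32.exe"`; change it to `This query detects network connections from rundll32.exe launched with an empty command line, activity associated with Trickbot campaigns.`. The `InitiatingProcessCommandLine has "rundll32.exe"` clause is redundant with the file-name filter on the line above and can be dropped, leaving the `!contains " "` and `!= ""` checks to express the "no arguments" condition that the `// Empty command line` comment describes.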
@@ -7436,18 +7858,18 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Recon with Rundll", + "displayName": "DopplePaymer Procdump", "category": "Hunting Queries", - "query": "DeviceNetworkEvents\n| where InitiatingProcessFileName =~ \"rundll32.exe\"\n// Empty command line\n| where InitiatingProcessCommandLine has \"rundll32.exe\" and InitiatingProcessCommandLine !contains \" \" \nand InitiatingProcessCommandLine != \"\" \n| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP, 100000), make_set(RemoteUrl, 100000), \nmake_set(RemotePort, 100000) by InitiatingProcessCommandLine, DeviceId, bin(TimeGenerated, 5m)\n", + "query": "// Dumping of LSASS memory using procdump\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n// Command lines that include \"lsass\" and -accepteula or -ma flags used in procdump\n| where (ProcessCommandLine has \"lsass\" and (ProcessCommandLine has \"-accepteula\" or\nProcessCommandLine contains \"-ma\"))\n// Omits possible FPs where the full command is just \"procdump.exe lsass\"\nor (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')\n", "version": 2, "tags": [ { "name": "description", - "value": "This query detects suspicious rundll.exe activity associated with Trickbot campaigns." + "value": "Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators." }, { "name": "tactics", - "value": "Discovery,Collection,CommandAndControl" + "value": "CredentialAccess" } ] } 
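Review bot: The comment `// Omits possible FPs where the full command is just "procdump.exe lsass"` contradicts the clause beneath it: the `or (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')` branch adds that case rather than omitting it. Reword it to `// Also catch procdump invoked against lsass without the -ma/-accepteula flags`. Separately, `ProcessCommandLine contains "-ma"` is a substring test that also matches unrelated switches such as `--max` or `-map`; a bounded match like `ProcessCommandLine matches regex @"(?i)\s-ma\s"` is tighter, and a one-line comment that a dump targeted by PID (`procdump -ma 1234`) is not covered by this string match would help the reader calibrate the query.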
@@ -7488,7 +7910,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject13')._huntingQuerycontentId13]", "contentKind": "HuntingQuery", - "displayName": "Recon with Rundll", + "displayName": "DopplePaymer Procdump", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject13')._huntingQuerycontentId13,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject13')._huntingQuerycontentId13,'-', '1.0.0')))]", "version": "1.0.0" @@ -7503,7 +7925,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -7517,14 +7939,14 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "DopplePaymer Procdump", + "displayName": "Credential Harvesting Using LaZagne", "category": "Hunting Queries", - "query": "// Dumping of LSASS memory using procdump\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n// Command lines that include \"lsass\" and -accepteula or -ma flags used in procdump\n| where (ProcessCommandLine has \"lsass\" and (ProcessCommandLine has \"-accepteula\" or\nProcessCommandLine contains \"-ma\"))\n// Omits possible FPs where the full command is just \"procdump.exe lsass\"\nor (FileName in~ ('procdump.exe','procdump64.exe') and ProcessCommandLine has 'lsass')\n", + "query": "// Find credential theft via SAM database export by LaZagne\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where FileName =~ 'reg.exe'\n and ProcessCommandLine has 'save'\n and ProcessCommandLine has 'hklm'\n and ProcessCommandLine has 'sam'\n| project DeviceId, TimeGenerated, InitiatingProcessId,\nInitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine\n", "version": 2, "tags": [ { "name": "description", - "value": "Detects the use of ProcDump to dump credentials from LSASS memory by DoppelPaymer ransomware operators." + "value": "Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators." }, { "name": "tactics", 
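Review bot: The query matches any `reg.exe save hklm\sam`, which is generic SAM hive export regardless of tool, while the display name and description attribute it to LaZagne and Ryuk; readers will over-trust that attribution when triaging. Reword the description to `Detects export of the SAM registry hive via reg.exe save, a credential-theft step used by LaZagne and observed in Ryuk intrusions.`. Offline decryption of the SAM also needs the SYSTEM hive, so `ProcessCommandLine has_any ('sam','system','security')` in place of `has 'sam'` would catch the paired `reg save hklm\system` command as well. The enclosing hunting-query object continues past the hunk (its `tactics` value is outside it).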
@@ -7569,7 +7991,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject14')._huntingQuerycontentId14]", "contentKind": "HuntingQuery", - "displayName": "DopplePaymer Procdump", + "displayName": "Credential Harvesting Using LaZagne", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject14')._huntingQuerycontentId14,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject14')._huntingQuerycontentId14,'-', '1.0.0')))]", "version": "1.0.0" @@ -7584,7 +8006,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", 
@@ -7598,14 +8020,14 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Credential Harvesting Using LaZagne", + "displayName": "LSASS Credential Dumping with Procdump", "category": "Hunting Queries", - "query": "// Find credential theft via SAM database export by LaZagne\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where FileName =~ 'reg.exe'\n and ProcessCommandLine has 'save'\n and ProcessCommandLine has 'hklm'\n and ProcessCommandLine has 'sam'\n| project DeviceId, TimeGenerated, InitiatingProcessId,\nInitiatingProcessFileName, ProcessId, FileName, ProcessCommandLine\n", + "query": "DeviceProcessEvents \n| where (FileName has_any (\"procdump.exe\", \"procdump64.exe\") and ProcessCommandLine has \"lsass\") or \n// Looking for Accepteula flag or Write a dump file with all process memory\n(ProcessCommandLine has \"lsass.exe\" and (ProcessCommandLine has \"-accepteula\" or ProcessCommandLine contains \"-ma\"))\n", "version": 2, "tags": [ { "name": "description", - "value": "Detects the use of LaZagne to steal credentials from the SAM database by Ryuk ransomware operators." + "value": "Detects the use of Procdump to dump credentials from LSASS memory." }, { "name": "tactics", @@ -7650,7 +8072,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('huntingQueryObject15')._huntingQuerycontentId15]", "contentKind": "HuntingQuery", - "displayName": "Credential Harvesting Using LaZagne", + "displayName": "LSASS Credential Dumping with Procdump", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject15')._huntingQuerycontentId15,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject15')._huntingQuerycontentId15,'-', '1.0.0')))]", "version": "1.0.0" 
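Review bot: The second branch `ProcessCommandLine has "lsass.exe" and (...)` requires the `.exe` suffix, but `procdump -ma lsass` without a suffix is the common form; the sibling `DopplePaymer Procdump` query in this same package uses `has "lsass"` for the equivalent branch, and a renamed procdump binary is only caught by this branch. Loosen it to `(ProcessCommandLine has "lsass" and (ProcessCommandLine has "-accepteula" or ProcessCommandLine contains "-ma"))`. `FileName has_any ("procdump.exe", "procdump64.exe")` is a term match on a file name; `FileName in~ ("procdump.exe", "procdump64.exe")` is the exact operator the other query already uses. The enclosing hunting-query object continues past the hunk (its `tactics` value is outside it).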
@@ -7665,7 +8087,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]",
@@ -7679,18 +8101,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "LSASS Credential Dumping with Procdump",
+ "displayName": "Doppelpaymer Stop Services",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents \n| where (FileName has_any (\"procdump.exe\", \"procdump64.exe\") and ProcessCommandLine has \"lsass\") or \n// Looking for Accepteula flag or Write a dump file with all process memory\n(ProcessCommandLine has \"lsass.exe\" and (ProcessCommandLine has \"-accepteula\" or ProcessCommandLine contains \"-ma\"))\n",
+ "query": "// Attempts to stop services and allow ransomware execution\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where InitiatingProcessFileName startswith \"psexe\" and FileName =~ \"powershell.exe\" and\nProcessCommandLine has \"stop-service\"\nand ProcessCommandLine has \"sql\" and ProcessCommandLine has \"msexchange\"\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "Detects the use of Procdump to dump credentials from LSASS memory."
+ "value": "This query searches for attempts to stop security services, which is a common tactic used by DoppelPaymer ransomware operators."
 },
 {
 "name": "tactics",
- "value": "CredentialAccess"
+ "value": "Execution,DefenseEvasion"
 }
 ]
 }
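Review bot: The new description tag says the query looks for attempts to stop security services, but the `query` line matches `stop-service` command lines that contain `sql` and `msexchange`, i.e. database and mail services being stopped ahead of encryption, so the description misstates what an analyst will actually see. Suggest `"value": "This query searches for PsExec-launched PowerShell stopping SQL and Exchange services, a common precursor to DoppelPaymer ransomware encryption."`. The `FileName =~ "powershell.exe"` filter also misses PowerShell 7; `FileName in~ ("powershell.exe", "pwsh.exe")` would cover both. Stopping services maps to Impact (T1489) rather than the `Execution,DefenseEvasion` tactics tag, if the tags here are meant to follow ATT&CK.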
@@ -7731,7 +8153,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject16')._huntingQuerycontentId16]",
 "contentKind": "HuntingQuery",
- "displayName": "LSASS Credential Dumping with Procdump",
+ "displayName": "Doppelpaymer Stop Services",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject16')._huntingQuerycontentId16,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject16')._huntingQuerycontentId16,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -7746,7 +8168,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]",
@@ -7760,18 +8182,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Doppelpaymer Stop Services",
+ "displayName": "Qakbot Campaign Self Deletion",
 "category": "Hunting Queries",
- "query": "// Attempts to stop services and allow ransomware execution\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where InitiatingProcessFileName startswith \"psexe\" and FileName =~ \"powershell.exe\" and\nProcessCommandLine has \"stop-service\"\nand ProcessCommandLine has \"sql\" and ProcessCommandLine has \"msexchange\"\n",
+ "query": "DeviceProcessEvents \n| where FileName =~ \"ping.exe\"\n| where InitiatingProcessFileName =~ \"cmd.exe\"\n| where (InitiatingProcessCommandLine has \"calc.exe\") and (InitiatingProcessCommandLine has \"-n 6\") and (InitiatingProcessCommandLine has \"127.0.0.1\")\n| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query searches for attempts to stop security services, which is a common tactic used by DoppelPaymer ransomware operators."
+ "value": "This query detects if an instance of Qakbot has attempted to overwrite its original binary."
 },
 {
 "name": "tactics",
- "value": "Execution,DefenseEvasion"
+ "value": "DefenseEvasion"
 }
 ]
 }
@@ -7812,7 +8234,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject17')._huntingQuerycontentId17]",
 "contentKind": "HuntingQuery",
- "displayName": "Doppelpaymer Stop Services",
+ "displayName": "Qakbot Campaign Self Deletion",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject17')._huntingQuerycontentId17,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject17')._huntingQuerycontentId17,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -7827,7 +8249,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]",
@@ -7841,18 +8263,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Qakbot Campaign Self Deletion",
+ "displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents \n| where FileName =~ \"ping.exe\"\n| where InitiatingProcessFileName =~ \"cmd.exe\"\n| where (InitiatingProcessCommandLine has \"calc.exe\") and (InitiatingProcessCommandLine has \"-n 6\") and (InitiatingProcessCommandLine has \"127.0.0.1\")\n| project TimeGenerated, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId\n",
+ "query": "// Suspicious commands launched by web server processes\nDeviceProcessEvents \n| where TimeGenerated > ago(7d)\n// Pivoting on parents or grand parents\nand (((InitiatingProcessParentFileName in(\"w3wp.exe\", \"beasvc.exe\",\n\"httpd.exe\") or InitiatingProcessParentFileName startswith \"tomcat\")\nor InitiatingProcessFileName in(\"w3wp.exe\", \"beasvc.exe\", \"httpd.exe\") or\nInitiatingProcessFileName startswith \"tomcat\"))\n and FileName in~('cmd.exe','powershell.exe')\n| where ProcessCommandLine contains '%temp%'\n or ProcessCommandLine has 'wget'\n or ProcessCommandLine has 'whoami'\n or ProcessCommandLine has 'certutil'\n or ProcessCommandLine has 'systeminfo'\n or ProcessCommandLine has 'ping'\n or ProcessCommandLine has 'ipconfig'\n or ProcessCommandLine has 'timeout'\n| summarize take_any(TimeGenerated), take_any(TimeGenerated), take_any(FileName),\nmake_set(ProcessCommandLine, 100000), take_any(InitiatingProcessFileName),\ntake_any(InitiatingProcessParentFileName) by DeviceId\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query detects if an instance of Qakbot has attempted to overwrite its original binary."
+ "value": "Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery."
 },
 {
 "name": "tactics",
- "value": "DefenseEvasion"
+ "value": "Execution,DefenseEvasion,Discovery"
 }
 ]
 }
@@ -7893,7 +8315,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject18')._huntingQuerycontentId18]",
 "contentKind": "HuntingQuery",
- "displayName": "Qakbot Campaign Self Deletion",
+ "displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject18')._huntingQuerycontentId18,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject18')._huntingQuerycontentId18,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -7908,7 +8330,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]",
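Review bot: The `summarize` at the end of the new `query` line (which begins on the previous line) aggregates `take_any(TimeGenerated)` twice, producing two identically named output columns; Kusto is likely to reject that, and at best it is redundant. Replace the pair with `min(TimeGenerated), max(TimeGenerated)` so the analyst sees the activity window for each device instead of an arbitrary sample. The parent and grandparent filters use case-sensitive `in(` for `"w3wp.exe", "beasvc.exe", "httpd.exe"` while the child filter uses `in~`; using `in~` on all three avoids missing events where the image name is reported in a different case. The `has 'ping'` and `has 'timeout'` terms will fire on routine health checks from a web host, so the description tag should say this is a triage list rather than a high-fidelity detection.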
@@ -7922,18 +8344,22 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
+ "displayName": "Anomalous Payload Delivered from ISO files",
 "category": "Hunting Queries",
- "query": "// Suspicious commands launched by web server processes\nDeviceProcessEvents \n| where TimeGenerated > ago(7d)\n// Pivoting on parents or grand parents\nand (((InitiatingProcessParentFileName in(\"w3wp.exe\", \"beasvc.exe\",\n\"httpd.exe\") or InitiatingProcessParentFileName startswith \"tomcat\")\nor InitiatingProcessFileName in(\"w3wp.exe\", \"beasvc.exe\", \"httpd.exe\") or\nInitiatingProcessFileName startswith \"tomcat\"))\n and FileName in~('cmd.exe','powershell.exe')\n| where ProcessCommandLine contains '%temp%'\n or ProcessCommandLine has 'wget'\n or ProcessCommandLine has 'whoami'\n or ProcessCommandLine has 'certutil'\n or ProcessCommandLine has 'systeminfo'\n or ProcessCommandLine has 'ping'\n or ProcessCommandLine has 'ipconfig'\n or ProcessCommandLine has 'timeout'\n| summarize take_any(TimeGenerated), take_any(TimeGenerated), take_any(FileName),\nmake_set(ProcessCommandLine, 100000), take_any(InitiatingProcessFileName),\ntake_any(InitiatingProcessParentFileName) by DeviceId\n",
+ "query": "DeviceEvents\n| where TimeGenerated > ago(30d) \n| where ActionType == 'BrowserLaunchedToOpenUrl' \n| where RemoteUrl endswith \".lnk\"\n| where RemoteUrl !startswith \"C:\"\n| project LNKLaunchTimestamp = TimeGenerated, DeviceName, RemoteUrl\n| parse RemoteUrl with Drive '\\\\' *\n| extend Drive= tostring(Drive)\n| where isnotempty(Drive)\n| join kind=innerunique (\nDeviceProcessEvents\n| where TimeGenerated > ago(30d)\n| where FolderPath !startswith \"C:\"\n| parse FolderPath with Drive '\\\\' *\n| project Drive= tostring(Drive), StartedProcessTimestamp = TimeGenerated, StartedProcessName = FileName, StartedProcessSHA1 = SHA1, StartedProcessCommandline = ProcessCommandLine, 
StartedProcessPath = FolderPath, DeviceName, StartedProcessParentName = InitiatingProcessFileName, StartedProcessParentCmdline = InitiatingProcessCommandLine, StartedParentProcessFolderPath = InitiatingProcessFolderPath, StartedProcessGrandParent = InitiatingProcessParentFileName, TimeGenerated\n) on DeviceName, Drive\n| where StartedProcessTimestamp between (LNKLaunchTimestamp ..(LNKLaunchTimestamp+1m))\n| project-away Drive1, DeviceName1\n| project-reorder LNKLaunchTimestamp, StartedProcessTimestamp, DeviceName, RemoteUrl, Drive, StartedProcessName, StartedProcessSHA1, StartedProcessPath,StartedProcessCommandline, StartedProcessParentName, StartedProcessParentCmdline, StartedParentProcessFolderPath, StartedProcessGrandParent, TimeGenerated\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "Detect suspicious commands initiated by web server processes used for network discovery and user/owner discovery."
+ "value": "This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files."
 },
 {
 "name": "tactics",
- "value": "Execution,DefenseEvasion,Discovery"
+ "value": "Execution"
+ },
+ {
+ "name": "techniques",
+ "value": "T1204"
 }
 ]
 }
@@ -7974,7 +8400,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject19')._huntingQuerycontentId19]",
 "contentKind": "HuntingQuery",
- "displayName": "Detect Suspicious Commands Initiated by Webserver Processes",
+ "displayName": "Anomalous Payload Delivered from ISO files",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject19')._huntingQuerycontentId19,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject19')._huntingQuerycontentId19,'-', '1.0.0')))]",
 "version": "1.0.0"
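Review bot: `join kind=innerunique (` in the new `query` line (which begins on the previous line) keeps only one left-side row per `DeviceName, Drive`, so when a device launched several LNK files from the same mounted drive within the 30-day window, all but one launch are discarded before the `between (LNKLaunchTimestamp ..(LNKLaunchTimestamp+1m))` filter runs and their follow-on process starts are never correlated. Use `| join kind=inner (` so every LNK launch is matched against the process events. The `!startswith "C:"` filters on both sides assume the system drive is C:, which is not guaranteed; at minimum a comment stating that assumption belongs in the query, and the description tag should mention that any non-C: drive (USB, network share) will also surface here, not only mounted ISOs.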
@@ -7989,7 +8415,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]",
@@ -8003,22 +8429,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Anomalous Payload Delivered from ISO files",
+ "displayName": "Bitsadmin Activity",
 "category": "Hunting Queries",
- "query": "DeviceEvents\n| where TimeGenerated > ago(30d) \n| where ActionType == 'BrowserLaunchedToOpenUrl' \n| where RemoteUrl endswith \".lnk\"\n| where RemoteUrl !startswith \"C:\"\n| project LNKLaunchTimestamp = TimeGenerated, DeviceName, RemoteUrl\n| parse RemoteUrl with Drive '\\\\' *\n| extend Drive= tostring(Drive)\n| where isnotempty(Drive)\n| join kind=innerunique (\nDeviceProcessEvents\n| where TimeGenerated > ago(30d)\n| where FolderPath !startswith \"C:\"\n| parse FolderPath with Drive '\\\\' *\n| project Drive= tostring(Drive), StartedProcessTimestamp = TimeGenerated, StartedProcessName = FileName, StartedProcessSHA1 = SHA1, StartedProcessCommandline = ProcessCommandLine, StartedProcessPath = FolderPath, DeviceName, StartedProcessParentName = InitiatingProcessFileName, StartedProcessParentCmdline = InitiatingProcessCommandLine, StartedParentProcessFolderPath = InitiatingProcessFolderPath, StartedProcessGrandParent = InitiatingProcessParentFileName, TimeGenerated\n) on DeviceName, Drive\n| where StartedProcessTimestamp between (LNKLaunchTimestamp ..(LNKLaunchTimestamp+1m))\n| project-away Drive1, DeviceName1\n| project-reorder LNKLaunchTimestamp, StartedProcessTimestamp, DeviceName, RemoteUrl, Drive, StartedProcessName, StartedProcessSHA1, StartedProcessPath,StartedProcessCommandline, StartedProcessParentName, StartedProcessParentCmdline, StartedParentProcessFolderPath, StartedProcessGrandParent, TimeGenerated\n",
+ "query": "DeviceProcessEvents\n| where \n (FileName =~ \"bitsadmin.exe\" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')\n and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')\n| extend \n ParsedCommandLine = 
parse_command_line(ProcessCommandLine,'windows')\n| extend \n RemoteUrl = tostring(ParsedCommandLine[-2]),\n LocalFile= tostring(ParsedCommandLine[-1]),\n Direction = iff(ProcessCommandLine has \"/Upload\", 'Upload', 'Download')\n| project-reorder \n TimeGenerated,\n DeviceId,\n DeviceName,\n Direction,\n RemoteUrl,\n LocalFile,\n InitiatingProcessFolderPath,\n InitiatingProcessAccountDomain,\n InitiatingProcessAccountName,\n InitiatingProcessSHA256,\n ProcessCommandLine\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query searches for lnk file executions from other locations than C: drive, which can relate to mounted ISO-files."
+ "value": "This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader."
 },
 {
 "name": "tactics",
- "value": "Execution"
- },
- {
- "name": "techniques",
- "value": "T1204"
+ "value": "Persistence,CommandAndControl,Exfiltration"
 }
 ]
 }
@@ -8059,7 +8481,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject20')._huntingQuerycontentId20]",
 "contentKind": "HuntingQuery",
- "displayName": "Anomalous Payload Delivered from ISO files",
+ "displayName": "Bitsadmin Activity",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject20')._huntingQuerycontentId20,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject20')._huntingQuerycontentId20,'-', '1.0.0')))]",
 "version": "1.0.0"
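Review bot: `RemoteUrl = tostring(ParsedCommandLine[-2])` and `LocalFile= tostring(ParsedCommandLine[-1])` in the new `query` line (which begins on the previous line) assume the remote URL and local path are always the last two tokens; that holds for `/Transfer` and `/AddFile`, but per bitsadmin's documented syntax `/AddFileSet <job> <textfile>` and `/AddFileWithRanges <job> <remoteURL> <localName> <rangelist>` end with other arguments, so for two of the four verbs the query fills those columns with the wrong values and an analyst pivoting on `RemoteUrl` is misled. Restrict the extraction to the verbs where the layout is known, e.g. `RemoteUrl = iff(ProcessCommandLine has_any ('/Transfer','/AddFile'), tostring(ParsedCommandLine[-2]), '')` and likewise for `LocalFile`, or extract per verb. A short comment noting the positional assumption would also help whoever next extends the verb list.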
@@ -8074,7 +8496,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]",
@@ -8088,18 +8510,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Bitsadmin Activity",
+ "displayName": "Detect Malicious use of MSIExec",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents\n| where \n (FileName =~ \"bitsadmin.exe\" or column_ifexists('ProcessVersionInfoOriginalFileName','ColumnNotAvailable') =~ 'bitsadmin.exe')\n and ProcessCommandLine has_any ('/Transfer','/AddFile', '/AddFileSet','/AddFileWithRanges')\n| extend \n ParsedCommandLine = parse_command_line(ProcessCommandLine,'windows')\n| extend \n RemoteUrl = tostring(ParsedCommandLine[-2]),\n LocalFile= tostring(ParsedCommandLine[-1]),\n Direction = iff(ProcessCommandLine has \"/Upload\", 'Upload', 'Download')\n| project-reorder \n TimeGenerated,\n DeviceId,\n DeviceName,\n Direction,\n RemoteUrl,\n LocalFile,\n InitiatingProcessFolderPath,\n InitiatingProcessAccountDomain,\n InitiatingProcessAccountName,\n InitiatingProcessSHA256,\n ProcessCommandLine\n",
+ "query": "//Find possible download and execution using Msiexec\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n//MSIExec\n| where FileName =~ \"msiexec.exe\" and \n//With domain in command line\n(ProcessCommandLine has \"http\" and ProcessCommandLine has \"return\")//Find PowerShell running files from the temp folder\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query searches for use of bitsadmin.exe for file transfer, which can be used for legitimate purposes or as part of a malware downloader."
+ "value": "This query detects possible download and execution using Msiexec."
 },
 {
 "name": "tactics",
- "value": "Persistence,CommandAndControl,Exfiltration"
+ "value": "Execution,PrivilegeEscalation,CredentialAccess"
 }
 ]
 }
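Review bot: The new `query` line ends with `//Find PowerShell running files from the temp folder` glued onto the closing parenthesis, a comment that describes a different hunt (nothing here touches PowerShell or the temp folder) and reads as copy-paste residue; remove it. `ProcessCommandLine has "http"` is a whole-term match and therefore does not match `https://` URLs, so the `//With domain in command line` intent is only half met; use `ProcessCommandLine has_any ("http", "https")`. The `tactics` value `Execution,PrivilegeEscalation,CredentialAccess` does not fit a download-and-execute hunt and looks copied from the neighbouring Mimikatz query; `Execution,DefenseEvasion` (msiexec as a signed-binary proxy, T1218.007) matches what this query actually surfaces. If this template is generated from the solution's query YAML, make the fixes there rather than in this file.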
@@ -8140,7 +8562,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject21')._huntingQuerycontentId21]",
 "contentKind": "HuntingQuery",
- "displayName": "Bitsadmin Activity",
+ "displayName": "Detect Malicious use of MSIExec",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject21')._huntingQuerycontentId21,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject21')._huntingQuerycontentId21,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -8155,7 +8577,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]",
@@ -8169,18 +8591,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Detect Malicious use of MSIExec",
+ "displayName": "Detect Malicious use of Msiexec Mimikatz",
 "category": "Hunting Queries",
- "query": "//Find possible download and execution using Msiexec\nDeviceProcessEvents\n| where TimeGenerated > ago(7d)\n//MSIExec\n| where FileName =~ \"msiexec.exe\" and \n//With domain in command line\n(ProcessCommandLine has \"http\" and ProcessCommandLine has \"return\")//Find PowerShell running files from the temp folder\n",
+ "query": "DeviceProcessEvents\n| where Timestamp > ago(7d)\n| where InitiatingProcessFileName =~ \"msiexec.exe\"\n//Mimikatz commands\nand (ProcessCommandLine contains \"privilege::\" \nor ProcessCommandLine has \"sekurlsa\" \nor ProcessCommandLine contains \"token::\")\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query detects possible download and execution using Msiexec."
+ "value": "This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool."
 },
 {
 "name": "tactics",
- "value": "Execution,PrivilegeEscalation,CredentialAccess"
+ "value": "Execution,CredentialAccess,PrivilegeEscalation"
 }
 ]
 }
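Review bot: The new `query` line filters on `Timestamp > ago(7d)` while every sibling query in this diff filters the same `DeviceProcessEvents` table on `TimeGenerated`; if the workspace schema does not expose `Timestamp` the query fails outright, and even where it does, `TimeGenerated` is what the Sentinel time picker and the other hunts key on. Change it to `| where TimeGenerated > ago(7d)` for consistency. The Mimikatz indicators (`privilege::`, `sekurlsa`, `token::`) are only evaluated for children of `msiexec.exe`, which matches the description, but a one-line comment in the query stating that scoping (and that direct Mimikatz execution is deliberately out of scope here) would save the next analyst from widening it by accident.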
@@ -8221,7 +8643,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject22')._huntingQuerycontentId22]",
 "contentKind": "HuntingQuery",
- "displayName": "Detect Malicious use of MSIExec",
+ "displayName": "Detect Malicious use of Msiexec Mimikatz",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject22')._huntingQuerycontentId22,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject22')._huntingQuerycontentId22,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -8236,7 +8658,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]",
@@ -8250,18 +8672,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Detect Malicious use of Msiexec Mimikatz",
+ "displayName": "Office Apps Launching Wscipt",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents\n| where Timestamp > ago(7d)\n| where InitiatingProcessFileName =~ \"msiexec.exe\"\n//Mimikatz commands\nand (ProcessCommandLine contains \"privilege::\" \nor ProcessCommandLine has \"sekurlsa\" \nor ProcessCommandLine contains \"token::\")\n",
+ "query": "DeviceProcessEvents \n| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') \n| where FileName =~ \"wscript.exe\" and ProcessCommandLine has \".jse\" \n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "This query searches for malicious use of msiexec.exe, particularly alongside mimikatz, a common credential dumper and privilege escalation tool."
+ "value": "The query searches for Office applications launching wscript.exe to run a JSE file."
 },
 {
 "name": "tactics",
- "value": "Execution,CredentialAccess,PrivilegeEscalation"
+ "value": "LateralMovement,Collection,CommandAndControl"
 }
 ]
 }
@@ -8302,7 +8724,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject23')._huntingQuerycontentId23]",
 "contentKind": "HuntingQuery",
- "displayName": "Detect Malicious use of Msiexec Mimikatz",
+ "displayName": "Office Apps Launching Wscipt",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject23')._huntingQuerycontentId23,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject23')._huntingQuerycontentId23,'-', '1.0.0')))]",
 "version": "1.0.0"
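Review bot: The new `displayName` value `"Office Apps Launching Wscipt"` (in both hunks on this line) misspells wscript and is the name analysts will see in the hunting gallery; it should read `"displayName": "Office Apps Launching Wscript"`. The `tactics` value `LateralMovement,Collection,CommandAndControl` does not describe an Office application spawning `wscript.exe` on a `.jse` file, which is classic malicious-document execution (`Execution`, arguably `InitialAccess`); the tag looks carried over from another query. `FileName =~ "wscript.exe"` also leaves out `cscript.exe`, which runs the same script host; `FileName in~ ("wscript.exe", "cscript.exe")` closes that gap. If this file is generated from the solution's query YAML, all three fixes belong there.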
@@ -8317,7 +8739,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]",
@@ -8331,18 +8753,18 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "Office Apps Launching Wscipt",
+ "displayName": "PowerShell Downloads",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents \n| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') \n| where FileName =~ \"wscript.exe\" and ProcessCommandLine has \".jse\" \n",
+ "query": "DeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\n| where ProcessCommandLine has \"Net.WebClient\"\n or ProcessCommandLine has \"DownloadFile\"\n or ProcessCommandLine has \"Invoke-WebRequest\"\n or ProcessCommandLine has \"Invoke-Shellcode\"\n or ProcessCommandLine has \"http\"\n or ProcessCommandLine has \"IEX\"\n or ProcessCommandLine has \"Start-BitsTransfer\"\n or ProcessCommandLine has \"mpcmdrun.exe\"\n| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine\n| top 100 by TimeGenerated\n",
 "version": 2,
 "tags": [
 {
 "name": "description",
- "value": "The query searches for Office applications launching wscript.exe to run a JSE file."
+ "value": "The query searches for PowerShell execution events that could involve a download."
 },
 {
 "name": "tactics",
- "value": "LateralMovement,Collection,CommandAndControl"
+ "value": "Execution"
 }
 ]
 }
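Review bot: `ProcessCommandLine has "http"` on the new `query` line is a whole-term match, so `https://` URLs are not matched and the most common download form is missed; `ProcessCommandLine has_any ("http", "https")` covers both (the `has "IEX"` term is fine on its own). The trailing `| top 100 by TimeGenerated` silently drops everything older than the 100 newest rows, which hides hits on a busy estate and is unusual for a hunting query where the analyst controls the time range; either remove it or state the cap in the description tag. `FileName in~ ("powershell.exe", "powershell_ise.exe")` also leaves out `pwsh.exe`, so PowerShell 7 downloads are never seen; adding it to the list closes that gap. If this template is generated from the solution's query YAML, the change belongs there.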
@@ -8383,7 +8805,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('huntingQueryObject24')._huntingQuerycontentId24]",
 "contentKind": "HuntingQuery",
- "displayName": "Office Apps Launching Wscipt",
+ "displayName": "PowerShell Downloads",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject24')._huntingQuerycontentId24,'-', '1.0.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject24')._huntingQuerycontentId24,'-', '1.0.0')))]",
 "version": "1.0.0"
@@ -8398,7 +8820,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.9",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]",
@@ -8412,14 +8834,14 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "eTag": "*",
- "displayName": "PowerShell Downloads",
+ "displayName": "Detect Suspicious Mshta Usage",
 "category": "Hunting Queries",
- "query": "DeviceProcessEvents\n| where TimeGenerated > ago(7d)\n| where FileName in~ (\"powershell.exe\", \"powershell_ise.exe\")\n| where ProcessCommandLine has \"Net.WebClient\"\n or ProcessCommandLine has \"DownloadFile\"\n or ProcessCommandLine has \"Invoke-WebRequest\"\n or ProcessCommandLine has \"Invoke-Shellcode\"\n or ProcessCommandLine has \"http\"\n or ProcessCommandLine has \"IEX\"\n or ProcessCommandLine has \"Start-BitsTransfer\"\n or ProcessCommandLine has \"mpcmdrun.exe\"\n| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine\n| top 100 by TimeGenerated\n",
+ "query": "// mshta.exe script launching processes\nDeviceProcessEvents \n| where Timestamp > ago(7d)\nand InitiatingProcessFileName =~ 'mshta.exe'\nand InitiatingProcessCommandLine contains '