From d6696e2d20f23b252450faae41c3151aa6d4e755 Mon Sep 17 00:00:00 2001 
From: Pouyan Khabazi
Date: Thu, 24 Sep 2020 22:05:32 +0200
Subject: [PATCH] !Deploy Release version 0.6.8 (#105)

* Release '0.6.2' (#31)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* cleaning up
* Release Update Incident function (#37)
* init release update incident function
* cleaning up
* updating
* updating incident function
* code cleanup
* Cleaning up and ready for release
* updating final docs folder
* Release Feature playbook configuration (#33)
* updating get alert and hunting rule function
* updated error handling
* Create Get-PlayBook.ps1
* init release for playbook
* cleaning up
* finishing playbook
* adding get alert rule action function
* releasing get logic app function
* release new- az sen alert action and some code update
* init release playbook function
* updated gitignore
* init release remove azsentinel action rule
* fixed compare issue
* Merge branch 'development' of github.com:wortell/AZSentinel into feature/playbook
* updating pester test result
* updating readme
* updating readme
* updated docs and pester test results
* restoring version
* Fix/smallconflicts (#40)
* updating docs
* updating examples
* updating pipeline
* fixing Subscription parameter for playbook (#43)
* fixing Subscription parameter for playbook (#45)
* Fix- Get-AzSentinelHuntingRule - Cannot validate argument on parameter "Property" (#50)
* fix hunting rule
* fixing hunting rule issue
* Fix - new-azsentinelalertrule playbook property (#49)
* fixing the if statement
* fixing the if statement
* Feature - get all incidents (#51)
* updating get incident
* updating get incident function and docs
* updating powershell-yaml
* updating importmodule error
* workaround
* removing powershell-yaml dependency
* fixing logicapp sas token (#52)
* Add support for day time periods (#61)
* Add missing dot to yml file extension (#59)
  The Import-AZSentinelAlertRule function is not able to import yml files due to a missing dot in the file extension.
* adding support for resource provider in set-azsentinel (#69)
* New function for enabling and disabling Alert rules (#71)
* init release enable and disable function
* adding empty test files
* updating return message
* New feature change the displayName of an alert (#68)
* Release Rename Alert rule function
* updating rename function
* Handle nextLink for Playbooks (#78)
  When retrieving playbooks, not all are being returned. Code copied from Issue #35 Retrieving all incidents.
* adding support for alert aggregation (#65)
* adding support for alert aggregation, classes created
* updating classes
* updated the class and created first rule with no error
* update class and made import function backwards compatible
* small changes
* tested with import method
* updating new function
* checking working code, starting cleanup
* updating documentation
* updating docs and cleaning up
* updating build errors
* change pester version
* updating pester version
* Update groupingConfiguration.ps1 (#87)
* Fix bug that causes loss of certain incident properties, add option to set incident description (#91)
* Feature - Adding support for all alert rule types (#90)
* init release
* updating docs
  Co-authored-by: Khabazi
* New Functionality to get alert rule templates provided by Microsoft (#94)
  Co-authored-by: Antonio Ramirez
* Update/get az sentinel alert rule templates (#95)
* updating Get-AzSentinelAlertRuleTemplates
* updated
  Co-authored-by: Khabazi
* Feature/add az sentinel incident comment (#96)
* updating Get-AzSentinelAlertRuleTemplates
* updated
* fixing playbook issue
* Add-AzSentinelIncidentComment
* release
  Co-authored-by: Khabazi
* fixing class error (#99)
* updating example files, including multi rule yaml file (#104)
* Fix - Get-AzSentinelAlertRuleAction doesn't return playbookName (#102)
* fixing return issue
* fixing playbook issue
* init release Get-AzSentinelDataConnector function (#103)
* Fix - get-azsentinelhuntingrule updated get and remove function (#106)
* fixing hunting rule get and remove issue
* cleaning up
* updating filters

Co-authored-by: pemontto <939704+pemontto@users.noreply.github.com>
Co-authored-by: NVolcz
Co-authored-by: stehod <34159548+stehod@users.noreply.github.com>
Co-authored-by: ThijsLecomte <42153270+ThijsLecomte@users.noreply.github.com>
Co-authored-by: Jonathan Holtmann
Co-authored-by: Khabazi
Co-authored-by: ramirezversion <34833071+ramirezversion@users.noreply.github.com>
Co-authored-by: Antonio Ramirez
---
 AzSentinel/AzSentinel.psd1                    |  3 +-
 AzSentinel/Public/Get-AzSentinelAlertRule.ps1 |  6 +-
 .../Public/Get-AzSentinelDataConnector.ps1    | 92 ++++++++++++++++++
 .../Public/Get-AzSentinelHuntingRule.ps1      | 27 +++---
 .../Public/Remove-AzSentinelHuntingRule.ps1   |  4 +-
 .../docs/Get-AzSentinelDataConnector.md       | 93 +++++++++++++++++++
 AzSentinel/docs/README.md                     |  1 +
 ...> Add-AzSentinelIncidentComment.tests.ps1} |  0
 .../Get-AzSentinelDataConnector.tests.ps1     |  0
 docs/Get-AzSentinelDataConnector.md           | 93 +++++++++++++++++++
 docs/README.md                                |  1 +
 examples/AlertRules.yaml                      | 84 +++++++++++++++++
 examples/SuspectApplicationConsent.yaml       |  2 +-
 13 files changed, 386 insertions(+), 20 deletions(-)
 create mode 100644 AzSentinel/Public/Get-AzSentinelDataConnector.ps1
 create mode 100644 AzSentinel/docs/Get-AzSentinelDataConnector.md
 rename AzSentinel/tests/Unit/public/{Add-AzSentinelIncidentComment.ps1 => Add-AzSentinelIncidentComment.tests.ps1} (100%)
 create mode 100644 AzSentinel/tests/Unit/public/Get-AzSentinelDataConnector.tests.ps1
 create mode 100644 docs/Get-AzSentinelDataConnector.md
 create mode 100644 examples/AlertRules.yaml

diff --git a/AzSentinel/AzSentinel.psd1 b/AzSentinel/AzSentinel.psd1
index 54b50f5..64b58ae 100644
--- a/AzSentinel/AzSentinel.psd1
+++ b/AzSentinel/AzSentinel.psd1
@@ -94,7 +94,8 @@ 'New-AzSentinelAlertRuleAction', 'Remove-AzSentinelAlertRuleAction', 'Get-AzSentinelAlertRuleTemplates', - 'Add-AzSentinelIncidentComment' + 'Add-AzSentinelIncidentComment', + 'Get-AzSentinelDataConnector' ) # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. diff --git a/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 b/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 index 2ef5c6e..4993e10 100644 --- a/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 +++ b/AzSentinel/Public/Get-AzSentinelAlertRule.ps1 @@ -62,7 +62,7 @@ function Get-AzSentinelAlertRule { } Get-LogAnalyticWorkspace @arguments - $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2019-01-01-preview" + $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01" Write-Verbose -Message "Using URI: $($uri)" try { @@ -82,7 +82,7 @@ function Get-AzSentinelAlertRule { [PSCustomObject]$temp = $alertRules.value | Where-Object { $_.properties.displayName -eq $rule } if ($null -ne $temp) { - $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0] + $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $temp.name if ($playbook) { $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1] @@ -140,7 +140,7 @@ function Get-AzSentinelAlertRule { } else { $alertRules.value | ForEach-Object { - $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId ($temp.name)[0] + $playbook = Get-AzSentinelAlertRuleAction @arguments -RuleId $_.name if ($playbook) { $playbookName = ($playbook.properties.logicAppResourceId).Split('/')[-1] diff --git a/AzSentinel/Public/Get-AzSentinelDataConnector.ps1 b/AzSentinel/Public/Get-AzSentinelDataConnector.ps1 new file mode 100644 index 0000000..50a0b5f --- /dev/null +++ b/AzSentinel/Public/Get-AzSentinelDataConnector.ps1 
@@ -0,0 +1,92 @@ +#requires -module @{ModuleName = 'Az.Accounts'; ModuleVersion = '1.5.2'} +#requires -version 6.2 + +function Get-AzSentinelDataConnector { + <# + .SYNOPSIS + Get Azure Sentinel Data connector + .DESCRIPTION + With this function you can get Azure Sentinel data connectors that are enabled on the workspace + .PARAMETER SubscriptionId + Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used + .PARAMETER WorkspaceName + Enter the Workspace name + .PARAMETER DataConnectorName + Enter the Connector ID + .EXAMPLE + Get-AzSentinelDataConnector -WorkspaceName "" + List all enabled dataconnector + .EXAMPLE + Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "","" + Get specific dataconnectors + #> + + param ( + [Parameter(Mandatory = $false, + ParameterSetName = "Sub")] + [ValidateNotNullOrEmpty()] + [string] $SubscriptionId, + + [Parameter(Mandatory)] + [ValidateNotNullOrEmpty()] + [string]$WorkspaceName, + + [Parameter(Mandatory = $false, + ValueFromPipeline)] + [ValidateNotNullOrEmpty()] + [string[]]$DataConnectorName + ) + + begin { + precheck + } + + process { + switch ($PsCmdlet.ParameterSetName) { + Sub { + $arguments = @{ + WorkspaceName = $WorkspaceName + SubscriptionId = $SubscriptionId + } + } + default { + $arguments = @{ + WorkspaceName = $WorkspaceName + } + } + } + Get-LogAnalyticWorkspace @arguments + + if ($DataConnectorName) { + $dataConnectors = @() + + foreach ($item in $DataConnectorName){ + + $uri = "$script:baseUri/providers/Microsoft.SecurityInsights/dataConnectors/$($item)?api-version=2020-01-01" + + try { + $result = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader + + $dataConnectors += $result + } + catch { + Write-Verbose $_ + Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop + } + } + return $dataConnectors + } + else { + $uri = 
"$script:baseUri/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2020-01-01" + + try { + $result = Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader + } + catch { + Write-Verbose $_ + Write-Error "Unable to get alert rules with error code: $($_.Exception.Message)" -ErrorAction Stop + } + return $result.value + } + } +} diff --git a/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1 index 8305000..eaf049c 100644 --- a/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1 +++ b/AzSentinel/Public/Get-AzSentinelHuntingRule.ps1 @@ -41,7 +41,7 @@ function Get-AzSentinelHuntingRule { [Parameter(Mandatory = $false, ValueFromPipeline)] - [ValidateNotNullOrEmpty()] + [validateset("Hunting Queries", "Log Management", "General Exploration")] [string]$Filter ) @@ -72,11 +72,10 @@ function Get-AzSentinelHuntingRule { try { if ($Filter) { - $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) | Where-Object $_.Category -eq $Filter + $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value | Where-Object { $_.properties.Category -eq $Filter } } else { - $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader) - + $huntingRules = (Invoke-RestMethod -Uri $uri -Method Get -Headers $script:authHeader).value } } catch { 
@@ -86,11 +85,13 @@ function Get-AzSentinelHuntingRule { $return = @() - if ($huntingRules.value) { - Write-Verbose "Found $($huntingRules.value.count) hunting rules" + if ($huntingRules) { + Write-Verbose "Found $($huntingRules.count) hunting rules" if ($RuleName.Count -ge 1) { foreach ($rule in $RuleName) { - [PSCustomObject]$temp = $huntingRules.value | Where-Object { $_.displayName -eq $rule } + $temp = @() + [PSCustomObject]$temp = $huntingRules | Where-Object { ($_.properties).DisplayName -eq $rule } + if ($null -ne $temp) { $temp.properties | Add-Member -NotePropertyName name -NotePropertyValue $temp.name -Force $temp.properties | Add-Member -NotePropertyName id -NotePropertyValue $temp.id -Force @@ -98,23 +99,23 @@ function Get-AzSentinelHuntingRule { $return += $temp.Properties } - else { - Write-Warning "Unable to find hunting rule: $rule" - } } return $return } else { - $huntingRules.value | ForEach-Object { + $huntingRules | ForEach-Object { + $_.properties | Add-Member -NotePropertyName name -NotePropertyValue $_.name -Force $_.properties | Add-Member -NotePropertyName id -NotePropertyValue $_.id -Force $_.properties | Add-Member -NotePropertyName etag -NotePropertyValue $_.etag -Force - return $_.properties + + $return += $_.properties } + return $return } } else { - Write-Warning "No hunting rules found on $($WorkspaceName)" + Write-Verbose "No hunting rules found on $($WorkspaceName)" } } } diff --git a/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1 b/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1 index 3549ee7..d2ed182 100644 --- a/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1 +++ b/AzSentinel/Public/Remove-AzSentinelHuntingRule.ps1 
@@ -64,7 +64,7 @@ function Remove-AzSentinelHuntingRule { if ($RuleName) { # remove defined rules foreach ($rule in $RuleName) { - $item = Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' -RuleName $rule + $item = Get-AzSentinelHuntingRule @arguments -RuleName $rule if ($item) { $uri = "$script:baseUri/savedSearches/$($item.name)?api-version=2017-04-26-preview" @@ -90,7 +90,7 @@ function Remove-AzSentinelHuntingRule { } else { Write-Warning "No hunting rule selected, All hunting rules will be removed one by one!" - Get-AzSentinelHuntingRule @arguments -Filter 'HuntingQueries' | ForEach-Object { + Get-AzSentinelHuntingRule @arguments -Filter "Hunting Queries" | ForEach-Object { $uri = "$script:baseUri/savedSearches/$($_.name)?api-version=2017-04-26-preview" if ($PSCmdlet.ShouldProcess("Do you want to remove: $($_.displayName)")) { try { diff --git a/AzSentinel/docs/Get-AzSentinelDataConnector.md b/AzSentinel/docs/Get-AzSentinelDataConnector.md new file mode 100644 index 0000000..3dc6517 --- /dev/null +++ b/AzSentinel/docs/Get-AzSentinelDataConnector.md 
@@ -0,0 +1,93 @@ +--- +external help file: AzSentinel-help.xml +Module Name: AzSentinel +online version: +schema: 2.0.0 +--- + +# Get-AzSentinelDataConnector + +## SYNOPSIS +Get Azure Sentinel Data connector + +## SYNTAX + +``` +Get-AzSentinelDataConnector [-SubscriptionId ] -WorkspaceName [-DataConnectorName ] + [] +``` + +## DESCRIPTION +With this function you can get Azure Sentinel data connectors that are enabled on the workspace + +## EXAMPLES + +### EXAMPLE 1 +``` +Get-AzSentinelDataConnector -WorkspaceName "" +List all enabled dataconnector +``` + +### EXAMPLE 2 +``` +Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "","" +Get specific dataconnectors +``` + +## PARAMETERS + +### -SubscriptionId +Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +Enter the Workspace name + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataConnectorName +Enter the Connector ID + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS diff --git a/AzSentinel/docs/README.md b/AzSentinel/docs/README.md index 546131e..7c56fa5 100644 
--- a/AzSentinel/docs/README.md +++ b/AzSentinel/docs/README.md @@ -19,3 +19,4 @@ 17. [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) 18. [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md) 19. [Get-AzSentinelAlertRuleTemplates](Get-AzSentinelAlertRuleTemplates.md) +20. [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md) diff --git a/AzSentinel/tests/Unit/public/Add-AzSentinelIncidentComment.ps1 b/AzSentinel/tests/Unit/public/Add-AzSentinelIncidentComment.tests.ps1 similarity index 100% rename from AzSentinel/tests/Unit/public/Add-AzSentinelIncidentComment.ps1 rename to AzSentinel/tests/Unit/public/Add-AzSentinelIncidentComment.tests.ps1 diff --git a/AzSentinel/tests/Unit/public/Get-AzSentinelDataConnector.tests.ps1 b/AzSentinel/tests/Unit/public/Get-AzSentinelDataConnector.tests.ps1 new file mode 100644 index 0000000..e69de29 diff --git a/docs/Get-AzSentinelDataConnector.md b/docs/Get-AzSentinelDataConnector.md new file mode 100644 index 0000000..3dc6517 --- /dev/null +++ b/docs/Get-AzSentinelDataConnector.md 
@@ -0,0 +1,93 @@ +--- +external help file: AzSentinel-help.xml +Module Name: AzSentinel +online version: +schema: 2.0.0 +--- + +# Get-AzSentinelDataConnector + +## SYNOPSIS +Get Azure Sentinel Data connector + +## SYNTAX + +``` +Get-AzSentinelDataConnector [-SubscriptionId ] -WorkspaceName [-DataConnectorName ] + [] +``` + +## DESCRIPTION +With this function you can get Azure Sentinel data connectors that are enabled on the workspace + +## EXAMPLES + +### EXAMPLE 1 +``` +Get-AzSentinelDataConnector -WorkspaceName "" +List all enabled dataconnector +``` + +### EXAMPLE 2 +``` +Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "","" +Get specific dataconnectors +``` + +## PARAMETERS + +### -SubscriptionId +Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WorkspaceName +Enter the Workspace name + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DataConnectorName +Enter the Connector ID + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### CommonParameters +This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216). + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS diff --git a/docs/README.md b/docs/README.md index 546131e..7c56fa5 100644 --- a/docs/README.md 
+++ b/docs/README.md @@ -19,3 +19,4 @@ 17. [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md) 18. [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md) 19. [Get-AzSentinelAlertRuleTemplates](Get-AzSentinelAlertRuleTemplates.md) +20. [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md) diff --git a/examples/AlertRules.yaml b/examples/AlertRules.yaml new file mode 100644 index 0000000..aab69f9 --- /dev/null +++ b/examples/AlertRules.yaml 
@@ -0,0 +1,84 @@ +Scheduled: + - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee + displayname: Suspect Application Consent + description: | + This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. + This could indicate that permissions to access the listed Azure App were provided to a malicious actor. + Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. + This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth + For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities + severity: High + requiredDataConnectors: + - connectorId: AzureActiveDirectory + dataTypes: + - AuditLogs + queryFrequency: 2H + queryPeriod: 7H + triggerOperator: GreaterThan + triggerThreshold: 3 + tactics: + - Persistence + - LateralMovement + - Collection + playbookName: Playbook01 + query: | + + AzureActivity + | where TimeGenerated >= startofday(ago(7d)) + | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" + | where ActivityStatus == "Succeeded" + | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller + | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) + | where Slope > 0.2 + | join kind=leftsemi ( + // Last day's activity is anomalous + AzureActivity + | where TimeGenerated >= startofday(ago(1d)) + | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" + | where ActivityStatus == "Succeeded" + | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(1d)), now(), 1d) by Caller + | extend 
(RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) + | where Slope >0.2 + ) on Caller + + - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee + displayname: Suspect Application Consent 02 + description: | + This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. + This could indicate that permissions to access the listed Azure App were provided to a malicious actor. + Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. + This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth + For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities + severity: High + requiredDataConnectors: + - connectorId: AzureActiveDirectory + dataTypes: + - AuditLogs + queryFrequency: 2H + queryPeriod: 7H + triggerOperator: GreaterThan + triggerThreshold: 3 + tactics: + - Persistence + - LateralMovement + - Collection + playbookName: Playbook01 + query: | + + AzureActivity + | where TimeGenerated >= startofday(ago(7d)) + | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" + | where ActivityStatus == "Succeeded" + | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller + | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) + | where Slope > 0.2 + | join kind=leftsemi ( + // Last day's activity is anomalous + AzureActivity + | where TimeGenerated >= startofday(ago(1d)) + | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" + | where ActivityStatus == "Succeeded" + | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in 
range(startofday(ago(1d)), now(), 1d) by Caller + | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) + | where Slope >0.2 + ) on Caller diff --git a/examples/SuspectApplicationConsent.yaml b/examples/SuspectApplicationConsent.yaml index a7ebbad..44cde9e 100644 --- a/examples/SuspectApplicationConsent.yaml +++ b/examples/SuspectApplicationConsent.yaml @@ -1,5 +1,5 @@ id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee -name: Suspect Application Consent +displayName: Suspect Application Consent description: | This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. This could indicate that permissions to access the listed Azure App were provided to a malicious actor.
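Review bot: In the @@ -140,7 +140,7 @@ hunk of Get-AzSentinelAlertRule.ps1, `-RuleId $_.name` replaces `-RuleId ($temp.name)[0]`, which referenced a variable that is only assigned in the named-rule branch above, so the list-all path looked up playbook actions for whichever rule `$temp` last held (or `$null`) on every iteration; this fix deserves a Pester case that lists two rules and asserts each one's playbookName, since the only test file added in this patch is empty. The api-version change from 2019-01-01-preview to 2020-01-01 in the @@ -62,7 +62,7 @@ hunk moves this GET to the stable contract; verify on a workspace that contains non-Scheduled rule kinds that the listing still returns them, because the "Adding support for all alert rule types (#90)" item in the commit message depends on this call.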
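Review bot: In the new Get-AzSentinelDataConnector.ps1, `$item` is interpolated straight into the request path in `$uri = "$script:baseUri/providers/Microsoft.SecurityInsights/dataConnectors/$($item)?api-version=2020-01-01"`; the help text says the parameter is the connector ID, so validate it as one (for example `[ValidatePattern('^[0-9a-fA-F-]{36}$')]` on `$DataConnectorName`, or at minimum `[uri]::EscapeDataString($item)`), so that a value containing `/` or `?` cannot steer the call, and the bearer token in `$script:authHeader`, to a different resource path or append query parameters. Both catch blocks report "Unable to get alert rules with error code: $($_.Exception.Message)", copied from the alert-rule function; say "data connector" and include `$item` in the per-connector case. In that loop `-ErrorAction Stop` on the first missing connector also discards everything already collected in `$dataConnectors`; a non-terminating Write-Error followed by `continue` would still return the connectors that were found. Finally, `Get-LogAnalyticWorkspace @arguments` sits in `process`, so with names arriving from the pipeline it runs once per item; moving the workspace resolution to `begin` avoids repeating it.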
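Review bot: In the @@ -86,11 +85,13 @@ hunk of Get-AzSentinelHuntingRule.ps1, deleting `else { Write-Warning "Unable to find hunting rule: $rule" }` removes the only feedback a caller gets when a requested name does not exist; Remove-AzSentinelHuntingRule's `if ($item)` then skips it silently, so a typo in -RuleName now looks like success. Keep the warning (or Write-Verbose if quieter output was the goal), and reconsider the same downgrade of "No hunting rules found on $($WorkspaceName)" from Write-Warning to Write-Verbose. The added `$temp = @()` is dead code, since the next line reassigns `[PSCustomObject]$temp = ...`. Lastly, when two saved searches share a displayName the Where-Object returns an array, and `-NotePropertyValue $temp.name` then stamps an array of names onto every element; select the first match or warn on the ambiguity, because `$item.name` feeds the DELETE URI in Remove-AzSentinelHuntingRule.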
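Review bot: In the @@ -64,7 +64,7 @@ hunk of Remove-AzSentinelHuntingRule.ps1, dropping the filter from `$item = Get-AzSentinelHuntingRule @arguments -RuleName $rule` widens the lookup from hunting queries to every saved search in the workspace: the Get function's new ValidateSet shows that "Log Management" and "General Exploration" searches come back from the same savedSearches endpoint, so `Remove-AzSentinelHuntingRule -RuleName X` can now delete an unrelated saved search whose displayName happens to match. Keep the category restriction here with the corrected literal, `-Filter "Hunting Queries"`, as the @@ -90,7 +90,7 @@ hunk does for the remove-all path, or check `$item.Category` before sending the DELETE. Note that the old literal `'HuntingQueries'` would now fail the ValidateSet, so the change in the second hunk is required rather than cosmetic.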
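Review bot: The help added as AzSentinel/docs/Get-AzSentinelDataConnector.md and docs/Get-AzSentinelDataConnector.md is the same blob (index 3dc6517) committed twice, and the two README.md hunks are identical as well; generate one location from the other in the build so they do not drift. In both copies -SubscriptionId shows `Parameter Sets: (All)` although the function declares it with `ParameterSetName = "Sub"`, so the markdown is out of sync with the parameter definition and should be regenerated from the comment-based help; the examples also pass `-WorkspaceName ""` and `-DataConnectorName "",""`, where a workspace name and a connector ID placeholder would show the expected input. The rename to Add-AzSentinelIncidentComment.tests.ps1 is correct (Pester only discovers *.tests.ps1 files), but Get-AzSentinelDataConnector.tests.ps1 is added empty (index 0000000..e69de29), so the new function ships without a test; a minimal case that mocks Invoke-RestMethod and asserts on the returned `.value` and on the per-name URI would cover both code paths.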
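Review bot: In the new examples/AlertRules.yaml both Scheduled entries carry `id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee`, the same id examples/SuspectApplicationConsent.yaml uses; anything that keys rules on id will treat them as one rule and the second import overwrites the first, so give each entry its own GUID. The rule metadata and the query also disagree: displayname, description and `requiredDataConnectors: - connectorId: AzureActiveDirectory` describe an AuditLogs "Consent to application" detection, while the `query:` block runs against `AzureActivity` looking for VM create/deploy anomalies per Caller; pick one and make the description and required connector match it. `queryPeriod: 7H` is also shorter than the `ago(7d)` baseline the query needs (the rule's lookback bounds the data the query can see), so use a day-based period as the "Add support for day time periods (#61)" entry in the commit message allows. Finally, this file spells the key `displayname` while the examples/SuspectApplicationConsent.yaml hunk in the same patch renames `name` to `displayName`; settle on the casing the importer reads.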