XDR SIEM Content includes the following:

  1. Parsers & Schemas
  2. Detection Rules
  3. Workbooks
  4. Playbooks
  5. Watchlists
  6. Threat Hunting
  7. Automation Rules

...

To keep content consistent and centrally managed, deploy it using infrastructure as code (IaC) methods.

...

Note: Some content, such as schemas, parsers and standard workbooks, is deployed by default in every infrastructure.

...

Detection Rules & Rule Packs

...

You can deploy rules either by listing individual rule names or by adding a rule pack name in the configuration file at the file path below, and then running the update environment script.

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-rules/config.tpl.hcl

Add the rule packs and rules you want to deploy, as in the following example:

inputs = {

  # For pre-packed rule sets for any log source, use rule_packs.
  rule_packs = [
    "windows/windows-sysmon-pack",
  ]

  # For individual rules, add rule paths from the content directory.
  additional_rules = [
    "ioc/security/sysmon/a-variant-of-data-stealer-trojan-activity",
    "ioc/security/sysmon/apt-29-phishing-campaigns",
  ]

  # To exclude a rule from deployment, add its rule path from the content directory.
  exclude_rules = [
    "ioc/application/powershell/suspicious-powershell-zipping-activity",
  ]
}


To add any custom detection rules to your environment refer to Deploying custom rules.
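As an added example (not part of the repository's tooling), the following Python resolves the rule set that a rule_packs / additional_rules / exclude_rules configuration like the one above produces and flags the mistakes a review should catch before the update environment script runs; the pack contents and the exclusion semantics are assumptions, marked in the code.

```python
"""Resolve which detection rules a config.tpl.hcl `inputs` block deploys.

Added example, not code from the XDR SIEM content repository. It assumes the
documented semantics: rule_packs and additional_rules both select rules, and
exclude_rules removes a rule from the final set whichever list supplied it.
The pack contents below are constructed; real packs live in the content
directory of infrastructure-modules.
"""
from typing import Dict, List, Set, Tuple

# Constructed pack contents (hypothetical): pack name -> rule paths.
RULE_PACKS: Dict[str, List[str]] = {
    "windows/windows-sysmon-pack": [
        "ioc/application/powershell/suspicious-powershell-zipping-activity",
        "ioc/security/sysmon/example-sysmon-rule",  # constructed rule name
    ],
}


def resolve_rules(
    rule_packs: List[str],
    additional_rules: List[str],
    exclude_rules: List[str],
    packs: Dict[str, List[str]] = RULE_PACKS,
) -> Tuple[Set[str], List[str]]:
    """Return (rules that will be deployed, review warnings).

    Warnings catch mistakes a config review should stop: an unknown pack
    name, a rule that is both added and excluded, and an exclusion that
    matches nothing (usually a mistyped rule path).
    """
    warnings: List[str] = []
    selected: Set[str] = set()
    for pack in rule_packs:
        if pack not in packs:
            warnings.append(f"unknown rule pack: {pack}")
            continue
        selected.update(packs[pack])
    selected.update(additional_rules)
    for rule in exclude_rules:
        if rule in additional_rules:
            warnings.append(f"rule both added and excluded: {rule}")
        elif rule not in selected:
            warnings.append(f"exclusion matches no selected rule: {rule}")
        selected.discard(rule)
    return selected, warnings


if __name__ == "__main__":  # the pack and exclusion from the config example above
    print(resolve_rules(["windows/windows-sysmon-pack"],
                        ["ioc/security/sysmon/apt-29-phishing-campaigns"],
                        ["ioc/application/powershell/suspicious-powershell-zipping-activity"]))
```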

ML Behavior Rules

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-rules/config.tpl.hcl

There are currently 2 Machine Learning Behavior Analytics rules available for deployment (with their respective GUIDs in brackets):

  1. Anomalous RDP Login Detections (737a2ce1-70a3-4968-9e90-3e6aca836abf)
  2. Anomalous SSH Login Detection (fa118b98-de46-4e94-87f9-8e6d5060b60b)

We utilize the rule’s GUID for deployment via terraform.

  1. Open config.hcl and find the machine_learning_behavior_rules field.
  2. Add the GUIDs of the Sentinel Machine Learning Behavior Analytics rules you would like to deploy to the array:

inputs = {
  # Adds Sentinel Machine Learning Behavior Analytics alert rules.
  # We select these ML behaviour rules based on the gallery content's GUID.
  # Leaving the array empty or omitting the machine_learning_behavior_rules array deploys no ML behavior rules.
  machine_learning_behavior_rules = [
    "737a2ce1-70a3-4968-9e90-3e6aca836abf",
    "fa118b98-de46-4e94-87f9-8e6d5060b60b"
  ]
}


Fusion Detection Rules

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-rules/config.tpl.hcl

Fusion rules are enabled via the detection rule Advanced multistage attack detection.

  1. Open config.hcl and find the fusion_rule field.
  2. Set fusion_rule = true:

inputs = {
  # Setting the fusion_rule flag to true deploys and enables Fusion via the Advanced multistage attack detection rule in Microsoft Sentinel.
  # Leaving this flag out or setting it to false results in the rule not being deployed.
  fusion_rule = true
}

If you would like to disable the rule, either set the flag to false or comment out the line.


For more information about Fusion rules, refer to Advanced multistage attack detection in Microsoft Sentinel.

...

There are 2 types of workbooks:

  • Default workbooks are available for all customers.
  • Custom workbooks are specific to a single environment.

There are 4 default workbooks that are deployed initially with an XDR and MDR deployment:

  1. Ingestion Monitoring - Provides log ingestion information.
  2. SOC Report - Provides SOC metrics such as incident information, MTTA, etc.
  3. Security Monitoring - Provides information on critical entities, malicious traffic, detections, etc.
  4. XDR Updates - Provides information on the latest content added or updated.

Default Workbooks

Default workbooks reside in infrastructure-modules/content/workbooks. To enable them, edit the file config.hcl (found in the file path below) and add the workbook to the default_workbooks array. For example:

  default_workbooks = [
    "Ingestion-Monitoring",
    "Security-Monitoring",
    "SOC-Report",
    "XDR-Updates",
  ]

...

To enable them, edit the file config.hcl (found in the file path below) and add the workbooks to the custom_workbooks array. For example:

  custom_workbooks = [
      "Sample-Workbook",
  ]

Then run the update environment script.

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-workbooks/

...

The incident notification playbook is deployed by default during initial deployment.

There are 2 types of playbooks:

  • Default playbooks are available for all customers.
  • Custom playbooks are specific to a single environment.

Default Playbooks

Default playbooks reside in infrastructure-modules/content/playbooks. To enable them, edit the file config.hcl (found in the file path below) and add the playbook basename (without the extension and without the directory path) to the default_playbooks array. For example:

  default_playbooks = [
    "Block-AADUser",
  ]

...

Default playbooks need certain post-deployment prerequisite permissions in order to execute.

Playbook                 | Auth           | Permission
-------------------------|----------------|-------------------------------------------------------------------------------
Block-AADUser            | Sign In, Basic | User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Isolate-MDEMachine       | Sign In        | Machine.Isolate
Restrict-MDEAppExecution | Sign In        | Machine.RestrictExecution
Restrict-MDEDomain       | Basic          | Ti.ReadWrite
Restrict-MDEFileHash     | Basic          | Ti.ReadWrite
Restrict-MDEIpAddress    | Basic          | Ti.ReadWrite
Restrict-MDEUrl          | Basic          | Ti.ReadWrite
Run-MDEAntivirus         | Sign In        | Machine.Scan, Machine.Read.All, Machine.ReadWrite.All
Unisolate-MDEMachine     | Sign In        | Machine.Isolate

For Basic Auth:

  1. Open the Logic App corresponding to the playbook.
  2. In steps performing HTTP calls, go to the Authentication section.
  3. Add the username and password.
  4. Save your changes.

For Sign In Auth:

  1. Open the Logic App corresponding to the playbook.
  2. In steps performing actions on MDE, click Change Connection at the bottom.
  3. Add a new connection and click Sign In.
  4. Save your changes.

Custom Playbooks

For additional custom playbooks, export the ARM template JSON file of your Logic App from the Azure portal and place it in the custom-playbooks directory (you may need to create this) in the file path below.

...

To enable them, edit the file config.hcl (found in the file path below) and add the playbook basename (without the extension and without the directory path) to the custom_playbooks array. For example:

  custom_playbooks = [
    "a-custom-playbook"
  ]

Then run the update environment script.

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-playbooks/

Reference doc: Using Playbooks in Sentinel

...

Watchlist

...


There are 2 types of watchlists:

  • Default watchlists are available for all customers.
  • Custom watchlists are specific to a single environment.

Default Watchlists

Default watchlists reside in infrastructure-modules/content/watchlist. To enable them, edit the file config.hcl (found in the file path below) and add the watchlist to the default_watchlists array. You may choose the watchlist's name and description, but you must take the watchlist_item_search_key and watchlist_item_properties_file from the respective CSV in infrastructure-modules/content/watchlist. For example:

  default_watchlists = [
    {
      watchlist_name = "SecurityIdCorrelation"
      watchlist_description = "The Identity Correlation watchlist lists related user accounts that belong to the same person."
      watchlist_item_search_key = "Email"
      watchlist_item_properties_file = "SecurityIdentityCorrelation.csv"
    },
  ]

...

To enable them, edit the file config.hcl (found in the file path below) and add the watchlist to the custom_watchlists array. For example:

  custom_watchlists = [
    {
      watchlist_name = "SecurityIdCorrelation"
      watchlist_description = "The Identity Correlation watchlist lists related user accounts that belong to the same person."
      watchlist_item_search_key = "Email"
      watchlist_item_properties_file = "SecurityIdentityCorrelation.csv"
    },
  ]

Then run the update environment script.
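Both the default and the custom watchlist definitions above depend on watchlist_item_search_key naming a real column of the properties CSV. The following Python pre-deployment check is an added example, not part of the repository's tooling; the CSV content is constructed, and the empty/duplicate checks on the search key column are a suggested practice, not a requirement stated on this page.

```python
"""Check a watchlist definition against its properties CSV before deployment.

Added example, not code from the XDR SIEM content repository. It verifies what
the text requires, that watchlist_item_search_key names a column of
watchlist_item_properties_file, and additionally (an assumption about good
practice, not a deployment requirement) reports empty and duplicate values in
that column, since they make correlation lookups fail or return several rows.
The CSV below is constructed sample data, not the repository's file.
"""
import csv
import io
from typing import Dict, List

# Constructed stand-in for SecurityIdentityCorrelation.csv.
SAMPLE_CSV = """Email,UPN,SamAccountName
alice@example.com,alice@example.com,alice
bob@example.com,bob@example.com,bob
alice@example.com,alice.admin@example.com,alice-adm
,carol@example.com,carol
"""

WATCHLIST: Dict[str, str] = {  # the default_watchlists entry shown on this page
    "watchlist_name": "SecurityIdCorrelation",
    "watchlist_item_search_key": "Email",
    "watchlist_item_properties_file": "SecurityIdentityCorrelation.csv",
}


def check_watchlist(config: Dict[str, str], csv_text: str) -> List[str]:
    """Return findings prefixed 'error:' or 'warning:'; no errors means deployable."""
    findings: List[str] = []
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    key = config["watchlist_item_search_key"]
    if key not in headers:
        findings.append(f"error: search key {key!r} is not a column; columns are {headers}")
        return findings
    seen: Dict[str, int] = {}
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        value = (row.get(key) or "").strip()
        if not value:
            findings.append(f"error: line {line_no}: empty {key}")
        elif value in seen:
            findings.append(f"warning: line {line_no}: duplicate {key} {value!r} "
                            f"(first seen on line {seen[value]})")
        else:
            seen[value] = line_no
    return findings
```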

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-watchlists/

...

A few default hunting queries are available in the infrastructure-modules/azure/content/rules/threat-hunting directory.

To deploy additional custom threat hunting queries, refer to the sample hunting queries in the infrastructure-modules/azure/content/rules/threat-hunting directory and follow their YAML format to construct your own. Place the hunting query's YAML file in the custom-threat-hunting-queries directory in the file path below and run the update environment script. The deployment uses the attributes name, query, techniques and tactics.

To enable a default hunting query, edit the file config.hcl (found in the file path below) and add the path to the YAML file to the default_threat_hunting_queries array. For default hunting queries, the path is relative to infrastructure-modules/azure/content/rules/threat-hunting. For example:

  default_threat_hunting_queries = [
    "linux/account-manipulation-ssh-authorized-keys-on-linux-via-file-creation.yaml",
    "firewall/port-scan.yaml",
    "application/powershell/dismount-virtual-hard-drive-file-via-powershell.yaml",
  ]

...

To enable a custom hunting query, edit the file config.hcl (found in the file path below) and add the YAML file to the custom_threat_hunting_queries array. For custom hunting queries, the path is relative to the custom-threat-hunting-queries directory. For example:

  custom_threat_hunting_queries = [
    "custom-hunting-query.yaml",
  ]

For more information, refer to the comments in config.hcl.

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-threat-hunting/

...

Default automation rules are available in the infrastructure-modules/azure/content/automation-rules directory.

To deploy additional custom automation rules, refer to the sample automation rules in the infrastructure-modules/azure/content/automation-rules directory and construct your own in JSON format. Place the JSON file in the custom-automation-rules directory in the file path below and run the update environment script.

To enable a default automation rule, edit the file config.hcl (found in the file path below) and add the path to the JSON file to the default_automation_rules array. For default automation rules, the path is relative to infrastructure-modules/azure/content/automation-rules. For example:

  default_automation_rules = [
    "Default-Automation-Rule",
  ]

To enable a custom automation rule, edit the file config.hcl (found in the file path below) and add the JSON file to the custom_automation_rules array. For custom automation rules, the path is relative to the custom-automation-rules directory. For example:

  custom_automation_rules = [
    "Custom-Automation-Rule",
  ]

...

For more information, refer to the comments in config.hcl. To design automation rules, refer to the Terraform documentation for the supported options and features: Automation rules - azurerm_sentinel_automation_rule.

File Path

infrastructure-live/azure/.template/resource-groups/security-log-analytics/services/sentinel-automation-rule/

...