![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\")
",
"Description": "The rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse",
@@ -15,7 +15,7 @@
"Analytic Rules/UserImpersonateByRiskyUser.yaml"
],
"Metadata": "SolutionMetadata.json",
- "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Multi Cloud Attack Coverage Essentials - Resource Abuse",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1PConnector": false,
diff --git a/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/3.0.0.zip b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/3.0.0.zip
new file mode 100644
index 00000000000..3b8c41c30dd
Binary files /dev/null and b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/3.0.0.zip differ
diff --git a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/createUiDefinition.json b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/createUiDefinition.json
similarity index 74%
rename from Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/createUiDefinition.json
rename to Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/createUiDefinition.json
index ec2b26023b2..94dc3f88f6a 100644
--- a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/createUiDefinition.json
+++ b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials-Resource%20Abuse/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Multi%20Cloud%20Attack%20Coverage%20Essentials%20-%20Resource%20Abuse/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.\n\n **Pre-requisites:**\n\n This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Cv-sudkharat%40microsoft.com%7C8ec0502d0fb449debbc108dbe9849194%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638360527889561785%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=XyqFj%2FfDBffyAPs4haVuOLs0g3vFY6jt%2B8pe%2F9gk0%2B0%3D&reserved=0) and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution. \n\n[Microsoft Defender XDR](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoft365defenderazure-sentinel-solution-microsoft365defender)\n\n [Microsoft Entra ID](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-azureactivedirectoryazure-sentinel-solution-azureactivedirectory)\r\r\n[Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices)\n\n[Google Cloud Platform IAM](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpiamazure-sentinel-solution-gcpiam)\n\n \n\n[Google Cloud Platform Audit Logs](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-gcpauditlogs-apiazure-sentinel-solution-gcpauditlogs-api) \n\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption\n\n**Keywords:** Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse\n\n**Analytic Rules:** 9\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
diff --git a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/mainTemplate.json b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/mainTemplate.json
similarity index 81%
rename from Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/mainTemplate.json
rename to Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/mainTemplate.json
index 2598bd1d724..5ebab0eaabe 100644
--- a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/mainTemplate.json
+++ b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Package/mainTemplate.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"metadata": {
"author": "Microsoft - support@microsoft.com",
- "comments": "Solution template for Multi Cloud Attack Coverage Essentials-Resource Abuse"
+ "comments": "Solution template for Multi Cloud Attack Coverage Essentials - Resource Abuse"
},
"parameters": {
"location": {
@@ -32,64 +32,73 @@
"variables": {
"email": "support@microsoft.com",
"_email": "[variables('email')]",
- "_solutionName": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "_solutionName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"_solutionVersion": "3.0.0",
"solutionId": "azuresentinel.azure-sentinel-solution-multicloudattackcoverage",
"_solutionId": "[variables('solutionId')]",
- "analyticRuleVersion1": "1.0.0",
- "analyticRulecontentId1": "1f40ed57-f54b-462f-906a-ac3a89cc90d4",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.0",
- "analyticRulecontentId2": "5c847e47-0a07-4c01-ab99-5817ad6cb11e",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.0",
- "analyticRulecontentId3": "58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.1",
- "analyticRulecontentId4": "122fbc6a-57ab-4aa7-b9a9-51ac4970cac1",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.0.0",
- "analyticRulecontentId5": "188db479-d50a-4a9c-a041-644bae347d1f",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "1.0.0",
- "analyticRulecontentId6": "b51fe620-62ad-4ed2-9d40-5c97c0a8231f",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.0.2",
- "analyticRulecontentId7": "60f31001-018a-42bf-8045-a92e1f361b7b",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.0.0",
- "analyticRulecontentId8": "11c3d541-5fa5-49df-8218-d1c98584473b",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.0.1",
- "analyticRulecontentId9": "f4a28082-2808-4783-9736-33c1ae117475",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "1.0.0",
+ "_analyticRulecontentId1": "1f40ed57-f54b-462f-906a-ac3a89cc90d4",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1f40ed57-f54b-462f-906a-ac3a89cc90d4')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1f40ed57-f54b-462f-906a-ac3a89cc90d4')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1f40ed57-f54b-462f-906a-ac3a89cc90d4','-', '1.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "1.0.0",
+ "_analyticRulecontentId2": "5c847e47-0a07-4c01-ab99-5817ad6cb11e",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5c847e47-0a07-4c01-ab99-5817ad6cb11e')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5c847e47-0a07-4c01-ab99-5817ad6cb11e')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c847e47-0a07-4c01-ab99-5817ad6cb11e','-', '1.0.0')))]"
+ },
+ "analyticRuleObject3": {
+ "analyticRuleVersion3": "1.0.0",
+ "_analyticRulecontentId3": "58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7')]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7')))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7','-', '1.0.0')))]"
+ },
+ "analyticRuleObject4": {
+ "analyticRuleVersion4": "1.0.1",
+ "_analyticRulecontentId4": "122fbc6a-57ab-4aa7-b9a9-51ac4970cac1",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '122fbc6a-57ab-4aa7-b9a9-51ac4970cac1')]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('122fbc6a-57ab-4aa7-b9a9-51ac4970cac1')))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','122fbc6a-57ab-4aa7-b9a9-51ac4970cac1','-', '1.0.1')))]"
+ },
+ "analyticRuleObject5": {
+ "analyticRuleVersion5": "1.0.0",
+ "_analyticRulecontentId5": "188db479-d50a-4a9c-a041-644bae347d1f",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '188db479-d50a-4a9c-a041-644bae347d1f')]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('188db479-d50a-4a9c-a041-644bae347d1f')))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','188db479-d50a-4a9c-a041-644bae347d1f','-', '1.0.0')))]"
+ },
+ "analyticRuleObject6": {
+ "analyticRuleVersion6": "1.0.0",
+ "_analyticRulecontentId6": "b51fe620-62ad-4ed2-9d40-5c97c0a8231f",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b51fe620-62ad-4ed2-9d40-5c97c0a8231f')]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b51fe620-62ad-4ed2-9d40-5c97c0a8231f')))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b51fe620-62ad-4ed2-9d40-5c97c0a8231f','-', '1.0.0')))]"
+ },
+ "analyticRuleObject7": {
+ "analyticRuleVersion7": "1.0.2",
+ "_analyticRulecontentId7": "60f31001-018a-42bf-8045-a92e1f361b7b",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '60f31001-018a-42bf-8045-a92e1f361b7b')]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('60f31001-018a-42bf-8045-a92e1f361b7b')))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','60f31001-018a-42bf-8045-a92e1f361b7b','-', '1.0.2')))]"
+ },
+ "analyticRuleObject8": {
+ "analyticRuleVersion8": "1.0.0",
+ "_analyticRulecontentId8": "11c3d541-5fa5-49df-8218-d1c98584473b",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11c3d541-5fa5-49df-8218-d1c98584473b')]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11c3d541-5fa5-49df-8218-d1c98584473b')))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11c3d541-5fa5-49df-8218-d1c98584473b','-', '1.0.0')))]"
+ },
+ "analyticRuleObject9": {
+ "analyticRuleVersion9": "1.0.1",
+ "_analyticRulecontentId9": "f4a28082-2808-4783-9736-33c1ae117475",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f4a28082-2808-4783-9736-33c1ae117475')]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f4a28082-2808-4783-9736-33c1ae117475')))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f4a28082-2808-4783-9736-33c1ae117475','-', '1.0.1')))]"
+ },
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
"SystemAlertId": "SystemAlertId",
"_SystemAlertId": "[variables('SystemAlertId')]",
@@ -104,7 +113,7 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -113,13 +122,13 @@
"description": "BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -170,6 +179,7 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -179,40 +189,39 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
- "AwsUser": "UserIdentityUserName",
- "AzureUser": "UserPrincipalName",
"UserAgent": "UserAgent",
- "AzureClientAppUsed": "ClientAppUsed"
+ "AzureClientAppUsed": "ClientAppUsed",
+ "AzureUser": "UserPrincipalName",
+ "AwsUser": "UserIdentityUserName"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -234,18 +243,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
"contentKind": "AnalyticsRule",
"displayName": "Cross-Cloud Password Spray detection",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -254,13 +263,13 @@
"description": "Cross-CloudSuspiciousComputeResourcecreationinGCP_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -311,15 +320,16 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -329,57 +339,56 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
}
],
"customDetails": {
- "GCPVMType": "VMType",
"AWSAlertUserName": "AWSAlertUserNameEntity",
+ "AWSresourceType": "AWSresourceType",
+ "GCPVMType": "VMType",
"AWSAPICallCount": "APICallCount",
- "GCPUserAgent": "GCPUserUA",
"AWSArn": "Arn",
- "GCPProjectId": "[variables('_ProjectId')]",
"AWSInstanceType": "InstanceType",
"CorrelationWith": "GCPAuditLogs",
+ "AWSAPICallName": "APICallName",
"GCPVMName": "VMName",
- "AWSresourceType": "AWSresourceType",
- "AWSAPICallName": "APICallName"
+ "GCPProjectId": "[variables('_ProjectId')]",
+ "GCPUserAgent": "GCPUserUA"
},
"alertDetailsOverride": {
+ "alertSeverityColumnName": "Severity",
+ "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' assocated with GCP compute activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDynamicProperties": [
{
- "alertProperty": "AlertLink",
- "value": "AWSAlertLink"
+ "value": "AWSAlertLink",
+ "alertProperty": "AlertLink"
},
{
- "alertProperty": "ProviderName",
- "value": "AWS"
+ "value": "AWS",
+ "alertProperty": "ProviderName"
},
{
- "alertProperty": "ProductComponentName",
- "value": "AWSGuarduty"
+ "value": "AWSGuarduty",
+ "alertProperty": "ProductComponentName"
}
- ],
- "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in GCP compute activity with {{GCPUserUPN}}",
- "alertSeverityColumnName": "Severity"
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -401,18 +410,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
"contentKind": "AnalyticsRule",
"displayName": "Cross-Cloud Suspicious Compute resource creation in GCP",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -421,13 +430,13 @@
"description": "CrossCloudSuspiciousUserActivityObservedInGCPEnvourment_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId3')]",
+ "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -496,15 +505,16 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "GCPUserIp",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -514,59 +524,58 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
}
],
"customDetails": {
- "AlertUserUPN": "AlertUserUPN",
"TimeDiff": "TimeDiff",
- "FirstAlert": "FirstAlert",
+ "AlertName": "AlertName",
+ "SystemAlertId": "[variables('_SystemAlertId')]",
"CorrelationWith": "GCPAuditLogs",
- "MethodName": "MethodName",
"GCPProjctId": "[variables('_GCPProjctId')]",
- "Tactics": "Tactics",
- "Request": "Request",
+ "MethodName": "MethodName",
"ServiceName": "ServiceName",
"LastAlert": "LastAlert",
+ "AlertUserUPN": "AlertUserUPN",
+ "FirstAlert": "FirstAlert",
"GCPCallerUA": "GCPCallerUA",
- "AlertName": "AlertName",
- "SystemAlertId": "[variables('_SystemAlertId')]"
+ "Request": "Request",
+ "Tactics": "Tactics"
},
"alertDetailsOverride": {
+ "alertSeverityColumnName": "AlertSeverity",
+ "alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from {{ProductName}} With Alert Description '{{Description}}' observed activity in GCP environmeny. It focuses on Microsoft Security, specifically targeting user bhaviour and network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint users suspicious activity to access both Azure and GCP resources. \n\n Microsoft Security ALert Link : '{{AlertLink}}'",
"alertDynamicProperties": [
{
- "alertProperty": "AlertLink",
- "value": "AlertLink"
+ "value": "AlertLink",
+ "alertProperty": "AlertLink"
},
{
- "alertProperty": "ProviderName",
- "value": "ProductName"
+ "value": "ProductName",
+ "alertProperty": "ProviderName"
},
{
- "alertProperty": "ProductComponentName",
- "value": "Microsoft Security"
+ "value": "Microsoft Security",
+ "alertProperty": "ProductComponentName"
}
- ],
- "alertDisplayNameFormat": "A user {{GCPUserUPN}} has been linked to {{AlertName}}, and has potentially suspicious behavior within the GCP environment from, originating from the IP address {{GCPUserIp}}.",
- "alertSeverityColumnName": "AlertSeverity"
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 3",
+ "parentId": "[variables('analyticRuleObject3').analyticRuleId3]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -588,18 +597,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]",
"contentKind": "AnalyticsRule",
"displayName": "Cross-Cloud Suspicious user activity observed in GCP Envourment",
- "contentProductId": "[variables('_analyticRulecontentProductId3')]",
- "id": "[variables('_analyticRulecontentProductId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]",
+ "version": "[variables('analyticRuleObject3').analyticRuleVersion3]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -608,13 +617,13 @@
"description": "CrossCloudUnauthorizedCredentialsAccessDetection_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -660,15 +669,16 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -678,64 +688,63 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
}
],
"customDetails": {
- "AzAuthRequirement": "AuthenticationRequirement",
- "alertSeverity": "Severity",
+ "AWSArn": "Arn",
+ "AzureUserAgent": "UserAgent",
+ "AWSAplicationName": "RDSApplication",
+ "AzureUser": "UserPrincipalName",
+ "AWSInstanceId": "[variables('_RDSInstanceId')]",
+ "AWSInstanceType": "RDSactionType",
+ "AWSresourceType": "AWSresourceType",
+ "AzConditionalAccess": "ConditionalAccessStatus",
"AzureClientAppUsed": "ClientAppUsed",
"AzureRiskDetail": "RiskDetail",
- "AzureOperationName": "OperationName",
- "AzureUserAgent": "UserAgent",
+ "alertSeverity": "Severity",
"AWSAlertUserName": "RDSUser",
- "AzConditionalAccess": "ConditionalAccessStatus",
- "AWSresourceType": "AWSresourceType",
- "AWSInstanceId": "[variables('_RDSInstanceId')]",
- "AzureUser": "UserPrincipalName",
- "AWSAplicationName": "RDSApplication",
- "AWSArn": "Arn",
- "AWSInstanceType": "RDSactionType"
+ "AzureOperationName": "OperationName",
+ "AzAuthRequirement": "AuthenticationRequirement"
},
"alertDetailsOverride": {
+ "alertSeverityColumnName": "Severity",
+ "alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
"alertDescriptionFormat": "This detection correlates AWS GuardDuty Credential Access alert described '{{AWSAlertDescription}}' related to Amazon Relational Database Service (RDS) activity with Azure portal sign-in activities. It identifies successful and failed logins, anomalous behavior, and malicious IP access. By joining these datasets on network entities and IP addresses, it detects unauthorized credential access attempts across AWS and Azure resources, enhancing cross-cloud security monitoring. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDynamicProperties": [
{
- "alertProperty": "AlertLink",
- "value": "AWSAlertLink"
+ "value": "AWSAlertLink",
+ "alertProperty": "AlertLink"
},
{
- "alertProperty": "ProviderName",
- "value": "AWS"
+ "value": "AWS",
+ "alertProperty": "ProviderName"
},
{
- "alertProperty": "ProductName",
- "value": "AWSGuardDuty"
+ "value": "AWSGuardDuty",
+ "alertProperty": "ProductName"
},
{
- "alertProperty": "ProductComponentName",
- "value": "AWSGuardDuty"
+ "value": "AWSGuardDuty",
+ "alertProperty": "ProductComponentName"
}
- ],
- "alertDisplayNameFormat": "IP address {{IPAddress}} in {{AWSAlertTitle}} seen in Azure Signin Logs with {{UserPrincipalName}}",
- "alertSeverityColumnName": "Severity"
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 4",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -757,18 +766,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
"contentKind": "AnalyticsRule",
"displayName": "Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -777,13 +786,13 @@
"description": "SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -842,6 +851,7 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -851,39 +861,38 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
- "AWSUser": "UserIdentityArn",
"UserAgent": "UserAgent",
- "AWSUserUPN": "CTUPN"
+ "AWSUserUPN": "CTUPN",
+ "AWSUser": "UserIdentityArn"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 5",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -905,18 +914,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
"contentKind": "AnalyticsRule",
"displayName": "Successful AWS Console Login from IP Address Observed Conducting Password Spray",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -925,13 +934,13 @@
"description": "SuspiciousAWSConsolLoginByCredentialAceessAlerts_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId6')]",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -995,6 +1004,7 @@
],
"entityMappings": [
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -1004,40 +1014,39 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
},
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
- "AzureUserUPN": "AccountUPN",
"UserAgent": "UserAgent",
- "ComonIp": "SourceIpAddress",
- "AWSUSerUPN": "CTUPN"
+ "AWSUSerUPN": "CTUPN",
+ "AzureUserUPN": "AccountUPN",
+ "ComonIp": "SourceIpAddress"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 6",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -1059,18 +1068,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
"contentKind": "AnalyticsRule",
"displayName": "Suspicious AWS console logins by credential access alerts",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1079,13 +1088,13 @@
"description": "Unauthorized_user_access_across_AWS_and_Azure_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId7')]",
+ "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1133,15 +1142,16 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
},
{
+ "entityType": "Account",
"fieldMappings": [
{
"columnName": "Name",
@@ -1151,64 +1161,63 @@
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
- ],
- "entityType": "Account"
+ ]
}
],
"customDetails": {
+ "AWSAPICallName": "APICallName",
+ "AzureUserAgent": "UserAgent",
+ "AzureUser": "UserPrincipalName",
+ "AWSresourceType": "AWSresourceType",
+ "AWSInstanceType": "InstanceType",
+ "AWSArn": "Arn",
"AWSAPICallCount": "APICallCount",
- "AzAuthRequirement": "AuthenticationRequirement",
- "alertSeverity": "Severity",
+ "AzConditionalAccess": "ConditionalAccessStatus",
"AzureClientAppUsed": "ClientAppUsed",
"AzureRiskDetail": "RiskDetail",
- "AzureOperationName": "OperationName",
- "AzureUserAgent": "UserAgent",
+ "alertSeverity": "Severity",
"AWSAlertUserName": "AWSAlertUserNameEntity",
- "AzConditionalAccess": "ConditionalAccessStatus",
- "AWSresourceType": "AWSresourceType",
- "AWSAPICallName": "APICallName",
- "AzureUser": "UserPrincipalName",
- "AWSArn": "Arn",
- "AWSInstanceType": "InstanceType"
+ "AzureOperationName": "OperationName",
+ "AzAuthRequirement": "AuthenticationRequirement"
},
"alertDetailsOverride": {
+ "alertSeverityColumnName": "Severity",
+ "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
"alertDescriptionFormat": " This detection compiles and correlates unauthorized user access alerts originating from AWS GuardDuty With Alert Description '{{AWSAlertDescription}}' with Azure portal sign-in activities. It focuses on AWS GuardDuty alerts related to unauthorized user access, specifically targeting network IP associations tied to activities such as logins from malicious IP addresses or instance credential exfiltration attempts. The detection leverages these common network IP advisories to detect and pinpoint unauthorized users attempting to access both AWS and Azure resources. \n\n AWS ALert Link : '{{AWSAlertLink}}' \n\n Find More Details :https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html",
"alertDynamicProperties": [
{
- "alertProperty": "AlertLink",
- "value": "AWSAlertLink"
+ "value": "AWSAlertLink",
+ "alertProperty": "AlertLink"
},
{
- "alertProperty": "ProviderName",
- "value": "AWS"
+ "value": "AWS",
+ "alertProperty": "ProviderName"
},
{
- "alertProperty": "ProductName",
- "value": "AWSGuardDuty"
+ "value": "AWSGuardDuty",
+ "alertProperty": "ProductName"
},
{
- "alertProperty": "ProductComponentName",
- "value": "AWSGuardDuty"
+ "value": "AWSGuardDuty",
+ "alertProperty": "ProductComponentName"
}
- ],
- "alertDisplayNameFormat": "{{AWSNetworkEntity}} from {{AWSAlertTitle}} observed in Azure Singins with {{UserPrincipalName}}",
- "alertSeverityColumnName": "Severity"
+ ]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 7",
+ "parentId": "[variables('analyticRuleObject7').analyticRuleId7]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -1230,18 +1239,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]",
"contentKind": "AnalyticsRule",
"displayName": "Unauthorized user access across AWS and Azure",
- "contentProductId": "[variables('_analyticRulecontentProductId7')]",
- "id": "[variables('_analyticRulecontentProductId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]",
+ "version": "[variables('analyticRuleObject7').analyticRuleVersion7]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1250,13 +1259,13 @@
"description": "UserImpersonateByAAID_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId8')]",
+ "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1295,35 +1304,35 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
- "AWSUser": "UserIdentityArn",
+ "AlertIp": "ipAddress",
"AlertName": "AlertName",
- "AlertIp": "ipAddress"
+ "AWSUser": "UserIdentityArn"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 8",
+ "parentId": "[variables('analyticRuleObject8').analyticRuleId8]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -1345,18 +1354,18 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]",
"contentKind": "AnalyticsRule",
"displayName": "User impersonation by Identity Protection alerts",
- "contentProductId": "[variables('_analyticRulecontentProductId8')]",
- "id": "[variables('_analyticRulecontentProductId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]",
+ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1365,13 +1374,13 @@
"description": "UserImpersonateByRiskyUser_AnalyticalRules Analytics Rule with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId9')]",
+ "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
@@ -1412,36 +1421,36 @@
],
"entityMappings": [
{
+ "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ],
- "entityType": "IP"
+ ]
}
],
"customDetails": {
- "AwsUser": "UserIdentityArn",
- "AzureUser": "UserPrincipalName",
+ "RiskEventTypes": "RiskEventTypes",
"AWSEventName": "EventName",
- "RiskEventTypes": "RiskEventTypes"
+ "AzureUser": "UserPrincipalName",
+ "AwsUser": "UserIdentityArn"
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]",
"properties": {
- "description": "Multi Cloud Attack Coverage Essentials-Resource Abuse Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "description": "Multi Cloud Attack Coverage Essentials - Resource Abuse Analytics Rule 9",
+ "parentId": "[variables('analyticRuleObject9').analyticRuleId9]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]",
"source": {
"kind": "Solution",
- "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -1463,12 +1472,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId9')]",
+ "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]",
"contentKind": "AnalyticsRule",
"displayName": "High-Risk Cross-Cloud User Impersonation",
- "contentProductId": "[variables('_analyticRulecontentProductId9')]",
- "id": "[variables('_analyticRulecontentProductId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]",
+ "version": "[variables('analyticRuleObject9').analyticRuleVersion9]"
}
},
{
@@ -1479,7 +1488,7 @@
"version": "3.0.0",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
- "displayName": "Multi Cloud Attack Coverage Essentials-Resource Abuse",
+ "displayName": "Multi Cloud Attack Coverage Essentials - Resource Abuse",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
"descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe rise of Multi Cloud Resource Abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target the vulnerabilities within AWS, GCP, and Azure cloud environments, aiming to exploit misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to fortify the detection and prevention measures against such malicious activities. By integrating detection capabilities across AWS, GCP, and Azure cloud infrastructures, this solution offers a set of detection strategies across various cloud platforms, including AWS, GCP, and Azure, aiming to identify abnormal activities, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuses. This solution extends its coverage to include a wide array of cloud-based services such as AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.
\nPre-requisites:
\nThis is a domain solution and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution.
\n\n\n\n\nGoogle Cloud Platform Audit Logs
\nThis content covers all stages of the attack chain from an initial resource access attack vector, establishing persistence to an environment, locating and executing malicious activity from data stores, and then perpetrating and hiding their activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption
\nKeywords: Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse
\nAnalytic Rules: 9
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", @@ -1490,7 +1499,7 @@ "parentId": "[variables('_solutionId')]", "source": { "kind": "Solution", - "name": "Multi Cloud Attack Coverage Essentials-Resource Abuse", + "name": "Multi Cloud Attack Coverage Essentials - Resource Abuse", "sourceId": "[variables('_solutionId')]" }, "author": { @@ -1508,48 +1517,48 @@ "criteria": [ { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } ] }, diff --git a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/ReleaseNotes.md b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/ReleaseNotes.md similarity index 100% rename from Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/ReleaseNotes.md rename to Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/ReleaseNotes.md diff --git a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/SolutionMetadata.json b/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/SolutionMetadata.json similarity index 100% rename from Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/SolutionMetadata.json rename to Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/SolutionMetadata.json diff --git a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/3.0.0.zip b/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/3.0.0.zip deleted file mode 100644 index 9c3481e945e..00000000000 Binary files a/Solutions/Multi Cloud Attack Coverage Essentials-Resource Abuse/Package/3.0.0.zip and /dev/null differ