Improved BloodHound Enterprise Solution #11445

Merged
merged 71 commits into from
Dec 3, 2024
Changes from 51 commits
71 commits
b389b0b
test commit
ghodum Oct 24, 2024
a878168
added func zip
ghodum Oct 25, 2024
be01381
updated zip
ghodum Oct 25, 2024
aea8652
First working deployment scripts
ghodum Oct 25, 2024
ac71c0d
Added blog storage for timestamps/cursor
ghodum Oct 29, 2024
6686f6c
Updated function with timestamp cursor functionality
ghodum Oct 29, 2024
97c2798
Added workbooks. Registered in Solution_BloodHoundEnterprise.json.
daviditkin Oct 30, 2024
2e5bb57
Added event_details column to hold extra event information.
daviditkin Oct 30, 2024
8f105b5
Custom table schema mods. All workbook json is gallery export. Trac…
daviditkin Oct 30, 2024
0308b98
Updated data connector template
ghodum Oct 30, 2024
1c8fe58
Initial wiring of connector code to ingest bhe data. WARN: Currently…
daviditkin Oct 31, 2024
e4cfe2d
Merge branch 'feature-bhe-solution' of github.com:daviditkin/Azure-Se…
daviditkin Oct 31, 2024
dc29545
Batching supported.
daviditkin Nov 1, 2024
bad35d7
zipped up new build
daviditkin Nov 1, 2024
1eb5f25
new funcapp zip
daviditkin Nov 1, 2024
6ea8c17
fix workbooks, update funcapp zip
daviditkin Nov 4, 2024
099fce4
Set timezone to UTC for bhe compliant time parameters.
daviditkin Nov 4, 2024
3416226
Using persisted last ingest time and last analysis time to avoid inge…
daviditkin Nov 5, 2024
86e10fa
latest greatest
daviditkin Nov 5, 2024
6c55e77
Removed dry run. latest funcapp zip
daviditkin Nov 5, 2024
579370b
Working mainTemplate.zip. Edited by hand! Currently can't be generated…
daviditkin Nov 5, 2024
68953ed
Merge branch 'Azure:master' into feature-bhe-solution
daviditkin Nov 6, 2024
212b90f
Added label / description strings for workbooks. Not sure why this i…
daviditkin Nov 16, 2024
e080f4a
Working mainTemplate. commit to make sure I don't lose changes as I…
daviditkin Nov 16, 2024
000fbef
No validation errors. apiversion warnings.
daviditkin Nov 16, 2024
6871b37
Fix circular refs. Fix Workbook version and ids.
daviditkin Nov 17, 2024
08be141
Remove Hide Filter and update version of workbook template.
daviditkin Nov 17, 2024
e3254b8
handle bhe either as url or just domain
daviditkin Nov 17, 2024
54e534a
run connector twice a day
daviditkin Nov 17, 2024
eb67b0e
Updated solution version to 4.0.0 and major update and prev existing …
daviditkin Nov 17, 2024
9c89eb6
Solution to 3.0.0. Old solution was 2.0.0 and this is a major change.
daviditkin Nov 18, 2024
ed0cefc
remove daviditkin github repo replace with MS Azure/Azure-Sentinel. V…
daviditkin Nov 18, 2024
8901654
revert to prev deploy 3.0.0.zip and create new 3.1.0.zip
daviditkin Nov 18, 2024
e1b42c3
Merge branch 'Azure:master' into feature-bhe-solution
daviditkin Nov 18, 2024
56ea5a7
Analytic rules now version 1.1.0
daviditkin Nov 18, 2024
b8df61f
remove unneeded file local.settings.json
daviditkin Nov 18, 2024
f1e0aa9
Revert "remove unneeded file local.settings.json"
daviditkin Nov 18, 2024
c57d1fc
Remove local.settings.json. Causing some validation problems.
daviditkin Nov 20, 2024
c6a29a8
Queries use created_at when comparing with time_range.
daviditkin Nov 20, 2024
0738fc3
update solution version in Data/Solution...
daviditkin Nov 20, 2024
7c98198
update to schema version.
daviditkin Nov 20, 2024
5785a81
Updates to improve validation
daviditkin Nov 20, 2024
ff4c9f0
trying to simplify to pass validation. Not applying workarounds to m…
daviditkin Nov 20, 2024
35f102b
Revert "trying to simplify to pass validation. Not applying workarou…
daviditkin Nov 21, 2024
b8a68fd
Add BloodHoundLogs_CL.json to .script/tests/KqlvalidationsTests/Custo…
daviditkin Nov 21, 2024
460245b
Add workbook information into WorkbooksMetadata.json file.
daviditkin Nov 21, 2024
be3a50c
Typo in title. Removed metadata for deleted workbook.
daviditkin Nov 21, 2024
8df388e
added workbook screenshots
daviditkin Nov 22, 2024
f3b2384
Fixes to attack path workbooks
daviditkin Nov 22, 2024
7bef934
reapply workaround modifications
daviditkin Nov 22, 2024
c7d4cdd
trying to make it validate
daviditkin Nov 22, 2024
e37baf9
Update uri concat.
daviditkin Nov 26, 2024
2a0a69a
Adding preview images in /Workbooks/Images/Preview and added to Workb…
daviditkin Nov 26, 2024
050341b
update names of preview images
daviditkin Nov 26, 2024
ac35a7b
minor forgot file
daviditkin Nov 26, 2024
88fb011
correct incorrect KqlvalidationTests/CustomTables json format.
daviditkin Nov 26, 2024
5db1ad7
removed locale from our documentation uris
daviditkin Nov 26, 2024
73214b0
added compiled executable to funcignore. Static linked go has azure …
daviditkin Nov 26, 2024
0e9b4ee
Remove function from pushed repo. Shouldn't be there and has locale …
daviditkin Nov 26, 2024
b597a49
Modified column headers
daviditkin Nov 27, 2024
2022111
use arg_max(updated_at) to get latest records group by all the princi…
daviditkin Nov 27, 2024
6408454
increase size / length. Though should not be needed since deduping r…
daviditkin Nov 27, 2024
9560875
remove endTime on query.
daviditkin Nov 27, 2024
8a16180
date time tooltip.
daviditkin Nov 27, 2024
5932e06
Added back arg_max...
daviditkin Nov 27, 2024
041c6c0
Percentage values show as %
daviditkin Nov 27, 2024
b9a00a4
transform of attack path uses BHE PathTitle: field.
daviditkin Nov 29, 2024
e1d7bd3
fix bhe-funcap zip and remove debugging code
daviditkin Nov 29, 2024
cae008b
forgot to update 3.1.0.zip.
daviditkin Nov 29, 2024
12ffb5f
Solution packaged
v-prasadboke Dec 2, 2024
79e6e01
Merge branch 'master' into pr/11445
v-prasadboke Dec 2, 2024
Original file line number Diff line number Diff line change
@@ -0,0 +1,126 @@
{
"name": "BloodHoundLogs_CL",
"properties": {
"schema": {
"name": "BloodHoundLogs_CL",
"columns": [
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "domain_sid",
"type": "string"
},
{
"name": "exposure_index",
"type": "real"
},
{
"name": "tier_zero_count",
"type": "real"
},
{
"name": "domain_id",
"type": "string"
},
{
"name": "non_tier_zero_principal",
"type": "string"
},
{
"name": "tier_zero_principal",
"type": "string"
},
{
"name": "group",
"type": "string"
},
{
"name": "principal",
"type": "string"
},
{
"name": "path_id",
"type": "string"
},
{
"name": "user",
"type": "string"
},
{
"name": "finding_id",
"type": "string"
},
{
"name": "path_title",
"type": "string"
},
{
"name": "path_type",
"type": "string"
},
{
"name": "exposure",
"type": "real"
},
{
"name": "finding_count",
"type": "real"
},
{
"name": "principal_count",
"type": "real"
},
{
"name": "id",
"type": "long"
},
{
"name": "created_at",
"type": "datetime"
},
{
"name": "updated_at",
"type": "datetime"
},
{
"name": "deleted_at",
"type": "datetime"
},
{
"name": "deleted_at_v",
"type": "boolean"
},
{
"name": "severity",
"type": "string"
},
{
"name": "domain_impact_value",
"type": "real"
},
{
"name": "domain_name",
"type": "string"
},
{
"name": "domain_type",
"type": "string"
},
{
"name": "data_type",
"type": "string"
},
{
"name": "event_type",
"type": "string"
},
{
"name": "event_details",
"type": "string"
}
]
}
}
}
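Review bot: The count-style columns in this schema (tier_zero_count, finding_count, principal_count, domain_impact_value) are declared as `real` while `id` is `long`; confirm this matches what the connector actually ingests, because the analytic rules in this PR run min() and arg_max() over finding_count and tier_zero_count, and a type mismatch with the live BloodHoundLogs_CL table would only surface at KQL validation or at query time. It would also help to document, here or in the connector README, which data_type / event_type values are emitted and which of these columns are populated for each, since the rules filter on data_type == "posture" and the pairing of a datetime `deleted_at` with a boolean `deleted_at_v` is not self-explanatory.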
3 changes: 2 additions & 1 deletion .vscode/settings.json
Expand Up @@ -14,5 +14,6 @@
},
"githubPullRequests.ignoredPullRequestBranches": [
"master"
]
],
"azureFunctions.projectSubpath": "Solutions/BloodHound Enterprise/Data Connectors"
}
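Review bot: This hunk edits the repository-root .vscode/settings.json, which is shared by every solution in the repo, to add `"azureFunctions.projectSubpath": "Solutions/BloodHound Enterprise/Data Connectors"`; a single-solution editor setting belongs under Solutions/BloodHound Enterprise/.vscode/settings.json (which this PR already adds) or should be dropped from the PR so the root file is not tied to one connector.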
5 changes: 5 additions & 0 deletions Solutions/BloodHound Enterprise/.vscode/extensions.json
@@ -0,0 +1,5 @@
{
"recommendations": [
"ms-azuretools.vscode-azurefunctions"
]
}
6 changes: 6 additions & 0 deletions Solutions/BloodHound Enterprise/.vscode/settings.json
@@ -0,0 +1,6 @@
{
"azureFunctions.deploySubpath": "Data Connectors",
"azureFunctions.projectLanguage": "Custom",
"azureFunctions.projectRuntime": "~4",
"debug.internalConsoleOptions": "neverOpen"
}
15 changes: 15 additions & 0 deletions Solutions/BloodHound Enterprise/.vscode/tasks.json
@@ -0,0 +1,15 @@
{
"version": "2.0.0",
"tasks": [
{
"type": "func",
"label": "func: host start",
"command": "host start",
"problemMatcher": "$func-watch",
"isBackground": true,
"options": {
"cwd": "${workspaceFolder}/Data Connectors"
}
}
]
}
Expand Up @@ -7,24 +7,24 @@ status: Available
requiredDataConnectors:
- connectorId: BloodHoundEnterprise
dataTypes:
- BloodHoundEnterprise
- BloodHoundLogs_CL
queryFrequency: 7d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
BloodHoundEnterprise
query: |-
BloodHoundLogs_CL
| where data_type == "posture"
| where created_at > ago (7d)
| summarize min_critical_risk_count = min(critical_risk_count), arg_max(created_at, current_critical_risk_count = critical_risk_count) by domain_name
| summarize min_critical_risk_count = min(finding_count), arg_max(created_at, current_critical_risk_count = finding_count) by domain_name
| extend difference = current_critical_risk_count - min_critical_risk_count
| where difference > 0
entityMappings:
- entityType: DNS
fieldMappings:
- identifier: DomainName
displayName: domain_name
version: 1.0.1
version: 1.1.0
kind: Scheduled
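Review bot: The summarize line `| summarize min_critical_risk_count = min(finding_count), arg_max(created_at, current_critical_risk_count = finding_count) by domain_name` now reads finding_count but nothing restricts the rows to critical severity, even though the new BloodHoundLogs_CL schema carries a `severity` column; either confirm that posture rows only ever hold critical counts or add a severity filter so the rule name and its output columns stay accurate. The filter `| where created_at > ago (7d)` is applied to BloodHound's own created_at while `queryPeriod: 7d` bounds the ingestion window, so rows backfilled after a connector gap can fall outside the window; a one-line comment in the rule stating that this is intentional (the commit history says it is) would save the next reader the question. Minor: `ago (7d)` has a stray space before the parenthesis; `ago(7d)` is the usual form.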
Expand Up @@ -7,15 +7,15 @@ status: Available
requiredDataConnectors:
- connectorId: BloodHoundEnterprise
dataTypes:
- BloodHoundEnterprise
- BloodHoundLogs_CL
queryFrequency: 7d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
BloodHoundEnterprise
query: |-
BloodHoundLogs_CL
| where data_type == "posture"
| where created_at > ago (7d)
| summarize min(exposure_index), arg_max(created_at, exposure_index) by domain_name
Expand All @@ -26,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: DomainName
displayName: domain_name
version: 1.0.1
version: 1.1.0
kind: Scheduled
Expand Up @@ -7,15 +7,15 @@ status: Available
requiredDataConnectors:
- connectorId: BloodHoundEnterprise
dataTypes:
- BloodHoundEnterprise
- BloodHoundLogs_CL
queryFrequency: 7d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
BloodHoundEnterprise
query: |-
BloodHoundLogs_CL
| where data_type == "posture"
| where created_at > ago (7d)
| summarize min_tier_zero = min(tier_zero_count), max_tier_zero = arg_max(created_at, current_tier_zero = tier_zero_count) by domain_name
Expand All @@ -26,5 +26,5 @@ entityMappings:
fieldMappings:
- identifier: DomainName
displayName: domain_name
version: 1.0.1
version: 1.1.0
kind: Scheduled
14 changes: 14 additions & 0 deletions Solutions/BloodHound Enterprise/Data Connectors/.funcignore
@@ -0,0 +1,14 @@
a.git*
.vscode
azurite
__azurite_db*__.json
__blobstorage__
__queuestorage__
local.settings.json
test
deployment
azuredeploy*
1Password*
prev-*
handler.go
*.zip
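Review bot: The first pattern, `a.git*`, matches files whose names begin with "a.git" rather than the .git directory and related files; it reads like a stray leading character and should be `.git*`, otherwise repository metadata ends up inside the function deployment package. Also worth a README line on how the package is built: handler.go is excluded here while the compiled `handler` is ignored in .gitignore, so neither file on its own shows where the shipped binary comes from.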
3 changes: 3 additions & 0 deletions Solutions/BloodHound Enterprise/Data Connectors/.gitignore
@@ -0,0 +1,3 @@
.vscode
azurite
handler