Merge branch 'feat/AZ-1389_update_content' into 'master'

feat(AZ-1389): update content

Closes AZ-1389

See merge request claranet/projects/cloud/azure/terraform/modules/sentinel-content!81

README.md

@@ -15,6 +15,7 @@ __Current log sources supported__ :
 - _azure\_waf_
 - _cef_
 - _cisco\_meraki_
+- _cloudflare_
 - _cyberark\_pam_
 - _darktrace_
 - _entra\_id_
@@ -23,6 +24,7 @@ __Current log sources supported__ :
 - _m365_
 - _okta_
 - _sentinelone_
+- _sophos\_endpoint_
 - _syslog_
 - _ti_
 - _windows\_security_

modules/rules/cloudflare/cloudflare_-_bad_client_ip.json

@@ -0,0 +1,45 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects requests from IP with bad reputation index.",
+        "displayName": "Cloudflare - Bad client IP",
+        "enabled": true,
+        "query": "let ip_reputation = dynamic(['unknown', 'badHost', 'greylist', 'securityScanner', 'scan', 'tor']);\nCloudflare\n| where ClientIPClass in~ (ip_reputation)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            },
+            {
+                "entityType": "URL",
+                "fieldMappings": [
+                    {
+                        "columnName": "UrlCustomEntity",
+                        "identifier": "Url"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "a7ce6135-9d55-4f14-b058-adc2e920a4fa",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_client_request_from_country_in_blocklist.json

@@ -0,0 +1,45 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects requests from countries which are in blocklist.",
+        "displayName": "Cloudflare - Client request from country in blocklist",
+        "enabled": true,
+        "query": "let bl_countries = dynamic(['cn', 'hk']);\nCloudflare\n| where SrcGeoCountry in~ (bl_countries)\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            },
+            {
+                "entityType": "URL",
+                "fieldMappings": [
+                    {
+                        "columnName": "UrlCustomEntity",
+                        "identifier": "Url"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "40554544-6e4a-4413-8d14-bf2de939c5d9",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_empty_user_agent.json

@@ -0,0 +1,36 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects requests where user agent is empty.",
+        "displayName": "Cloudflare - Empty user agent",
+        "enabled": true,
+        "query": "Cloudflare\n| where isempty(HttpUserAgentOriginal)\n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "729c6d21-fad9-4a6a-9c7f-482393c95957",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_multiple_error_requests_from_single_source.json

@@ -0,0 +1,36 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects multiple failure requests from single source in short timeframe.",
+        "displayName": "Cloudflare - Multiple error requests from single source",
+        "enabled": true,
+        "query": "let threshold = 100;\nCloudflare\n| where HttpRequestMethod =~ 'GET'\n| summarize err_cnt = count() by SrcIpAddr, bin(TimeGenerated, 5m)\n| where err_cnt > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Low",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "ef877d68-755f-4cf1-ac1d-f336e395667c",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_multiple_user_agents_for_single_source.json

@@ -0,0 +1,36 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects requests with different user agents from one source in short timeframe.",
+        "displayName": "Cloudflare - Multiple user agents for single source",
+        "enabled": true,
+        "query": "let threshold = 10;\nCloudflare\n| where isnotempty(HttpUserAgentOriginal)\n| summarize d_ua = dcount(HttpUserAgentOriginal) by SrcIpAddr, bin(TimeGenerated, 3m)\n| where d_ua > threshold\n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "fc50076a-0275-43d5-b9dd-38346c061f67",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_unexpected_client_request.json

@@ -0,0 +1,36 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects client requests to unusual client request.",
+        "displayName": "Cloudflare - Unexpected client request",
+        "enabled": true,
+        "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI has_any ('/admin', '/admin.php', 'wp-admin', '.htaccess', '/etc/shadow', '/etc/passwd', '/etc/hosts', '/etc/ssh/') \n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "f32142b1-4bcb-45c0-92e4-2ddc18768522",
+        "templateVersion": "1.0.1"
+    }
+}

modules/rules/cloudflare/cloudflare_-_unexpected_post_requests.json

@@ -0,0 +1,37 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects post requests to unusual extensions.",
+        "displayName": "Cloudflare - Unexpected POST requests",
+        "enabled": true,
+        "query": "Cloudflare\n| where HttpRequestMethod in~ ('POST', 'PUT')\n| where tostring(HttpStatusCode) startswith '2'\n| where DstBytes != 0 or SrcBytes != 0\n| extend fe = extract(@'.*(\\.\\w+)$', 1, ClientRequestURI)\n| where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')\n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "Persistence",
+            "CommandAndControl"
+        ],
+        "techniques": [
+            "T1505",
+            "T1071"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "7313352a-09f6-4a84-88bd-6f17f1cbeb8f",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_unexpected_uri.json

@@ -0,0 +1,36 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects client requests to unusual URI.",
+        "displayName": "Cloudflare - Unexpected URI",
+        "enabled": true,
+        "query": "Cloudflare\n| where HttpRequestMethod =~ 'GET'\n| where DstBytes != 0 or SrcBytes != 0\n| where ClientRequestURI matches regex @'(127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})|(172\\.1[6-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.2[0-9]\\.\\d{1,3}\\.\\d{1,3})|(172\\.3[0-1]\\.\\d{1,3}\\.\\d{1,3})|(192\\.168\\.\\d{1,3}\\.\\d{1,3})'\n| extend IPCustomEntity = SrcIpAddr\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "Medium",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "dcb797cd-a4cd-4306-897b-7991f71d7e27",
+        "templateVersion": "1.0.0"
+    }
+}

modules/rules/cloudflare/cloudflare_-_waf_allowed_threat.json

@@ -0,0 +1,45 @@
+{
+    "kind": "Scheduled",
+    "properties": {
+        "description": "Detects WAF \"Allowed\" action on threat events.",
+        "displayName": "Cloudflare - WAF Allowed threat",
+        "enabled": true,
+        "query": "Cloudflare\n| where isnotempty(WAFRuleID) or isnotempty(WAFRuleMessage)\n| where WAFAction =~ 'Allow'\n| extend IPCustomEntity = SrcIpAddr\n| extend UrlCustomEntity = ClientRequestURI\n",
+        "queryFrequency": "PT1H",
+        "queryPeriod": "PT1H",
+        "severity": "High",
+        "suppressionDuration": "PT1H",
+        "suppressionEnabled": false,
+        "triggerOperator": "GreaterThan",
+        "triggerThreshold": 0,
+        "tactics": [
+            "InitialAccess"
+        ],
+        "techniques": [
+            "T1190",
+            "T1133"
+        ],
+        "entityMappings": [
+            {
+                "entityType": "IP",
+                "fieldMappings": [
+                    {
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
+                    }
+                ]
+            },
+            {
+                "entityType": "URL",
+                "fieldMappings": [
+                    {
+                        "columnName": "UrlCustomEntity",
+                        "identifier": "Url"
+                    }
+                ]
+            }
+        ],
+        "alertRuleTemplateName": "f53fe2a9-96b5-454c-827e-cf1764a67fb0",
+        "templateVersion": "1.0.0"
+    }
+}