wagov / wasocautomationplaybook Goto Github PK

• Space in name

Actions may be a little too sparse. Additional actions could include identifying which account/application/device is responsible for the alert and using that info to pivot?

Current actions

Automation Rule Name needs to be fixed to match naming schema.

Automation Rule Name needs to be fixed to match naming schema.

For testing duplication and overwriting of automation rules in Sentinel

• The KQL should have "search" not "Search".
• The recommendations that involve steps to take should be suggestions, not directives (Otherwise if our directions are exhaustive, we may have missed something, which they then may not think is needed), such as:
  "Follow Standard Operating Procedures for dealing with X, these may include steps such as:
• Blah
• Blah
• Blah"

Testing the initial deployment of the collated rules.

Not quite sure about my Tasks for this one as I do not have much experience with Exchange. Please review

For testing

I believe "was" should be "were"

Rule is missing and "Log4j vulnerability exploit aka Log4Shell IP IOC" rule was created in its stead.

Not sure that points 1 and 3 are necessary as the alert is supposed to trigger if the sign ins are from different countries

Related to #20

Unsure how to handle Defender for IoT incidents.

Rule appears to be triggered be creation of multiple other login related incidents/alerts

KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTExcessiveLoginAttempts.yaml#L8

SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions") 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques

While I wouldn't normally say to fix the gap caused by MS in its formatting, there is a 15 line gap between the dot points and the KQL example.

Automation Rule Name needs to be fixed to match naming schema.

Third action is missing words:

"If the device(s) are domain controllers and , then the querying of domains could be usual activity and should be confirmed."

Actions may be a little too sparse. Additional actions could include identifying which account/application/device is responsible for the alert and using that info to pivot?

Current actions

This should also cover something along the lines of "..or if the actions or entities are acting outside of normal guidelines/times" for the second action.

Not sure the reason for having this when we have "Admin promotion after Role Management Application Permission Grant"

Related to #19

Unsure how to correctly remediate Defender for IoT incidents

KQL from https://github.com/Azure/Azure-Sentinel/blob/735a9d926d0feb726ecea6fdcbbab09b43fdbb8f/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic%20Rules/IoTDenialofService.yaml#L10

SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName == "Suspicion of Denial Of Service Attack"
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques

• The KQL in Action 2 should have "Search" changed to "search".
• Further, this KQL can be optimised to simply:

search "<entity>"
| summarize count() by $table

(On a quick test 24 hour data set this improved from 58s > 9s to retrieve results)

Needed renaming for automation rule in json.

Not 100% sure of my tasks, please review.

Automation Rule Name needs to be fixed to match naming schema.

These parts could just be merged

Please review the following to determine if the automation steps are appropriate:

Would this be acceptable remediation for backup deletion attempts?

Remove the "in"

Our automation rules have started to spread over multiple pages however the api only calls the content of the first page and then refers to the second page by linking to it (Screenshot attached)

Not sure the reason for having this when we have "Admin promotion after Role Management Application Permission Grant"

Disregard clicked on the wrong one

"priviliged" has been spelled incorrectly in two areas

• Automation name
• First action