diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json index 7856ffb937..7c3a807e73 100644 --- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json +++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json @@ -249,5 +249,6 @@ "RadiflowIsid", "CustomLogsAma", "SilverfortAma", - "IllumioSaaSDataConnector" + "IllumioSaaSDataConnector", + "CTERA" ] \ No newline at end of file diff --git a/Logos/CTERA_Logo.svg b/Logos/CTERA_Logo.svg new file mode 100644 index 0000000000..4217888dfc --- /dev/null +++ b/Logos/CTERA_Logo.svg @@ -0,0 +1,228 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml b/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml new file mode 100644 index 0000000000..319148d15d --- /dev/null +++ b/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml 
@@ -0,0 +1,52 @@ +id: 7a075edf-1cf2-4038-ba9c-c354db6409de +name: Ransom Protect Detected a Ransomware Attack +description: 'This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time' +kind: Scheduled +severity: High +status: Available +requiredDataConnectors: + - connectorId: CTERA + dataTypes: + - Syslog +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: GreaterThan +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1486 +query: | + Syslog + | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected" + | extend + Portal = extract("portal:(\\w+)", 1, SyslogMessage), + EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage), + IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage), + User = extract("user:(\\w+)", 1, SyslogMessage), + IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage), + StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage), + EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage) + | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime +suppressionDuration: PT5H +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: PT5H + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: + alertnameFormat: 'CTERA Ransom Protect Detected a Ransomware Attack.' + alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}. +customDetails: + EdgeFiler: EdgeFiler +entityMappings: +- entityType: Host + fieldMappings: + - identifier: HostName + columnName: EdgeFiler +version: 1.0.0 \ No newline at end of file 
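Review bot: The entity mapping at the end of the hunk maps only EdgeFiler to a Host, although the query also extracts User and IP; the sibling rule RansomwareUserBlocked.yaml maps those two to Account and IP entities, so incidents from this rule lose the actor and source address that analysts pivot on. Add the two mappings and carry Portal, IncidentType, StartTime and EndTime into customDetails so they survive into the alert. Separately, `user:(\\w+)` and `portal:(\\w+)` stop at the first non-word character, so a user such as `domain\\jdoe` or a portal name containing a hyphen would be truncated — whether such names occur in CTERA messages is not visible here. The description also needs punctuation: `Once detected, the following information is exposed: virtual portal, Edge Filer, IP, user, incident type, start and end time.`
```yaml
# … unchanged: id, name, description, query, suppression, incidentConfiguration, eventGroupingSettings, alertDetailsOverride …
customDetails:
  EdgeFiler: EdgeFiler
  Portal: Portal
  IncidentType: IncidentType
  StartTime: StartTime
  EndTime: EndTime
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: EdgeFiler
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: User
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
version: 1.0.0
```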
diff --git a/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml b/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml new file mode 100644 index 0000000000..64078eaaad --- /dev/null +++ b/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml @@ -0,0 +1,54 @@ +id: d5d4766b-e547-44da-9d85-48ff393db201 +name: Ransom Protect User Blocked +description: 'Detects malicious users blocked by CTERA Ransom Protect AI engine.' +kind: Scheduled +severity: High +status: Available +requiredDataConnectors: + - connectorId: CTERA + dataTypes: + - Syslog +queryFrequency: 5m +queryPeriod: 5m +triggerOperator: GreaterThan +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1486 +query: | + Syslog + | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked" + | extend + Portal = extract("portal:(\\w+)", 1, SyslogMessage), + EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage), + IP = extract("IP:([0-9.]+)", 1, SyslogMessage), + User = extract("user:(\\w+)", 1, SyslogMessage), + BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage) + | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime +suppressionDuration: PT5H +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: PT5H + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: + alertnameFormat: 'CTERA Ransom Protect User Blocked' + alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}. +customDetails: + EdgeFiler: EdgeFiler +entityMappings: +- entityType: Account + fieldMappings: + - identifier: FullName + columnName: User +- entityType: IP + fieldMappings: + - identifier: Address + columnName: IP +version: 1.0.0 
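Review bot: The Account mapping at the end of the hunk uses identifier `FullName` for the `User` column, while the three hunting queries in this commit map the same kind of extracted username with identifier `Name`; the mismatch keeps account entities from correlating across the solution's own content. Change it to `- identifier: Name`, or document why FullName was chosen for this rule only. `BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)` captures the token after the first "at " anywhere in the message, which is only the block timestamp if nothing earlier in the text contains that word — I cannot see a sample message to confirm, so anchoring the pattern on the fixed prefix (e.g. `blocked .* at ([^ ]+)`) would be safer. As in RansomwareDetected.yaml, `IP:([0-9.]+)` matches IPv4 only.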
diff --git a/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json b/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json new file mode 100644 index 0000000000..1273c5e1c2 --- /dev/null +++ b/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json 
@@ -0,0 +1,128 @@ +{ + "id": "CTERA", + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "additionalRequirementBanner": "None", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend 
Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, + { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Step 1: Connect CTERA Platform to Syslog", + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect 
CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ] + }, + { + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server", + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." + }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ] + } + ] +} diff --git a/Solutions/CTERA/Data/Solution_CTERA.json b/Solutions/CTERA/Data/Solution_CTERA.json new file mode 100644 index 0000000000..06d0008e9f --- /dev/null +++ b/Solutions/CTERA/Data/Solution_CTERA.json 
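Review bot: The IsConnectedQuery under `connectivityCriterias`, the `lastDataReceivedQuery` under `dataTypes` and the graph `baseQuery` all read the unfiltered `Syslog` table, so the connector reports connected and draws an event graph as soon as any syslog source is flowing, whether or not CTERA is among them; the sample queries already show the discriminator, so scope these to it, e.g. `Syslog\n| where ProcessName == 'gw-audit'\n| where TimeGenerated > ago(3d)\n| take 1\n| project IsConnected = true`. The `requiredPermissions` block asks for `delete: true` while `permissionsDisplayText` says only write is required; nothing in this connector definition deletes workspace resources, so either drop `delete` or correct the text. Note that the `gw-audit` filter covers Edge Filer audit events only, while the analytic rules rely on portal messages containing `com.ctera.db.jpa.log.RansomLogEntityListener` — if those arrive under a different ProcessName, the scoped health queries should include it as well.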
@@ -0,0 +1,26 @@
+{
+ "Name": "CTERA",
+ "Author": "CTERA Networks - support@ctera.com",
+ "Logo": "",
+ "Description": "The CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "Data Connectors": [
+ "Data Connectors/CTERA_Data_Connector.json"
+ ],
+ "Workbooks": [
+ "Workbooks/CTERA_Workbook.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/RansomwareUserBlocked.yaml",
+ "Analytic Rules/RansomwareDetected.yaml"
+ ],
+ "Hunting Queries": [
+ "Hunting Queries/MassDeletions.yaml",
+ "Hunting Queries/MassAccessDenied.yaml",
+ "Hunting Queries/MassPermissionChanges.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CTERA",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml b/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml
new file mode 100644
index 0000000000..b673ac6319
--- /dev/null
+++ b/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml
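Review bot: `"Logo": ""` is empty even though the commit adds Logos/CTERA_Logo.svg, so the packaged solution ships without its logo; other Solution_*.json files in this repository reference the raw GitHub URL of the SVG in an `<img>` tag here, so copy that form from a neighbouring solution. The Description ends with `excessive deletions .` (stray space before the period) and already contains the two "Learn more" links, which the packaging tool appends again — the duplicated link pair is visible in the generated createUiDefinition.json basics text further down this diff, so drop them from this field. Also, the generated Package/mainTemplate.json in this diff carries `"solutionId": "1password1617200969773.azure-sentinel-solution-1password"`, another vendor's offering id; that value appears to come from the SolutionMetadata.json referenced on the `Metadata` line, which looks copied from a different solution and should be corrected before repackaging.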
@@ -0,0 +1,40 @@ +id: 26f7d89a-b7b7-47cb-ad11-281f66c17c3d +name: CTERA Mass Access Denied Detection +description: 'This query detects access denied events generated by the CTERA Edge Filer' +requiredDataConnectors: + - connectorId: CTERA + dataTypes: + - Syslog +tactics: + - Defense Evasion +relevantTechniques: + - T1562 +query: | + Syslog + | where ProcessName == 'gw-audit' + | extend + TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage), + UserName = extract("user=([^|]*)", 1, SyslogMessage), + Operation = extract("op=([^|]*)", 1, SyslogMessage), + EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage), + RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage), + Share = extract("share=([^|]*)", 1, SyslogMessage), + LocalPath = extract("path=([^|]*)", 1, SyslogMessage), + Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage)) + | where Operation in ('OpenDenied', 'createDenied', 'OpenDenied', 'setsd', 'AclDenied', 'chown', 'AclDenied', 'deleteDenied') + | summarize Count = count() by UserName, bin(Timestamp, 2m) + | where Count > 10 +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserName + - entityType: IP + fieldMappings: + - identifier: Address + columnName: Timestamp + - entityType: File + fieldMappings: + - identifier: Name + columnName: Timestamp +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/CTERA/Hunting Queries/MassDeletions.yaml b/Solutions/CTERA/Hunting Queries/MassDeletions.yaml new file mode 100644 index 0000000000..7b3ec66861 --- /dev/null +++ b/Solutions/CTERA/Hunting Queries/MassDeletions.yaml 
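Review bot: The IP and File entity mappings at the end of the hunk both point `columnName` at `Timestamp`, a datetime, and after `summarize Count = count() by UserName, bin(Timestamp, 2m)` the only output columns are UserName, Timestamp and Count anyway, so those two entities are always wrong or empty; MassDeletions.yaml and MassPermissionChanges.yaml carry the same mappings. Either delete both mappings or carry real data through, e.g. `| summarize Count = count(), Paths = make_set(LocalPath, 10) by UserName, EdgeFiler, bin(Timestamp, 2m)` and map File to that path column (no IP is extracted from these events, so the IP entity should go in any case). The `in (...)` list repeats `OpenDenied` and `AclDenied`, and `setsd` and `chown` are not denials — if they are meant as ACL-change operations they belong in MassPermissionChanges.yaml. The description needs a trailing period (`...CTERA Edge Filer.`), which is why the generated createUiDefinition text runs its two sentences together, and Defense Evasion / T1562 (Impair Defenses) is a loose fit for a burst of denied accesses — Discovery (T1083, File and Directory Discovery) may describe it better.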
@@ -0,0 +1,40 @@ +id: 23206903-0c36-4d68-ba4b-169c67355b53 +name: CTERA Mass File Deletions Detection +description: 'This query detects file deletions generated by the CTERA Edge Filer.' +requiredDataConnectors: + - connectorId: CTERA + dataTypes: + - Syslog +tactics: + - Impact +relevantTechniques: + - T1485 +query: | + Syslog + | where ProcessName == 'gw-audit' + | extend + TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage), + UserName = extract("user=([^|]*)", 1, SyslogMessage), + Permission = extract("op=([^|]*)", 1, SyslogMessage), + EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage), + RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage), + Share = extract("share=([^|]*)", 1, SyslogMessage), + LocalPath = extract("path=([^|]*)", 1, SyslogMessage), + Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage)) + | where Permission == 'delete' + | summarize Count = count() by UserName, bin(Timestamp, 2m) + | where Count > 10 +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserName + - entityType: IP + fieldMappings: + - identifier: Address + columnName: Timestamp + - entityType: File + fieldMappings: + - identifier: Name + columnName: Timestamp +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml b/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml new file mode 100644 index 0000000000..3d81fc082a --- /dev/null +++ b/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml 
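Review bot: The `op=` extract is named `Permission` here but `Operation` in MassAccessDenied.yaml and MassPermissionChanges.yaml; rename it to `Operation = extract("op=([^|]*)", 1, SyslogMessage),` and `| where Operation == 'delete'` so the three queries read alike. The comparison is case-sensitive; this page shows both `OpenDenied`-style and lowercase operation names, so if the Edge Filer's casing is not guaranteed, `=~` avoids silently missing deletions.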
@@ -0,0 +1,40 @@ +id: 694ce74e-968b-4ca0-ae24-53bcfd87bf0a +name: CTERA Mass Permission Change Detection +description: 'This query detects permission changes generated by the CTERA Edge Filer.' +requiredDataConnectors: + - connectorId: CTERA + dataTypes: + - Syslog +tactics: + - Privilege Escalation +relevantTechniques: + - T1068 +query: | + Syslog + | where ProcessName == 'gw-audit' + | extend + TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage), + UserName = extract("user=([^|]*)", 1, SyslogMessage), + Operation = extract("op=([^|]*)", 1, SyslogMessage), + EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage), + RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage), + Share = extract("share=([^|]*)", 1, SyslogMessage), + LocalPath = extract("path=([^|]*)", 1, SyslogMessage), + Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage)) + | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl') + | summarize Count = count() by UserName, bin(Timestamp, 2m) + | where Count > 10 +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserName + - entityType: IP + fieldMappings: + - identifier: Address + columnName: Timestamp + - entityType: File + fieldMappings: + - identifier: Name + columnName: Timestamp +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/CTERA/Package/3.0.0.zip b/Solutions/CTERA/Package/3.0.0.zip new file mode 100644 index 0000000000..e5a35bf5aa Binary files /dev/null and b/Solutions/CTERA/Package/3.0.0.zip differ diff --git a/Solutions/CTERA/Package/createUiDefinition.json b/Solutions/CTERA/Package/createUiDefinition.json new file mode 100644 index 0000000000..23f1b2c687 --- /dev/null +++ b/Solutions/CTERA/Package/createUiDefinition.json 
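Review bot: The tactic/technique pair `Privilege Escalation` / T1068 (Exploitation for Privilege Escalation) does not describe a burst of ACL changes; ATT&CK's File and Directory Permissions Modification, T1222 under Defense Evasion, is the matching technique, so change `tactics` to `- Defense Evasion` and `relevantTechniques` to `- T1222`. The `Operation in (...)` list is case-sensitive and mixes `ACLAdded`-style names with lowercase `setdacl`; if the Edge Filer's casing is not fixed, `in~` avoids silent misses.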
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CTERA/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": 
"[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CTERA. You can get CTERA Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CTERA Audit Logs Ingestion", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Ransom Protect User Blocked", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects malicious users blocked by CTERA Ransom Protect AI engine." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Ransom Protect Detected a Ransomware Attack", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time" + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass File Deletions Detection", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects file deletions generated by the CTERA Edge Filer. 
This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass Access Denied Detection", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects access denied events generated by the CTERA Edge Filer This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass Permission Change Detection", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects permission changes generated by the CTERA Edge Filer. This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/CTERA/Package/mainTemplate.json b/Solutions/CTERA/Package/mainTemplate.json new file mode 100644 index 0000000000..8276ab25f2 --- /dev/null +++ b/Solutions/CTERA/Package/mainTemplate.json 
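Review bot: `Microsoft.Logic/workflows` is listed under `basics.subscription.resourceProviders`, but the solution ships no playbooks (the same description counts 1 data connector, 1 workbook, 2 analytic rules and 3 hunting queries), so the installer requests a provider it never uses. If this file is tool-generated and the packaging tool always emits that provider, leave it, but the duplicated "Learn more" link pair in the basics description should then be fixed at the generator input (the Description in Solution_CTERA.json) rather than here.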
@@ -0,0 +1,1140 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "CTERA Networks - support@ctera.com", + "comments": "Solution template for CTERA" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CTERA Audit Logs Ingestion", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@ctera.com", + "_email": "[variables('email')]", + "_solutionName": "CTERA", + "_solutionVersion": "3.0.0", + "solutionId": "1password1617200969773.azure-sentinel-solution-1password", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "CTERA", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "CTERA", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "CTERA_Workbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "d5d4766b-e547-44da-9d85-48ff393db201", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd5d4766b-e547-44da-9d85-48ff393db201')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d5d4766b-e547-44da-9d85-48ff393db201')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5d4766b-e547-44da-9d85-48ff393db201','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": 
"7a075edf-1cf2-4038-ba9c-c354db6409de", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a075edf-1cf2-4038-ba9c-c354db6409de')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a075edf-1cf2-4038-ba9c-c354db6409de')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a075edf-1cf2-4038-ba9c-c354db6409de','-', '1.0.0')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "23206903-0c36-4d68-ba4b-169c67355b53", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('23206903-0c36-4d68-ba4b-169c67355b53')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "26f7d89a-b7b7-47cb-ad11-281f66c17c3d", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('26f7d89a-b7b7-47cb-ad11-281f66c17c3d')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "694ce74e-968b-4ca0-ae24-53bcfd87bf0a", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('694ce74e-968b-4ca0-ae24-53bcfd87bf0a')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + 
"location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CTERA data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "additionalRequirementBanner": "None", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = 
extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, + { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ 
+ "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ], + "title": "Step 1: Connect CTERA Platform to Syslog" + }, + { + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." 
+ }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ], + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + 
"displayName": "CTERA Syslog", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules 
which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, 
+ { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ], + "title": "Step 1: 
Connect CTERA Platform to Syslog" + }, + { + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." + }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ], + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server" + } + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "None" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CTERA_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Welcome to your CTERA workbook. This area will display relevant graphs and metrics for the CTERA workspace.\\n\\n\\nWe've included relevant graphs of your SMB audit logs collected from the selected filers.\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where ProcessName == 'gw-audit'\\r\\n\\t| extend\\r\\n\\t TenantName = extract(\\\"(\\\\\\\"vportal\\\\\\\":\\\\\\\"[^\\\\\\\"]*\\\\\\\")\\\", 1, SyslogMessage),\\r\\n\\t UserName = extract(\\\"(user=[^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend Permission = extract(\\\"(op=[^|]*)\\\", 1, SyslogMessage)\\r\\n | where Permission matches regex @\\\"(?i).*denied.*\\\" or Permission == \\\"op=delete\\\" // Regex pattern to filter denied operations\\r\\n | summarize Count = count() by Permission\",\"size\":1,\"title\":\"Denied Operations and Deletions 
Count\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Permission\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1 (Denied Operations and Deletions Count)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where ProcessName == 'gw-audit'\\r\\n\\t| extend user = extract(\\\"user=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend operation = extract(\\\"op=([^|]*)\\\", 1, SyslogMessage)\\r\\n | where operation matches regex @\\\"(?i).*denied.*\\\"\\r\\n\\t| summarize operation_count=count() by bin(TimeGenerated, 1m), user\\r\\n\\t| project TimeGenerated, user, operation_count\\r\\n\",\"size\":0,\"title\":\"Denied Operations Count per User\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2 (Denied Operations per User)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where SyslogMessage contains \\\"ctera_audit\\\" and SyslogMessage contains \\\"op=delete\\\"\\r\\n\\t| extend user = extract(\\\"user=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend timestamp = extract(\\\"timestamp=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend TimeGenerated = todatetime(timestamp)\\r\\n\\t| summarize deletion_count = count() by bin(TimeGenerated, 1m), user\\r\\n\\t| where deletion_count > 1\\r\\n| project TimeGenerated, user, deletion_count\",\"size\":1,\"title\":\"Deleted Operations per 
User\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 3 (Deleted Operation)\"}],\"fromTemplateId\":\"2941ad84-e8df-4f19-b360-bae6cd104f2f\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=CTERA_Workbook; logoFileName=CTERA_Logo.svg; description=This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=CTERA Audit Logs Ingestion; templateRelativePath=CTERA_Workbook.json; provider=CTERA}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Syslog", + "kind": "DataType" + }, + { + "contentId": "CTERA", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RansomwareUserBlocked_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects malicious users blocked by CTERA Ransom Protect AI engine.", + "displayName": "Ransom Protect User Blocked", + "enabled": false, + "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked\"\n| extend \n Portal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\n EdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\n 
IP = extract(\"IP:([0-9.]+)\", 1, SyslogMessage),\n User = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\n BlockedTime = extract(\"at ([^ ]+)\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime\n", + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CTERA", + "dataTypes": [ + "Syslog" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "User", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IP", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "EdgeFiler": "EdgeFiler" + }, + "alertDetailsOverride": { + "alertnameFormat": "CTERA Ransom Protect User Blocked", + "alertDescriptionFormat": "CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}." 
+ }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "PT5H" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "CTERA Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Ransom Protect User Blocked", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RansomwareDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. 
Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time", + "displayName": "Ransom Protect Detected a Ransomware Attack", + "enabled": false, + "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n", + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CTERA", + "dataTypes": [ + "Syslog" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "EdgeFiler", + "identifier": "HostName" + } + ], + "entityType": "Host" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "EdgeFiler": "EdgeFiler" + }, + "alertDetailsOverride": { + "alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack.", + "alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}." 
+ }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "PT5H" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "CTERA Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Ransom Protect Detected a Ransomware Attack", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassDeletions_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass File Deletions Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Permission = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Permission == 'delete'\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects file deletions generated by the CTERA Edge Filer." 
+ }, + { + "name": "tactics", + "value": "Impact" + }, + { + "name": "techniques", + "value": "T1485" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass File Deletions Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" 
+ } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassAccessDenied_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass Access Denied Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Operation = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Operation in ('OpenDenied', 'createDenied', 'OpenDenied', 'setsd', 'AclDenied', 'chown', 'AclDenied', 'deleteDenied')\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": 
"description", + "value": "This query detects access denied events generated by the CTERA Edge Filer" + }, + { + "name": "tactics", + "value": "DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1562" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass Access Denied Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassPermissionChanges_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass Permission Change Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Operation = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded', 
'ACLProtectionDeleted', 'ACEChanged', 'setdacl')\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects permission changes generated by the CTERA Edge Filer." + }, + { + "name": "tactics", + "value": "PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1068" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass Permission Change Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "CTERA", + "publisherDisplayName": "CTERA", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 2, Hunting Queries: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "email": "support@ctera.com", + "tier": "Partner", + "link": "https://www.ctera.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" + } + ] + }, + "firstPublishDate": "2024-07-28", + "providers": [ + "CTERA Networks Ltd" + ], + "categories": { + "domains": [ + "Storage" + ] + } + }, + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/CTERA/Package/testParameters.json b/Solutions/CTERA/Package/testParameters.json
new file mode 100644
index 0000000000..f83f18fc3c
--- /dev/null
+++ b/Solutions/CTERA/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "CTERA Audit Logs Ingestion",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/CTERA/ReleaseNotes.md b/Solutions/CTERA/ReleaseNotes.md
new file mode 100644
index 0000000000..45d77687c1
--- /dev/null
+++ b/Solutions/CTERA/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 21-10-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/CTERA/SolutionMetadata.json b/Solutions/CTERA/SolutionMetadata.json
new file mode 100644
index 0000000000..7c48094a0b
--- /dev/null
+++ b/Solutions/CTERA/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "CTERA Networks Ltd",
+ "offerId": "microsoft-sentinel-solution-ctera",
+ "firstPublishDate": "2024-07-28",
+ "providers": ["CTERA Networks Ltd"],
+ "categories": {
+ "domains": ["Storage"],
+ "verticals": []
+ },
+ "support": {
+ "name": "CTERA",
+ "tier": "Partner",
+ "email": "support@ctera.com",
+ "link": "https://www.ctera.com/"
+ }
+}
diff --git a/Solutions/CTERA/Workbooks/CTERA_Workbook.json b/Solutions/CTERA/Workbooks/CTERA_Workbook.json
new file mode 100644
index 0000000000..f905e7eda5
--- /dev/null
+++ b/Solutions/CTERA/Workbooks/CTERA_Workbook.json
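Review bot: `"firstPublishDate": "2024-07-28"` does not agree with the ReleaseNotes.md table added in this same commit, which records the initial 3.0.0 release as 21-10-2024; the mainTemplate contentPackages resource repeats the 2024-07-28 value. Either the release-notes row or both `firstPublishDate` fields should be corrected so the dates a user sees in the content hub and in the release notes match. `"verticals": []` is presumably intentional; if the metadata schema allows the key to be omitted, dropping the empty array keeps the file minimal.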
@@ -0,0 +1,84 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "Welcome to your CTERA workbook. This area will display relevant graphs and metrics for the CTERA workspace.\n\n\nWe've included relevant graphs of your SMB audit logs collected from the selected filers."
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tSyslog\r\n\t| where ProcessName == 'gw-audit'\r\n\t| extend\r\n\t TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage),\r\n\t UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\r\n\t| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\r\n | where Permission matches regex @\"(?i).*denied.*\" or Permission == \"op=delete\" // Regex pattern to filter denied operations\r\n | summarize Count = count() by Permission",
+ "size": 1,
+ "title": "Denied Operations and Deletions Count",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "areachart",
+ "tileSettings": {
+ "showBorder": false,
+ "titleContent": {
+ "columnMatch": "Permission",
+ "formatter": 1
+ },
+ "leftContent": {
+ "columnMatch": "Count",
+ "formatter": 12,
+ "formatOptions": {
+ "palette": "auto"
+ },
+ "numberFormat": {
+ "unit": 17,
+ "options": {
+ "maximumSignificantDigits": 3,
+ "maximumFractionDigits": 2
+ }
+ }
+ }
+ }
+ },
+ "name": "query - 1 (Denied Operations and Deletions Count)"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tSyslog\r\n\t| where ProcessName == 'gw-audit'\r\n\t| extend user = extract(\"user=([^|]*)\", 1, SyslogMessage)\r\n\t| extend operation = extract(\"op=([^|]*)\", 1, SyslogMessage)\r\n | where operation matches regex @\"(?i).*denied.*\"\r\n\t| summarize operation_count=count() by bin(TimeGenerated, 1m), user\r\n\t| project TimeGenerated, user, operation_count\r\n",
+ "size": 0,
+ "title": "Denied 
Operations Count per User",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "linechart"
+ },
+ "name": "query - 2 (Denied Operations per User)"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "\tSyslog\r\n\t| where SyslogMessage contains \"ctera_audit\" and SyslogMessage contains \"op=delete\"\r\n\t| extend user = extract(\"user=([^|]*)\", 1, SyslogMessage)\r\n\t| extend timestamp = extract(\"timestamp=([^|]*)\", 1, SyslogMessage)\r\n\t| extend TimeGenerated = todatetime(timestamp)\r\n\t| summarize deletion_count = count() by bin(TimeGenerated, 1m), user\r\n\t| where deletion_count > 1\r\n| project TimeGenerated, user, deletion_count",
+ "size": 1,
+ "title": "Deleted Operations per User",
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "timechart"
+ },
+ "name": "query - 3 (Deleted Operation)"
+ }
+ ],
+ "fallbackResourceIds": [],
+ "fromTemplateId": "2941ad84-e8df-4f19-b360-bae6cd104f2f",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png
new file mode 100644
index 0000000000..f652810301
Binary files /dev/null and b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png differ
diff --git a/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png
new file mode 100644
index 0000000000..cf4c9ef91b
Binary files /dev/null and b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png differ
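Review bot: The third tile (`query - 3 (Deleted Operation)`) overwrites `TimeGenerated` with `todatetime(timestamp)` parsed from the message body, so any row whose `timestamp=` field is absent or unparseable bins on null and silently disappears from the chart, and rows from a filer with a skewed clock fall outside the selected time range; binning on a separate column, e.g. `| extend EventTime = todatetime(timestamp) | where isnotnull(EventTime) | summarize deletion_count = count() by bin(EventTime, 1m), user`, keeps the ingestion timestamp intact and makes the unparsed rows visible. The same query selects rows with `SyslogMessage contains "ctera_audit"` while tiles 1 and 2 use `ProcessName == 'gw-audit'`, so the three tiles may be counting different event populations; one selector should be used throughout. In tile 1 the `TenantName` and `UserName` columns are extracted but never referenced, and its regexes capture the whole `key=value` pair (`(user=[^|]*)`) rather than the value as the hunting queries in this commit do; removing the unused columns and capturing only the value would bring the workbook in line with the rest of the solution.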
diff --git a/Workbooks/Images/Logos/CTERA_Logo.svg b/Workbooks/Images/Logos/CTERA_Logo.svg new file mode 100644 index 0000000000..4217888dfc --- /dev/null +++ b/Workbooks/Images/Logos/CTERA_Logo.svg @@ -0,0 +1,228 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png b/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png new file mode 100644 index 0000000000..f652810301 Binary files /dev/null and b/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png differ diff --git a/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png b/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png new file mode 100644 index 0000000000..cf4c9ef91b Binary files /dev/null and b/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png differ diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 212b36b449..188453562c 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -8186,5 +8186,24 @@ "templateRelativePath": "TeamCymruScout.json", "subtitle": "", "provider": "Team Cymru" - } + }, + { + "workbookKey": "CTERA_Workbook", + "logoFileName": "CTERA_Logo.svg", + "description": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.", + "dataTypesDependencies": [ + "Syslog" + ], + "dataConnectorsDependencies": [ + "CTERA" + ], + "previewImagesFileNames": [ + "CTERASMBLogsWorkbookWhite.png", + "CTERASMBLogsWorkbookBlack.png" + ], + "version": "1.0.0", + "title": "CTERA Audit Logs Ingestion", + "templateRelativePath": "CTERA_Workbook.json", + "provider": "CTERA" + } ]
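Review bot: The new WorkbooksMetadata.json entry omits `"subtitle"`, while the preceding TeamCymruScout entry visible in the hunk carries `"subtitle": ""`; if the metadata validation or the gallery rendering expects the key to be present, add `"subtitle": "",` before `"provider": "CTERA"` so the entry matches its siblings. `"version": "1.0.0"` here is presumably the workbook's own version rather than the 3.0.0 solution version, which is consistent with the `workbookVersion1` dependency in mainTemplate, but I could not confirm that from this view.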