diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Nasuni.json b/.script/tests/KqlvalidationsTests/CustomTables/Nasuni.json
new file mode 100644
index 0000000000..62638eb16d
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/Nasuni.json
@@ -0,0 +1,85 @@
+{
+ "name": "Nasuni",
+ "Properties": [
+ {
+ "Name": "access_point",
+ "Type": "String"
+ },
+ {
+ "Name": "Computer",
+ "Type": "String"
+ },
+ {
+ "Name": "domainName",
+ "Type": "String"
+ },
+ {
+ "Name": "directorypath",
+ "Type": "String"
+ },
+ {
+ "Name": "event_details",
+ "Type": "Dynamic"
+ },
+ {
+ "Name": "event_type",
+ "Type": "String"
+ },
+ {
+ "Name": "filename",
+ "Type": "String"
+ },
+ {
+ "Name": "HostName",
+ "Type": "String"
+ },
+ {
+ "Name": "ipaddr",
+ "Type": "String"
+ },
+ {
+ "Name": "new_path",
+ "Type": "String"
+ },
+ {
+ "Name": "path_parts",
+ "Type": "Dynamic"
+ },
+ {
+ "Name": "pattern",
+ "Type": "String"
+ },
+ {
+ "Name": "primary_group_name",
+ "Type": "String"
+ },
+ {
+ "Name": "sAMAccountName",
+ "Type": "String"
+ },
+ {
+ "Name": "sid",
+ "Type": "String"
+ },
+ {
+ "Name": "SyslogMessage",
+ "Type": "String"
+ },
+ {
+ "Name": "SyslogMessageJson",
+ "Type": "String"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "DateTime"
+ },
+ {
+ "Name": "volume_guid",
+ "Type": "String"
+ },
+ {
+ "Name": "volume_name",
+ "Type":"String"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 71ae987ac0..155f75715d 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -107,6 +107,7 @@
 "MicrosoftSysmonForLinux",
 "MicrosoftThreatProtection",
 "MorphisecUTPP",
+ "NasuniEdgeAppliance",
 "NXLogDnsLogs",
 "NXLogLinuxAudit",
 "Netskope",
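Review bot: The `Nasuni` custom-table fixture declares columns such as `event_details`, `path_parts`, `SyslogMessageJson` and `sAMAccountName` that the solution only derives with `extend`/`project` from `Syslog`, and nothing in this change writes a `Nasuni` table (the solution's `Parsers` list is empty), so the fixture lets the KQL validator accept any future `Nasuni | …` query that would fail in a real workspace. If the fixture exists solely so validation can resolve those derived names, say so in the PR description or the fixture directory's README, since strict JSON cannot carry a comment. It is also worth checking whether the connector's `graphQueries.baseQuery: "Nasuni"` was meant to be `Syslog`, given that this fixture is the only place a `Nasuni` table exists.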
diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
new file mode 100644
index 0000000000..198e093a4b
--- /dev/null
+++ b/Solutions/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml
@@ -0,0 +1,50 @@
+id: 6c8770fb-c854-403e-a64d-0293ba344d5f
+name: Ransomware Attack Detected
+description: 'Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance.'
+kind: Scheduled
+severity: High
+requiredDataConnectors:
+ - connectorID: NasuniEdgeAppliance
+ datatypes:
+ - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+ - Impact
+relevantTechniques:
+ - T1486
+query: |-
+ Syslog
+ | project TimeGenerated, Computer, SyslogMessage
+ | where SyslogMessage has "The Filer has detected a new ransomware attack"
+ | extend pattern = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
+ | extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,". Visit") - (indexof(SyslogMessage, "volume")+7))
+ | sort by TimeGenerated desc
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+alertDetailsOverride:
+ alertnameFormat: 'Nasuni: Ransomware Attack Detected'
+ alertDescriptionFormat: Ransomware attack detected by Nasuni at {{TimeGenerated}}.
+ alertDynamicProperties:
+ - alertProperty: RemediationSteps
+ value: SyslogMessage
+customDetails:
+ VolumeName: volume_name
+entityMappings:
+- entityType: Malware
+ fieldMappings:
+ - identifier: Name
+ columnName: pattern
+suppressionDuration: 5h
+suppressionEnabled: false
+version: 1.0.0
\ No newline at end of file
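Review bot: The detection trusts message text alone — `SyslogMessage has "The Filer has detected a new ransomware attack"` with no restriction on the sending host or process — and then copies the raw `SyslogMessage` into `RemediationSteps` through `alertDynamicProperties`, so anything able to write to the syslog collector can both raise a High-severity incident and place attacker-chosen text in the analyst's remediation guidance; either scope the query to the Nasuni appliance hosts via `Computer`/`HostName`, or drop the dynamic property and keep the message in `customDetails` where it is displayed as data rather than instructions. The `pattern` extraction slices on the first `(`/`)` pair with `indexof`, which returns -1 when either is absent and yields an empty or mis-sliced value that is then mapped as a Malware entity; `| extend pattern = extract(@"\(([^)]+)\)", 1, SyslogMessage)` and `| extend volume_name = extract(@"volume (.+?)\. Visit", 1, SyslogMessage)` followed by `| where isnotempty(pattern)` are safer, assuming the message keeps the `(<pattern>) … volume <name>. Visit` layout the current code implies. This file also spells the key `connectorID` while the hunting query in the same commit uses `connectorId`; check which spelling the template schema validator expects and use it in all three content files.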
diff --git a/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
new file mode 100644
index 0000000000..dbf45ebd69
--- /dev/null
+++ b/Solutions/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml
@@ -0,0 +1,48 @@
+id: 0c96a5a2-d60d-427d-8399-8df7fe8e6536
+name: Ransomware Client Blocked
+description: 'Identifies malicious clients blocked by the Ransomware Protection service running on a Nasuni Edge Appliance.'
+kind: Scheduled
+severity: High
+requiredDataConnectors:
+ - connectorID: NasuniEdgeAppliance
+ datatypes:
+ - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+- Impact
+relevantTechniques:
+- T1486
+query: |-
+ Syslog
+ | project TimeGenerated, Computer, SyslogMessage
+ | where SyslogMessage has "The Filer has enforced the mitigation policy on volume"
+ | extend ipaddr = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
+ | extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,"and") - (indexof(SyslogMessage, "volume")+7))
+ | sort by TimeGenerated desc
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+alertDetailsOverride:
+ alertnameFormat: 'Nasuni: Ransomware Client Blocked'
+ alertDescriptionFormat: Nasuni has blocked a client involved in a ransomware attack from accessing a Nasuni Edge Appliance at {{TimeGenerated}}
+ alertDynamicProperties: []
+customDetails:
+ VolumeName: volume_name
+entityMappings:
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ipaddr
+suppressionDuration: 5h
+suppressionEnabled: false
+version: 1.0.0
\ No newline at end of file
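Review bot: `indexof(SyslogMessage,"and")` returns the first `and` anywhere in the message, so a volume whose name contains that word truncates `volume_name`, and a missing `(`/`)` pair makes the `ipaddr` substring empty or mis-sliced before it is mapped as the IP entity. Anchored extraction is more robust: `| extend ipaddr = extract(@"\((\d{1,3}(?:\.\d{1,3}){3})\)", 1, SyslogMessage)`, `| extend volume_name = extract(@"on volume (.+?) and ", 1, SyslogMessage)` and `| where isnotempty(ipaddr)` — this assumes the message reads `… on volume <name> and …` and that the parenthesised token is an IPv4 address, which should be confirmed against the appliance's real output. The packaged `mainTemplate.json` in this same commit carries `"suppressionDuration": "PT1H"` for this rule while this YAML says `5h`, which suggests the package was built from a different revision; rebuild the package from the reviewed YAML so what ships is what was reviewed. As with the sibling rule, the match is on message text alone with no source restriction, so any host that can reach the syslog collector can raise a High-severity incident; scope on `Computer`/`HostName` if the collector accepts more than the Nasuni appliances.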
diff --git a/Solutions/Nasuni/Data Connectors/Logo/Nasuni.svg b/Solutions/Nasuni/Data Connectors/Logo/Nasuni.svg new file mode 100644 index 0000000000..1db9bb11dd --- /dev/null +++ b/Solutions/Nasuni/Data Connectors/Logo/Nasuni.svg @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Solutions/Nasuni/Data Connectors/Nasuni Data Connector.json b/Solutions/Nasuni/Data Connectors/Nasuni Data Connector.json new file mode 100644 index 0000000000..12580ca55a --- /dev/null +++ b/Solutions/Nasuni/Data Connectors/Nasuni Data Connector.json 
@@ -0,0 +1,118 @@ +{ + "id": "NasuniEdgeAppliance", + "title": "Nasuni Edge Appliance", + "publisher": "Nasuni", + "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.", + "additionalRequirementBanner": "None", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "Nasuni", + "baseQuery": "Nasuni" + } + ], + "sampleQueries": [ + { + "description": "Last 1000 generated events", + "query": "Syslog\n | top 1000 by TimeGenerated" + }, + { + "description": "All events by facility except for cron", + "query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\"" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "customers": [ + { + "name": "Nasuni Edge Appliances", + "description": "must be configured to export events via Syslog" + } + ], + "instructionSteps": [ + { + "title": "1. 
Install and onboard the agent for Linux", + "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", + "instructions": [ + { + "parameters": { + "title": "Choose where to install the agent:", + "instructionSteps": [ + { + "title": "Install agent on Azure Linux Virtual Machine", + "description": "Select the machine to install the agent on and then click **Connect**.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxVirtualMachine" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "Install agent on a non-Azure Linux Machine", + "description": "Download the agent on the relevant machine and follow the instructions.", + "instructions": [ + { + "parameters": { + "linkType": "InstallAgentOnLinuxNonAzure" + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. Configure the logs to be collected", + "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n", + "instructions": [ + { + "parameters": { + "linkType": "OpenSyslogSettings" + }, + "type": "InstallAgent" + } + ] + }, + { + "title": "3. 
Configure Nasuni Edge Appliance settings", + "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings." + } + ] +} diff --git a/Solutions/Nasuni/Data/Solution_Nasuni.json b/Solutions/Nasuni/Data/Solution_Nasuni.json new file mode 100644 index 0000000000..730fecf2e4 --- /dev/null +++ b/Solutions/Nasuni/Data/Solution_Nasuni.json 
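Review bot: `connectivityCriterias` and `lastDataReceivedQuery` test the generic `Syslog` table, so the connector reports connected and recent data whenever any Linux agent in the workspace forwards syslog even with no Nasuni appliance configured, while `graphQueries.baseQuery` queries a `Nasuni` table that nothing in this solution populates (`Parsers` is empty), so the events graph will be empty or error. Scope all three to Nasuni events with the same predicate the analytic rules use, e.g. `Syslog\n | where SyslogMessage has \"The Filer\"\n | where TimeGenerated > ago(3d)\n | take 1\n | project IsConnected = true`, adjusting the predicate to whatever the appliance reliably emits. Step 3 says nothing about transport; because the shipped rules trust message text alone, the instructions should recommend syslog over TCP/TLS where the appliance supports it and restricting the collector's listener to the appliance addresses, so forged events cannot raise incidents. The Management Console link is a `view.highspot.com` share URL rather than vendor documentation; such links expire and cannot be vetted, so a stable Nasuni documentation URL is preferable.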
@@ -0,0 +1,33 @@
+{
+ "Name": "Nasuni",
+ "Author": "Nasuni - support@nasuni.com",
+ "Logo": "",
+ "Description": "The [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.",
+ "WorkbookDescription": [],
+ "Workbooks": [],
+ "WorkbookBladeDescription": [],
+ "AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view.",
+ "HuntingQueryBladeDescription": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view.",
+ "PlaybooksBladeDescription": [],
+ "Analytic Rules": [
+ "/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml",
+ "/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml"
+ ],
+ "Playbooks": [],
+ "PlaybookDescription": [],
+ "Parsers": [],
+ "SavedSearches": [],
+ "Hunting Queries": [
+ "/Nasuni/Hunting Queries/FileDeleteEvents.yaml"
+ ],
+ "Data Connectors": [
+ "/Nasuni/Data Connectors/Nasuni Data Connector.json"
+ ],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "C:/NasuniLabs/Azure-Sentinel/Solutions",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+ }
\ No newline at end of file
diff --git a/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml b/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml
new file mode 100644
index 0000000000..21cb7189ca
--- /dev/null
+++ b/Solutions/Nasuni/Hunting Queries/FileDeleteEvents.yaml
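Review bot: `"Logo": ""` leaves the solution without a logo even though this commit adds `Solutions/Nasuni/Data Connectors/Logo/Nasuni.svg`; reference that file in whatever form the packaging tool expects for the logo field. `"BasePath": "C:/NasuniLabs/Azure-Sentinel/Solutions"` is a developer-workstation path, so re-running the packaging tool from any other checkout cannot resolve the content paths listed above it; if the tool reads this field, use the repository-relative or shared base that neighbouring `Solution_*.json` files use (verify against one of them). A stale package is already visible in this commit — the packaged rules carry a different `suppressionDuration` than the YAML — which is the kind of drift a reproducible `BasePath` helps prevent.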
@@ -0,0 +1,59 @@
+id: 64a3477e-d06f-4491-86a5-6f99702e267f
+name: Nasuni File Delete Activity
+description: |
+ 'This query looks for file delete audit events generated by a Nasuni Edge Appliance.'
+requiredDataConnectors:
+ - connectorId: Syslog
+ dataTypes:
+ - Syslog
+tactics:
+ - Impact
+relevantTechniques:
+ - T1485
+query: |
+ Syslog
+ | where SyslogMessage matches regex "(nasuni.)([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{1})"
+ | extend SyslogMessageJson = extract('{(.*?)}', 0, SyslogMessage)
+ | extend event_details = parse_json(SyslogMessageJson)
+ | extend path_parts = parse_path(tostring(event_details.path))
+ | where event_details.event_type == "AUDIT_UNLINK"
+ | project
+ TimeGenerated
+ ,HostName
+ ,event_type = event_details.event_type
+ ,sAMAccountName = trim(@"(?s)^.*\\\s*", tostring(event_details.username))
+ ,domainName = trim_end(@"[\\]\S*", tostring(event_details.username))
+ ,filename = path_parts.Filename
+ ,directorypath = path_parts.DirectoryPath
+ ,ipaddr = event_details.ipaddr
+ ,sid = event_details.sid
+ ,volume_guid = event_details.volume
+ ,access_point = event_details.resource
+ ,primary_group_name = trim(@"(?s)^.*\\\s*", tostring(event_details.groupname))
+ ,new_path = event_details.newpath
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: ipaddr
+ - entityType: Account
+ fieldMappings:
+ - identifier: Sid
+ columnName: sid
+ - identifier: Name
+ columnName: sAMAccountName
+ - identifier: NTDomain
+ columnName: domainName
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: HostName
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: filename
+ - identifier: Directory
+ columnName: directorypath
+version: 1.0.0
+
+
\ No newline at end of file
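Review bot: The gating regex `(nasuni.)([0-9A-Za-z]{8}-…-[0-9A-Za-z]{1})` is looser than it reads: the unescaped `.` matches any character and the final group matches one character instead of the twelve of a GUID, so unrelated syslog lines can pass into `parse_json`. If the identifier is a GUID, `| where SyslogMessage matches regex @"nasuni\.[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}"` is the intended check. `extract('{(.*?)}', 0, SyslogMessage)` is non-greedy and stops at the first `}`, so an event whose JSON contains any nested object is truncated, `parse_json` yields null and every projected field is silently empty; `| extend SyslogMessageJson = extract(@"\{.*\}", 0, SyslogMessage)` takes the whole object when the message ends with the JSON payload — confirm the appliance's format before switching. `requiredDataConnectors` names `connectorId: Syslog` whereas the two analytic rules name `connectorID: NasuniEdgeAppliance`; pick one connector id and one key spelling for the solution.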
diff --git a/Solutions/Nasuni/Package/3.0.0.zip b/Solutions/Nasuni/Package/3.0.0.zip new file mode 100644 index 0000000000..8a2977ee73 Binary files /dev/null and b/Solutions/Nasuni/Package/3.0.0.zip differ diff --git a/Solutions/Nasuni/Package/createUiDefinition.json b/Solutions/Nasuni/Package/createUiDefinition.json new file mode 100644 index 0000000000..8c1847aac3 --- /dev/null +++ b/Solutions/Nasuni/Package/createUiDefinition.json 
@@ -0,0 +1,179 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.\n\n**Data Connectors:** 1, **Analytic Rules:** 2, **Hunting Queries:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group 
selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Nasuni. You can get Nasuni Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Ransomware Client Blocked", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies malicious clients blocked by the Ransomware Protection service running on a Nasuni Edge Appliance." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Ransomware Attack Detected", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view." + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Nasuni File Delete Activity", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query looks for file delete audit events generated by a Nasuni Edge Appliance. 
This hunting query depends on Syslog data connector (Syslog Parser or Table)" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Nasuni/Package/mainTemplate.json b/Solutions/Nasuni/Package/mainTemplate.json new file mode 100644 index 0000000000..f978b9ed7d --- /dev/null +++ b/Solutions/Nasuni/Package/mainTemplate.json 
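Review bot: `resourceProviders` asks installers to register `Microsoft.Logic/workflows` and `Microsoft.Insights/workbooks`, yet the solution declares no playbooks or workbooks (`Playbooks: []`, `Workbooks: []` in `Solution_Nasuni.json`), so providers the solution never uses get registered in the target subscription. If the packaging tool emits this list verbatim it can stay, but otherwise trim it to `Microsoft.OperationsManagement/solutions` and `Microsoft.OperationalInsights/workspaces/providers/alertRules`. The `huntingquery1-text` block also states that the query depends on the `Syslog` data connector, while the analytic rules in this commit require `NasuniEdgeAppliance`; align the wording with whichever connector id the YAML files settle on.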
@@ -0,0 +1,808 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Nasuni - support@nasuni.com", + "comments": "Solution template for Nasuni" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "email": "support@nasuni.com", + "_email": "[variables('email')]", + "_solutionName": "Nasuni", + "_solutionVersion": "3.0.0", + "solutionId": "nasuni.azure-sentinel-solution-nasuni", + "_solutionId": "[variables('solutionId')]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "0c96a5a2-d60d-427d-8399-8df7fe8e6536", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + 
"analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "6c8770fb-c854-403e-a64d-0293ba344d5f", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))),variables('analyticRuleVersion2')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "huntingQueryVersion1": "1.0.0", + "huntingQuerycontentId1": "64a3477e-d06f-4491-86a5-6f99702e267f", + "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", + "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))),variables('huntingQueryVersion1')))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", + "uiConfigId1": "NasuniEdgeAppliance", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "NasuniEdgeAppliance", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": 
"[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RansomwareClientBlocked_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies malicious clients blocked by the Ransomware Protection service running on a Nasuni Edge Appliance.", + "displayName": "Ransomware Client 
Blocked", + "enabled": false, + "query": "Syslog\n| project TimeGenerated, Computer, SyslogMessage\n| where SyslogMessage has \"The Filer has enforced the mitigation policy on volume\"\n| extend ipaddr = substring(SyslogMessage, indexof(SyslogMessage, \"(\")+1, indexof(SyslogMessage, \")\") - indexof(SyslogMessage,\"(\")-1)\n| extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, \"volume\")+7, indexof(SyslogMessage,\"and\") - (indexof(SyslogMessage, \"volume\")+7))\n| sort by TimeGenerated desc", + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "datatypes": [ + "Syslog" + ], + "connectorID": "NasuniEdgeAppliance" + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ipaddr", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "VolumeName": "volume_name" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Nasuni has blocked a client involved in a ransomware attack from accessing a Nasuni Edge Appliance at {{TimeGenerated}}", + "alertDynamicProperties": [], + "alertnameFormat": "Nasuni: Ransomware Client Blocked" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "lookbackDuration": "5h", + "reopenClosedIncident": false, + "matchingMethod": "AllEntities", + "enabled": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "Nasuni Analytics 
Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Ransomware Client Blocked",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "RansomwareAttackDetected_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance.",
+ "displayName": "Ransomware Attack Detected",
+ "enabled": false,
+ "query": "Syslog\n| project TimeGenerated, Computer, SyslogMessage\n| where SyslogMessage has \"The Filer has detected a new ransomware attack\"\n| extend pattern = substring(SyslogMessage, indexof(SyslogMessage, \"(\")+1, indexof(SyslogMessage, \")\") - indexof(SyslogMessage,\"(\")-1)\n| extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, \"volume\")+7, indexof(SyslogMessage,\". Visit\") - (indexof(SyslogMessage, \"volume\")+7))\n| sort by TimeGenerated desc",
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "datatypes": [
+ "Syslog"
+ ],
+ "connectorID": "NasuniEdgeAppliance"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1486"
+ ],
+ "entityMappings": [
+ {
+ "entityType": "Malware",
+ "fieldMappings": [
+ {
+ "columnName": "pattern",
+ "identifier": "Name"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "VolumeName": "volume_name"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Ransomware attack detected by Nasuni at {{TimeGenerated}}.",
+ "alertDynamicProperties": [
+ {
+ "value": "SyslogMessage",
+ "alertProperty": "RemediationSteps"
+ }
+ ],
+ "alertnameFormat": "Nasuni: Ransomware Attack Detected"
+ },
+ "incidentConfiguration": {
+ "groupingConfiguration": {
+ "lookbackDuration": "5h",
+ "reopenClosedIncident": false,
+ "matchingMethod": "AllEntities",
+ "enabled": false
+ },
+ "createIncident": true
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "properties": {
+ "description": "Nasuni Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Ransomware Attack Detected",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "FileDeleteEvents_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Nasuni_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Nasuni File Delete Activity",
+ "category": "Hunting Queries",
+ "query": "Syslog \n| where SyslogMessage matches regex \"(nasuni.)([0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{1})\"\n| extend SyslogMessageJson = extract('{(.*?)}', 0, SyslogMessage)\n| extend event_details = parse_json(SyslogMessageJson)\n| extend path_parts = parse_path(tostring(event_details.path))\n| where event_details.event_type == \"AUDIT_UNLINK\"\n| project\n TimeGenerated\n ,HostName\n ,event_type = event_details.event_type\n ,sAMAccountName = trim(@\"(?s)^.*\\\\\\s*\", tostring(event_details.username))\n ,domainName = trim_end(@\"[\\\\]\\S*\", tostring(event_details.username))\n ,filename = path_parts.Filename\n ,directorypath = path_parts.DirectoryPath\n ,ipaddr = event_details.ipaddr\n ,sid = event_details.sid\n ,volume_guid = event_details.volume\n ,access_point = event_details.resource\n ,primary_group_name = trim(@\"(?s)^.*\\\\\\s*\", tostring(event_details.groupname))\n ,new_path = event_details.newpath\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "This query looks for file delete audit events generated by a Nasuni Edge Appliance."
+ },
+ {
+ "name": "tactics",
+ "value": "Impact"
+ },
+ {
+ "name": "techniques",
+ "value": "T1485"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "Nasuni Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Nasuni File Delete Activity",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "Nasuni data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "Nasuni Edge Appliance",
+ "publisher": "Nasuni",
+ "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.",
+ "additionalRequirementBanner": "None",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Nasuni",
+ "baseQuery": "Nasuni"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last 1000 generated events",
+ "query": "Syslog\n | top 1000 by TimeGenerated"
+ },
+ {
+ "description": "All events by facility except for cron",
+ "query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\""
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true"
+ ]
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Syslog",
+ "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "write permission is required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "delete": true
+ }
+ }
+ ]
+ },
+ "customers": [
+ {
+ "name": "Nasuni Edge Appliances",
+ "description": "must be configured to export events via Syslog"
+ }
+ ],
+ "instructionSteps": [
+ {
+ "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Choose where to install the agent:",
+ "instructionSteps": [
+ {
+ "title": "Install agent on Azure Linux Virtual Machine",
+ "description": "Select the machine to install the agent on and then click **Connect**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxVirtualMachine"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ },
+ {
+ "title": "Install agent on a non-Azure Linux Machine",
+ "description": "Download the agent on the relevant machine and follow the instructions.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Install and onboard the agent for Linux"
+ },
+ {
+ "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ],
+ "title": "2. Configure the logs to be collected"
+ },
+ {
+ "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.",
+ "title": "3. Configure Nasuni Edge Appliance settings"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "Nasuni Edge Appliance",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId1')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "Nasuni Edge Appliance",
+ "publisher": "Nasuni",
+ "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "Nasuni",
+ "baseQuery": "Nasuni"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "Syslog",
+ "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Last 1000 generated events",
+ "query": "Syslog\n | top 1000 by TimeGenerated"
+ },
+ {
+ "description": "All events by facility except for cron",
+ "query": "Syslog\n | summarize count() by Facility | where Facility != \"cron\""
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "write permission is required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "delete": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "Choose where to install the agent:",
+ "instructionSteps": [
+ {
+ "title": "Install agent on Azure Linux Virtual Machine",
+ "description": "Select the machine to install the agent on and then click **Connect**.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxVirtualMachine"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ },
+ {
+ "title": "Install agent on a non-Azure Linux Machine",
+ "description": "Download the agent on the relevant machine and follow the instructions.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "InstallAgentOnLinuxNonAzure"
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ],
+ "title": "1. Install and onboard the agent for Linux"
+ },
+ {
+ "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenSyslogSettings"
+ },
+ "type": "InstallAgent"
+ }
+ ],
+ "title": "2. Configure the logs to be collected"
+ },
+ {
+ "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.",
+ "title": "3. Configure Nasuni Edge Appliance settings"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]",
+ "additionalRequirementBanner": "None"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Nasuni",
+ "publisherDisplayName": "Nasuni",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Nasuni solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.

\n

Data Connectors: 1, Analytic Rules: 2, Hunting Queries: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Nasuni",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Nasuni",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "HuntingQuery",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-07-07",
+ "lastPublishDate": "2023-07-07",
+ "providers": [
+ "Nasuni"
+ ],
+ "categories": {
+ "domains": [
+ "Storage"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/Nasuni/SolutionMetadata.json b/Solutions/Nasuni/SolutionMetadata.json
new file mode 100644
index 0000000000..e298312a5e
--- /dev/null
+++ b/Solutions/Nasuni/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "nasuni",
+ "offerId": "azure-sentinel-solution-nasuni",
+ "firstPublishDate": "2023-07-07",
+ "lastPublishDate": "2023-07-07",
+ "providers": ["Nasuni"],
+ "categories": {
+ "domains" : ["Storage"],
+ "verticals": []
+ },
+ "support": {
+ "name": "Nasuni",
+ "tier": "Nasuni Labs",
+ "link": "https://github.com/nasuni-labs/Azure-Sentinel"
+ }
+}
\ No newline at end of file
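Review bot: The `"domains" : ["Storage"]` entry inside `categories` is the only key in this file written with a space before the colon; every other property uses `"key": value`, so it should read `"domains": ["Storage"],` for a uniform layout. The hunk also ends with `\ No newline at end of file`; terminating the file with a newline keeps it consistent with line-oriented diff and lint tooling. Both points are cosmetic and do not change how the metadata is parsed.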