Azure · v-prasadboke · May 8, 2023 · May 8, 2023 · May 8, 2023 · May 22, 2023
@@ -0,0 +1,85 @@
+{
+    "name": "Nasuni",
+    "Properties": [
+        {
+            "Name": "access_point",
+            "Type": "String"
+        },
+        {
+            "Name": "Computer",
+            "Type": "String"
+        },
+        {
+            "Name": "domainName",
+            "Type": "String"
+        },
+        {
+            "Name": "directorypath",
+            "Type": "String"
+        },
+        {
+            "Name": "event_details",
+            "Type": "Dynamic"
+        },
+        {
+            "Name": "event_type",
+            "Type": "String"
+        },
+        {
+            "Name": "filename",
+            "Type": "String"
+        },
+        {
+            "Name": "HostName",
+            "Type": "String"
+        },
+        {
+            "Name": "ipaddr",
+            "Type": "String"
+        },
+        {
+            "Name": "new_path",
+            "Type": "String"
+        },
+        {
+            "Name": "path_parts",
+            "Type": "Dynamic"
+        },
+        {
+            "Name": "pattern",
+            "Type": "String"
+        },
+        {
+            "Name": "primary_group_name",
+            "Type": "String"
+        },
+        {
+            "Name": "sAMAccountName",
+            "Type": "String"
+        },
+        {
+            "Name": "sid",
+            "Type": "String"
+        },
+        {
+            "Name": "SyslogMessage",
+            "Type": "String"
+        },
+        {
+            "Name": "SyslogMessageJson",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "volume_guid",
+            "Type": "String"
+        },
+        {
+            "Name": "volume_name",
+            "Type":"String"
+        }
+    ]
+}
@@ -107,6 +107,7 @@
   "MicrosoftSysmonForLinux",
   "MicrosoftThreatProtection",
   "MorphisecUTPP",
+  "NasuniEdgeAppliance",
   "NXLogDnsLogs",
   "NXLogLinuxAudit",
   "Netskope",

@@ -0,0 +1,50 @@
+id: 6c8770fb-c854-403e-a64d-0293ba344d5f
+name: Ransomware Attack Detected
+description: 'Identifies ransomware attacks detected by the Ransomware Protection service running on a Nasuni Edge Appliance.'
+kind: Scheduled
+severity: High
+requiredDataConnectors:
+  - connectorID: NasuniEdgeAppliance
+    datatypes: 
+      - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+  - Impact
+relevantTechniques:
+  - T1486
+query: |-
+  Syslog
+  | project TimeGenerated, Computer, SyslogMessage
+  | where SyslogMessage has "The Filer has detected a new ransomware attack"
+  | extend pattern = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
+  | extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,". Visit") - (indexof(SyslogMessage, "volume")+7))
+  | sort by TimeGenerated desc
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertnameFormat: 'Nasuni: Ransomware Attack Detected'
+  alertDescriptionFormat: Ransomware attack detected by Nasuni at {{TimeGenerated}}.
+  alertDynamicProperties:
+  - alertProperty: RemediationSteps
+    value: SyslogMessage
+customDetails:
+  VolumeName: volume_name
+entityMappings:
+- entityType: Malware
+  fieldMappings:
+  - identifier: Name
+    columnName: pattern
+suppressionDuration: 5h
+suppressionEnabled: false
+version: 1.0.0
@@ -0,0 +1,48 @@
+id: 0c96a5a2-d60d-427d-8399-8df7fe8e6536
+name: Ransomware Client Blocked
+description: 'Identifies malicious clients blocked by the Ransomware Protection service running on a Nasuni Edge Appliance.'
+kind: Scheduled
+severity: High
+requiredDataConnectors:
+  - connectorID: NasuniEdgeAppliance
+    datatypes: 
+      - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+status: Available
+tactics:
+- Impact
+relevantTechniques:
+- T1486
+query: |-
+  Syslog
+  | project TimeGenerated, Computer, SyslogMessage
+  | where SyslogMessage has "The Filer has enforced the mitigation policy on volume"
+  | extend ipaddr = substring(SyslogMessage, indexof(SyslogMessage, "(")+1, indexof(SyslogMessage, ")") - indexof(SyslogMessage,"(")-1)
+  | extend volume_name = substring(SyslogMessage, indexof(SyslogMessage, "volume")+7, indexof(SyslogMessage,"and") - (indexof(SyslogMessage, "volume")+7))
+  | sort by TimeGenerated desc
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: 5h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertnameFormat: 'Nasuni: Ransomware Client Blocked'
+  alertDescriptionFormat: Nasuni has blocked a client involved in a ransomware attack from accessing a Nasuni Edge Appliance at {{TimeGenerated}}
+  alertDynamicProperties: []
+customDetails:
+  VolumeName: volume_name
+entityMappings:
+- entityType: IP
+  fieldMappings:
+  - identifier: Address
+    columnName: ipaddr
+suppressionDuration: 5h
+suppressionEnabled: false
+version: 1.0.0
@@ -0,0 +1,118 @@
+{
+    "id": "NasuniEdgeAppliance",
+    "title": "Nasuni Edge Appliance",
+    "publisher": "Nasuni",
+    "descriptionMarkdown": "The [Nasuni](https://www.nasuni.com/) connector allows you to easily connect your Nasuni Edge Appliance Notifications and file system audit logs with Microsoft Sentinel. This gives you more insight into activity within your Nasuni infrastructure and improves your security operation capabilities.",
+    "additionalRequirementBanner": "None",
+    "graphQueries": [
+        {
+            "metricName": "Total events received",
+            "legend": "Nasuni",
+            "baseQuery": "Nasuni"
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description": "Last 1000 generated events",
+            "query": "Syslog\n            | top 1000 by TimeGenerated"
+        },
+        {
+            "description": "All events by facility except for cron",
+            "query": "Syslog\n            | summarize count() by Facility | where Facility != \"cron\""
+        }
+    ],
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "Syslog\n   | where TimeGenerated > ago(3d)\n       |take 1\n       | project IsConnected = true"
+            ]
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "Syslog",
+            "lastDataReceivedQuery": "Syslog\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": false
+    },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "write permission is required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "delete": true
+                }
+            }
+        ]
+    },
+    "customers": [
+        {
+            "name": "Nasuni Edge Appliances",
+            "description": "must be configured to export events via Syslog"
+        }
+    ],
+    "instructionSteps": [
+        {
+            "title": "1. Install and onboard the agent for Linux",
+            "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n>  Syslog logs are collected only from **Linux** agents.",
+            "instructions": [
+                {
+                    "parameters": {
+                        "title": "Choose where to install the agent:",
+                        "instructionSteps": [
+                            {
+                                "title": "Install agent on Azure Linux Virtual Machine",
+                                "description": "Select the machine to install the agent on and then click **Connect**.",
+                                "instructions": [
+                                    {
+                                        "parameters": {
+                                            "linkType": "InstallAgentOnLinuxVirtualMachine"
+                                        },
+                                        "type": "InstallAgent"
+                                    }
+                                ]
+                            },
+                            {
+                                "title": "Install agent on a non-Azure Linux Machine",
+                                "description": "Download the agent on the relevant machine and follow the instructions.",
+                                "instructions": [
+                                    {
+                                        "parameters": {
+                                            "linkType": "InstallAgentOnLinuxNonAzure"
+                                        },
+                                        "type": "InstallAgent"
+                                    }
+                                ]
+                            }
+                        ]
+                    },
+                    "type": "InstructionStepsGroup"
+                }
+            ]
+        },
+        {
+            "title": "2. Configure the logs to be collected",
+            "description": "Follow the configuration steps below to configure your Linux machine to send Nasuni event information to Microsoft Sentinel. Refer to the [Azure Monitor Agent documenation](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview) for additional details on these steps.\nConfigure the facilities you want to collect and their severities.\n1. Select the link below to open your workspace agents configuration, and select the Syslog tab.\n2. Select Add facility and choose from the drop-down list of facilities. Repeat for all the facilities you want to add.\n3. Mark the check boxes for the desired severities for each facility.\n4. Click Apply.\n",
+            "instructions": [
+                {
+                    "parameters": {
+                        "linkType": "OpenSyslogSettings"
+                    },
+                    "type": "InstallAgent"
+                }
+            ]
+        },
+        {
+            "title": "3. Configure Nasuni Edge Appliance settings",
+            "description": "Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings."
+        }
+    ]
+}
@@ -0,0 +1,33 @@
+{
+    "Name": "Nasuni",
+    "Author": "Nasuni - [email protected]",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Nasuni/Data%20Connectors/Logo/Nasuni.svg\" width=\"75px\" height=\"75px\">",
+    "Description": "The [Nasuni](https://www.nasuni.com) solution for Microsoft Sentinel allows you to analyze Nasuni audit events and Notifications collected via Syslog. It includes analytics rules to automatically generate Incidents when a ransomware attack is detected and perform appropriate entity mapping.",
+    "WorkbookDescription": [],
+    "Workbooks": [],
+    "WorkbookBladeDescription": [],
+    "AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view.",
+    "HuntingQueryBladeDescription": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view.",
+    "PlaybooksBladeDescription": [],
+    "Analytic Rules": [
+      "/Nasuni/Analytic Rules/RansomwareClientBlocked.yaml",
+      "/Nasuni/Analytic Rules/RansomwareAttackDetected.yaml"
+    ],
+    "Playbooks": [],
+    "PlaybookDescription": [],
+    "Parsers": [],
+    "SavedSearches": [],
+    "Hunting Queries": [
+      "/Nasuni/Hunting Queries/FileDeleteEvents.yaml"
+    ],
+    "Data Connectors": [
+      "/Nasuni/Data Connectors/Nasuni Data Connector.json"
+    ],
+    "Watchlists": [],
+    "WatchlistDescription": [],
+    "BasePath": "C:/NasuniLabs/Azure-Sentinel/Solutions",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false
+  }