forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathBeyond Security beSECURE.json
159 lines (157 loc) · 5.75 KB
/
Beyond Security beSECURE.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
{
"id": "BeyondSecuritybeSECURE",
"title": "Beyond Security beSECURE",
"publisher": "Beyond Security",
"descriptionMarkdown":
"The [Beyond Security beSECURE](https://beyondsecurity.com/) connector allows you to easily connect your Beyond Security beSECURE scan events, scan results and audit trail with Azure Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Beyond Security beSECURE Scan Event",
"baseQuery": "beSECURE_ScanEvent_CL"
},
{
"metricName": "Total data received",
"legend": "Beyond Security beSECURE Scan Results",
"baseQuery": "beSECURE_ScanResults_CL"
},
{
"metricName": "Total data received",
"legend": "Beyond Security beSECURE Audit",
"baseQuery": "beSECURE_Audit_CL"
}
],
"sampleQueries": [
{
"description" : "CVSS Score Aggregated",
"query": "beSECURE_ScanResults_CL | summarize count() by cvss_score_s"
},
{
"description" : "Risk Aggregated",
"query": "beSECURE_ScanResults_CL | summarize count() by risk_name_s"
},
{
"description": "Host Risk Aggregated",
"query": "beSECURE_ScanResults_CL | summarize count() by destination_host_s, risk_name_s"
},
{
"description" : "Top 10 most vulnerable Hosts",
"query": "beSECURE_ScanResults_CL | \n where (risk_value_s == 8 or risk_value_s == 4) | \n summarize count() by destination_host_s, risk_value_s | \n order by risk_value_s, count_ | \n limit 10"
},
{
"description" : "Failed login",
"query": "beSECURE_Audit_CL | \n where audit_event_s == 'Login failed' "
},
{
"description": "Completed Scans",
"query" : "beSECURE_ScanEvent_CL | \n where scan_event_s == 'Scan Complete' | \n summarize count()"
}
,
{
"description": "Failed to Complete Scans",
"query" : "beSECURE_ScanEvent_CL | \n where scan_event_s == 'Scan Failed' | \n summarize count()"
}
],
"dataTypes": [
{
"name": "beSECURE_ScanResults_CL",
"lastDataReceivedQuery": "beSECURE_ScanResults_CL \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "beSECURE_ScanEvent_CL",
"lastDataReceivedQuery": "beSECURE_ScanEvent_CL \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "beSECURE_Audit_CL",
"lastDataReceivedQuery": "beSECURE_Audit_CL \n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"beSECURE_ScanEvent_CL \n | summarize LastLogReceived = max(TimeGenerated) \n | project IsConnected = LastLogReceived > ago(30d)",
"beSECURE_ScanResults_CL \n | summarize LastLogReceived = max(TimeGenerated) \n | project IsConnected = LastLogReceived > ago(30d)",
"beSECURE_Audit_CL \n | summarize LastLogReceived = max(TimeGenerated) \n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "Configure beSECURE",
"description" : "Follow the steps below to configure your beSECURE solution to send out scan results, scan status and audit trail to Azure Sentinel.",
"innerSteps" : [
{
"title": "1. Access the Integration menu",
"description": "1.1 Click on the 'More' menu option\n\n1.2 Select Server\n\n1.3 Select Integration\n\n1.4 Enable Azure Sentinel"
},
{ "title": "2. Provide Azure Sentinel settings",
"description" : "Fill in the Workspace ID and Primary Key values, click 'Modify'",
"instructions": [ {
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
]
}
],
"metadata": {
"id": "3be993d4-3aa7-41de-8280-e62de7859eca",
"version": "1.0.0",
"kind": "dataConnector",
"source": {
"kind": "community"
},
"author": {
"name": "Beyond Security"
},
"support": {
"name": "Beyond Security",
"link": "https://beyondsecurity.freshdesk.com/support/home",
"tier": "developer"
}
}
}