  1. {
  2.   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  3.   "contentVersion": "1.0.0.0",
  4.   "metadata": {
  5.     "author": "vendor.",
  6.     "comments": "Solution template for Auditd"
  7.   },
  8.   "parameters": {
  9.     "location": {
  10.       "type": "string",
  11.       "minLength": 1,
  12.       "defaultValue": "[resourceGroup().location]",
  13.       "metadata": {
  14.         "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`.  We instead use the `workspace-location` which is derived from the LA workspace"
  15.       }
  16.     },
  17.     "workspace-location": {
  18.       "type": "string",
  19.       "defaultValue": "",
  20.       "metadata": {
  21.         "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
  22.       }
  23.     },
  24.     "workspace": {
  25.       "defaultValue": "",
  26.       "type": "string",
  27.       "metadata": {
  28.         "description": "Workspace name for Log Analytics where Microsoft Sentinel is set up"
  29.       }
  30.     }
  31.   },
  32.   "variables": {
  33.     "_solutionName": "Auditd",
  34.     "_solutionVersion": "3.0.0",
  35.     "solutionId": "vendor.vendor-solution",
  36.     "_solutionId": "[variables('solutionId')]",
  37.     "analyticRuleObject1": {
  38.       "analyticRuleVersion1": "1.0.0",
  39.       "_analyticRulecontentId1": "694ce09d-a4c8-47d5-8095-f1c4693462f5",
  40.       "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '694ce09d-a4c8-47d5-8095-f1c4693462f5')]",
  41.       "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('694ce09d-a4c8-47d5-8095-f1c4693462f5')))]",
  42.       "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','694ce09d-a4c8-47d5-8095-f1c4693462f5','-', '1.0.0')))]"
  43.     },
  44.     "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
  45.   },
  46.   "resources": [
  47.     {
  48.       "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
  49.       "apiVersion": "2023-04-01-preview",
  50.       "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
  51.       "location": "[parameters('workspace-location')]",
  52.       "dependsOn": [
  53.         "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  54.       ],
  55.       "properties": {
  56.         "description": "auditd_netcat_socat_or_nc_executed_after_firewall_rules_are_altered_AnalyticalRules Analytics Rule with template version 3.0.0",
  57.         "mainTemplate": {
  58.           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  59.           "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
  60.           "parameters": {},
  61.           "variables": {},
  62.           "resources": [
  63.             {
  64.               "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
  65.               "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
  66.               "apiVersion": "2023-02-01-preview",
  67.               "kind": "Scheduled",
  68.               "location": "[parameters('workspace-location')]",
  69.               "properties": {
  70.                 "description": "This query identifies the execution of netcat, socat, or nc following a firewall change",
  71.                 "displayName": "AuditD - netcat, socat, or nc Executed After Firewall Rules Are Altered",
  72.                 "enabled": false,
  73.                 "query": "// update rule. add exclusions (list of users, Dvc)\n// potential new rule. Monitor CmdEvents only -- no firewall status.\n// response: can't use users -- no users in events found\nlet firewallKeys = dynamic([\"iptables_exec\", \"nftables_exec\", \"firewall-cmd_exec\", \"ufw_exec\"]);\nlet cmdKeys = dynamic([\"susp_activity_ncat\", \"susp_activity_socat\", \"susp_activity_nc\"]);\nlet excludeDvc = dynamic([\"centos\"]);\nlet FirewallEvents = ASim_LinuxAuditdSyslog_V01(false)\n    | where key in (firewallKeys);\nlet CmdEvents = ASim_LinuxAuditdSyslog_V01(false)\n    | where key in (cmdKeys)\n    | where not(Dvc has_any (excludeDvc));\nFirewallEvents\n    | join kind=inner (CmdEvents) on $left.Dvc == $right.Dvc\n    | project-rename FirewallAt=TimeGenerated, CmdAt=TimeGenerated1\n    | where FirewallAt <= CmdAt\n    | project FirewallAt, CmdAt, Dvc, FirewallKey=key, CmdKey=key1",
  74.                 "queryFrequency": "PT1H",
  75.                 "queryPeriod": "PT1H",
  76.                 "severity": "Low",
  77.                 "suppressionDuration": "PT1H",
  78.                 "suppressionEnabled": false,
  79.                 "triggerOperator": "GreaterThan",
  80.                 "triggerThreshold": 0,
  81.                 "status": "Available",
  82.                 "requiredDataConnectors": [
  83.                   {
  84.                     "dataTypes": [
  85.                       "Syslog"
  86.                     ],
  87.                     "connectorId": "AuditDSyslog"
  88.                   }
  89.                 ],
  90.                 "tactics": [
  91.                   "InitialAccess"
  92.                 ],
  93.                 "techniques": [
  94.                   "T1189"
  95.                 ],
  96.                 "entityMappings": [
  97.                   {
  98.                     "entityType": "IP",
  99.                     "fieldMappings": [
  100.                       {
  101.                         "identifier": "Address",
  102.                         "columnName": "IPCustomEntity"
  103.                       }
  104.                     ]
  105.                   }
  106.                 ]
  107.               }
  108.             },
  109.             {
  110.               "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  111.               "apiVersion": "2022-01-01-preview",
  112.               "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
  113.               "properties": {
  114.                 "description": "Auditd Analytics Rule 1",
  115.                 "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
  116.                 "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
  117.                 "kind": "AnalyticsRule",
  118.                 "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
  119.                 "source": {
  120.                   "kind": "Solution",
  121.                   "name": "Auditd",
  122.                   "sourceId": "[variables('_solutionId')]"
  123.                 },
  124.                 "author": {
  125.                   "name": "vendor."
  126.                 },
  127.                 "support": {
  128.                   "name": "vendor.",
  129.                   "email": "[email protected]",
  130.                   "tier": "Partner",
  131.                   "link": "https://microsoft.com"
  132.                 }
  133.               }
  134.             }
  135.           ]
  136.         },
  137.         "packageKind": "Solution",
  138.         "packageVersion": "[variables('_solutionVersion')]",
  139.         "packageName": "[variables('_solutionName')]",
  140.         "packageId": "[variables('_solutionId')]",
  141.         "contentSchemaVersion": "3.0.0",
  142.         "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
  143.         "contentKind": "AnalyticsRule",
  144.         "displayName": "AuditD - netcat, socat, or nc Executed After Firewall Rules Are Altered",
  145.         "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
  146.         "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
  147.         "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
  148.       }
  149.     },
  150.     {
  151.       "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
  152.       "apiVersion": "2023-04-01-preview",
  153.       "location": "[parameters('workspace-location')]",
  154.       "properties": {
  155.         "version": "3.0.0",
  156.         "kind": "Solution",
  157.         "contentSchemaVersion": "3.0.0",
  158.         "displayName": "Auditd",
  159.         "publisherDisplayName": "vendor.",
  160.         "descriptionHtml": "<p><strong>Note:</strong> Please refer to the following before installing the solution:</p>\n<p>• Review the solution <a href=\"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Auditd/ReleaseNotes.md\">Release Notes</a></p>\n<p>• There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</p>\n<p>Auditd Solution for MS Sentinel</p>\n<p><strong>Analytic Rules:</strong> 1</p>\n<p><a href=\"https://aka.ms/azuresentinel\">Learn more about Microsoft Sentinel</a> | <a href=\"https://aka.ms/azuresentinelsolutionsdoc\">Learn more about Solutions</a></p>\n",
  161.         "contentKind": "Solution",
  162.         "contentProductId": "[variables('_solutioncontentProductId')]",
  163.         "id": "[variables('_solutioncontentProductId')]",
  164.         "icon": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Auditd.svg\" width=\"75px\" height=\"75px\">",
  165.         "contentId": "[variables('_solutionId')]",
  166.         "parentId": "[variables('_solutionId')]",
  167.         "source": {
  168.           "kind": "Solution",
  169.           "name": "Auditd",
  170.           "sourceId": "[variables('_solutionId')]"
  171.         },
  172.         "author": {
  173.           "name": "vendor."
  174.         },
  175.         "support": {
  176.           "name": "vendor.",
  177.           "email": "[email protected]",
  178.           "tier": "Partner",
  179.           "link": "https://microsoft.com"
  180.         },
  181.         "dependencies": {
  182.           "operator": "AND",
  183.           "criteria": [
  184.             {
  185.               "kind": "AnalyticsRule",
  186.               "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
  187.               "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
  188.             }
  189.           ]
  190.         },
  191.         "firstPublishDate": "2025-08-06",
  192.         "lastPublishDate": "2025-08-06",
  193.         "providers": [
  194.           "vendor"
  195.         ],
  196.         "categories": {
  197.           "domains": [
  198.             "Security - Others"
  199.           ]
  200.         }
  201.       },
  202.       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
  203.     }
  204.   ],
  205.   "outputs": {}
  206. }