TheCloudScout / azure-firewall-log4j-kql
Azure Firewall | Check log4j IoCs
// Lower bound for the time range of interest. It is not referenced in the lines
// shown here; presumably applied to TimeGenerated further down — confirm.
let timeWindow = datetime("2021-12-09");
// Remote IoC feed (callback URLs) fetched by the query engine at run time. The URL
// contains a commit hash, so the content is pinned to one revision of the gist.
let intel = ((externaldata (URL:string,values: dynamic) [@"https://gist.githubusercontent.com/superducktoes/9b742f7b44c71b4a0d19790228ce85d8/raw/f1751cc072bd33256c0005021f33348c22aa76fc/Callback%2520Domains%2520log4j"]));
// Second IoC feed, fetched from the master branch rather than a fixed commit, so its
// content (and therefore the query result) can change between runs. Not referenced
// in the lines shown here — confirm it is used below.
let IPList = externaldata(IPAddress:string)[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv"] with (format="csv", ignoreFirstRecord=True);
// Domain IoCs. extract() with group 0 returns the first run of exactly three
// lowercase labels (a.b.c): a two-label host such as example.com does not match,
// and a longer hostname yields only its first three labels.
let domains = intel | extend domains=extract(@"([0-9a-z]+\.[0-9a-z]+\.[a-z]+)",0,URL)| distinct domains| where domains != "" | project domains;
// IPv4 IoCs: dotted-quad pattern with no per-octet range check and no anchoring.
let ips = intel | extend ips=extract(@"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",0,URL) | distinct ips | where ips != "" | project ips;
// Port IoCs: digits between ':' and a following '/', so a port at the very end of a
// URL with no trailing slash is not captured.
let ports = intel | extend ports=extract(@":([0-9]{2,5})\/",1,URL) | distinct ports | where ports != "" | project ports;
// to parse Azure Firewall logs with "AzureFirewallApplicationRule" category, we need several different parsing methods based on the type of entries
let appl
// Rows from the "AlertLogs" watchlist, with the date and time columns combined into
// one datetime for sorting and correlation.
let AlertLogs = _GetWatchlist("AlertLogs")
// strcat() joins AlertDate and AlertTime with no separator; this assumes AlertTime in
// the watchlist already starts with a space or other delimiter — confirm.
| extend AlertDateTime = todatetime(strcat(AlertDate, AlertTime))
| project AlertDateTime, AlertName, UID;
// Rows from the "JunosLogs" watchlist; UID_ is renamed to UID so it can be the join key.
let JunosLogs = _GetWatchlist("JunosLogs")
| extend JunosDateTime = todatetime(strcat(Date, Time))
| project JunosDateTime, Action, UID=UID_;
// JunosLogs
// Left outer join keeps every alert, with empty Junos columns where no Junos row has
// the same UID. The key is UID only, not time, so an alert matches Junos rows from any
// point in time — filter on JunosDateTime if that matters.
AlertLogs
| join kind=leftouter JunosLogs on UID
// sort by defaults to descending order, so the newest alert comes first.
| sort by AlertDateTime
// "Unfamiliar sign-in properties" alerts from the exported-alerts custom log table,
// with the fields needed for correlation pulled out of the ExtendedProperties JSON.
let Unfamiliarsigninproperties = ExportSecurityAlerts_CL
| where AlertName_s == "Unfamiliar sign-in properties"
| extend IPAddress = tostring(parse_json(ExtendedProperties_s).["Client IP Address"])
| extend Location = tostring(parse_json(ExtendedProperties_s).["Client Location"])
// Local part of the User Account UPN. No tostring() is applied, so split()[0] is
// dynamic, not string; if UID is later joined against a string column the key types
// may not match — confirm.
| extend UID = split(tostring(parse_json(ExtendedProperties_s).["User Account"]),"@")[0]
// Assumes TimeGenerated_Local_Time__s has the form "<date>,<time>".
| extend AlertDate = split(TimeGenerated_Local_Time__s, ",")[0]
| extend AlertTime = split(TimeGenerated_Local_Time__s, ",")[1]
| extend AlertDateTime = todatetime(strcat(AlertDate, AlertTime))
| project AlertDateTime, AlertName = AlertName_s, IPAddress, Location, UID;
// "Atypical travel" alerts, presumably shaped the same way; the definition continues below.
let AtypicalTravel = ExportSecurityAlerts_CL
# No CI trigger: the pipeline runs only when started manually or by another pipeline.
trigger: none
pool:
# Floating image label; the agent image changes over time under this name.
vmImage: 'ubuntu-latest'
steps:
# Runs Azure CLI under the service principal of the named service connection.
- task: AzureCLI@2
displayName: Retrieve Service Connection credentials
inputs:
# Placeholder: replace with the name of the Azure Resource Manager service connection.
azureSubscription: '<Service Connection name>'
<#
.DESCRIPTION
Azure DevOps Pipeline details:
- AzureCLI@2
- scriptType: 'pscore'
- addSpnToEnvironment: true
Permission requirements:
- Azure DevOps: <Project> Build Service needs to be a member of the Endpoint Administrators group
- Azure AD: The application needs to be an owner of its own application
- Azure AD: Application requires the application permission Application.ReadWrite.OwnedBy
<#
.DESCRIPTION
This script adds the application's Service Principal as an Owner of the Application.
It performs the following steps:
- Log in to graph.microsoft.com
- Validate the Application Id
- Retrieve the current owner(s)
- If applicable, add the application delegation for graph.microsoft.com/Application.ReadWrite.OwnedBy
- If applicable, grant admin consent for the application delegation graph.microsoft.com/Application.ReadWrite.OwnedBy
- If applicable, add the service principal to the application as an owner
# file: postgres-to-sentinel.conf
input {
jdbc {
# Postgres jdbc connection string to our database (the "security" database on localhost)
jdbc_connection_string => "jdbc:postgresql://localhost:5432/security"
# The user we wish to execute our statement as
jdbc_user => "lutsdbuser"
# The password for that user. As written it sits in plaintext in this file; Logstash
# resolves ${VAR} references from its keystore or the environment, which keeps the
# secret out of the pipeline config.
jdbc_password => "<YOUR PASSWORD>"
# The path to our downloaded jdbc driver
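# escape=`
# LogStash base image from Elastic version 7.6.2
# Pinned by tag only; a tag can be re-pushed, so pin to the image digest as well
# (FROM docker.elastic.co/logstash/logstash:7.6.2@sha256:<digest>) for a reproducible build.
FROM docker.elastic.co/logstash/logstash:7.6.2
# Delete logstash.conf in custom image, so that we won't retain the example config from the base image.
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
# Copy JDBC drivers for PostgreSQL connection.
# COPY rather than ADD: the jar is a local file and none of ADD's extra behaviour
# (remote URLs, tar auto-extraction) is wanted.
COPY postgresql-42.2.12.jar /usr/share/logstash/modules/postgres/postgresql-42.2.12.jar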
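# Retrieve all Azure Container Registry credentials.
# Get-AzContainerRegistryCredential yields one object per registry piped in. The two
# secret names below can only hold one registry's passwords, and binding an array to
# the [string] -String parameter would silently store the space-joined passwords of
# every registry, so fail loudly unless exactly one credential object came back.
$RegistryCredentials = @(Get-AzContainerRegistry | Get-AzContainerRegistryCredential)
if ($RegistryCredentials.Count -ne 1) {
    throw "Expected credentials for exactly one container registry, found $($RegistryCredentials.Count)."
}
$RegistryCredentials = $RegistryCredentials[0]
# Convert first password to secure string and store it inside Key Vault as a secret.
# $(KeyVaultName) is presumably an Azure DevOps pipeline variable substituted before
# the script runs — it is not valid as plain PowerShell.
$RegistryPw1 = ConvertTo-SecureString -String $RegistryCredentials.Password -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name "RegistryPassword1" -SecretValue $RegistryPw1
# Convert second password to secure string and store it inside Key Vault as a secret
$RegistryPw2 = ConvertTo-SecureString -String $RegistryCredentials.Password2 -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $(KeyVaultName) -Name "RegistryPassword2" -SecretValue $RegistryPw2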
TheCloudScout / dockerfile
adsha-ubuntulinux
# escape=`
# Base image pinned by tag only; the image can change under the same tag, so add a
# digest (...@sha256:<digest>) if the build must be reproducible.
FROM mcr.microsoft.com/powershell:6.2.0-ubuntu-18.04
# Set default working directory to /agent (Linux path; not C:\Agent as on Windows)
WORKDIR /agent
# Set PowerShell as default shell, so later RUN instructions execute as pwsh commands
SHELL [ "pwsh", "-NoProfile", "-Command" ]