more rate limiting

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -93,6 +93,7 @@
   "GCPDNSDataConnector",
   "GWorkspaceRAPI",
   "GoogleWorkspaceReportsAPI",
+  "GreyNoise2SentinelAPI",
   "IdentityInfo",
   "ImpervaWAFCloudAPI",
   "ImpervaWAFGateway",

Sample Data/Custom/GreyNoiseEvent.json

@@ -0,0 +1,72 @@
+[
+ {
+    "ip": "1.1.2.2",
+    "metadata": {
+      "asn": "AS25000",
+      "city": "Ta’if",
+      "country": "Saudi Arabia",
+      "country_code": "SA",
+      "organization": "Saudi Telecom Company JSC",
+      "category": "isp",
+      "tor": false,
+      "rdns": "" ,
+      "os": "Windows 7/8",
+      "sensor_count": 78,
+      "sensor_hits": 433,
+      "region": "Mecca Region",
+      "destination_countries": [
+        "Belarus",
+        "United States",
+        "Saudi Arabia",
+        "Bulgaria",
+        "United Kingdom",
+        "Israel",
+        "Australia",
+        "Indonesia",
+        "South Korea"
+      ],
+      "source_country": "Saudi Arabia",
+      "source_country_code": "SA",
+      "destination_country_codes": [
+        "BY",
+        "US",
+        "SA",
+        "BG",
+        "GB",
+        "IL",
+        "AU",
+        "ID",
+        "KR"
+      ]
+    },
+    "bot": false,
+    "vpn": false,
+    "vpn_service": "N/A",
+    "spoofable": false,
+    "raw_data": {
+      "scan": [
+        {
+          "port": 445,
+          "protocol": "TCP"
+        },
+        {
+          "port": 1433,
+          "protocol": "TCP"
+        }
+      ],
+      "web": {},
+      "ja3": [],
+      "hassh": []
+    },
+    "first_seen": "2023-08-23",
+    "last_seen": "2023-08-25",
+    "seen": true,
+    "tags": [
+      "MSSQL Bruteforcer",
+      "SMBv1 Crawler"
+    ],
+    "actor": "unknown",
+    "classification": "malicious",
+    "cve": []
+  }
+]

Sample Data/ThreatIntelligence/GreyNoiseThreatIntelligence.json

@@ -0,0 +1 @@
+[{"type": "indicator", "spec_version": "2.1", "id": "indicator--849a9eaf-1b0f-556d-ab18-7b6a1d1978f6", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.07195Z", "modified": "2023-09-11T17:54:10.07195Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-11T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 90}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--20d96100-01cf-5753-8f5b-5ed2aa08f921", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.135856Z", "modified": "2023-09-11T17:54:10.135856Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-02-24T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--3d63ab74-3949-57f7-bf40-0a7c4f149a77", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.144328Z", "modified": "2023-09-11T17:54:10.144328Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-01T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--0c70e00d-e0a8-5144-8424-cd0fa3ecd5e3", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.150941Z", "modified": "2023-09-11T17:54:10.150941Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["malicious"], "pattern": "[ipv4-addr:value = '1.1.1.5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-08T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["Mirai"], "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--b8dfd523-5156-5319-9375-53add8183ea4", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.157199Z", "modified": "2023-09-11T17:54:10.157199Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-12-23T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["SMBv1 Crawler"], "confidence": 100}]

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml

@@ -0,0 +1,64 @@
+id: e50657d7-8bca-43ff-a647-d407fae440d6
+name: GreyNoise TI Map IP Entity to CommonSecurityLog
+description: |
+  This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.
+severity: Medium
+requiredDataConnectors:
+  - connectorId: ThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+  - connectorId: CEF
+    dataTypes:
+      - CommonSecurityLog
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+  - connectorId: GreyNoise2SentinelAPI
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 4h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+  let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
+  let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
+  let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators
+  // Fetch threat intelligence indicators related to IP addresses
+  let IP_Indicators = ThreatIntelligenceIndicator
+    | where TimeGenerated >= ago(ioc_lookBack)
+    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    | where Active == true and ExpirationDateTime > now()
+    | where SourceSystem == 'GreyNoise'
+    | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
+    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
+    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
+    | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
+    | where ipv4_is_private(TI_ipEntity) == false and  TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127.";
+  // Perform a join between IP indicators and CommonSecurityLog events
+  IP_Indicators
+    // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation
+    | join kind=innerunique (
+        CommonSecurityLog
+        | where TimeGenerated >= ago(dt_lookBack)
+        | extend MessageIP = extract(IPRegex, 0, Message)
+        | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)
+        | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
+        | extend CommonSecurityLog_TimeGenerated = TimeGenerated
+    )
+    on $left.TI_ipEntity == $right.CS_ipEntity
+    // Filter out logs that occurred after the expiration of the corresponding indicator
+    | where CommonSecurityLog_TimeGenerated < ExpirationDateTime
+    // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp
+    | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity
+    // Select the desired output fields
+    | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: CS_ipEntity
+version: 1.0.0
+kind: Scheduled

Solutions/GreyNoiseThreatIntelligence/Data Connectors/.gitignore

@@ -0,0 +1,135 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don’t work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# Azure Functions artifacts
+bin
+obj
+appsettings.json
+local.settings.json
+
+# Azurite artifacts
+__blobstorage__
+__queuestorage__
+__azurite_db*__.json
+.python_packages

Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/function.json

@@ -0,0 +1,11 @@
+{
+  "scriptFile": "main.py",
+  "bindings": [
+    {
+      "name": "mytimer",
+      "type": "timerTrigger",
+      "direction": "in",
+      "schedule": "0 0 0 */0 * *"
+    }
+  ]
+}