Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ProcessInvestigatorEventsOffline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2023-06-08T00:58:42.4731192Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.27.0.4 --> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.3.0.17-nia1709261429 --> <Events> <DerivedEvents> <!-- Process Investigator scanner -->
<!--
  Derived-event pipeline for Process Investigator (PILauncher) output.
  Both DerivedEvents below carry the same query body: keep only rows with
  EventProvider = "PILauncher", attach ReportingIdentity / AssetIdentity from
  the MA_HEARTBEAT_IDENTITY / MA_AZURE_IDENTITY static environment variables
  (NodeIdentity and NodeType are emitted as empty strings), run a best-effort
  credential-redaction pass over EventPayload, and ship the result to the
  AuditStore account (CentralBond store, 30-day retention, run locally).

  Redaction contract, exactly as the query is written:
  * The emitted EventPayload defaults to the RAW payload (redacted12 is
    initialised to EventPayload). It is only rewritten when (a) the static
    variable AZSECPACK_DISABLED_FEATURES does not contain "CredRedaction" and
    (b) the broad pre-filter RegexMatch finds something credential-looking
    (password/pass/key/token/secret/credential keywords, Authorization
    headers, "-p"/"-u" style switches, user:pass in URIs, long hex or base64
    runs, and literal prefixes such as eyJ, MII, AIza and xox; these prefixes
    presumably stand for JWT, DER-encoded key/cert, Google API key and Slack
    token shapes, but the file does not say so). If the pre-filter misses,
    no substitution runs at all: this is a heuristic safety net, not a
    guarantee that secrets never reach AuditStore.
  * "CredRedaction" in AZSECPACK_DISABLED_FEATURES is a kill switch. With it
    set, payloads (which can include full process command lines) ship
    unredacted. Whoever controls the agent's static environment controls the
    switch; treat it as a privileged setting and audit its use.
  * The twelve RegexSubst steps form a fixed chain; each consumes the
    previous result with the "g" flag, so the order is significant (the
    high-precision token-broker, base64 and JWT shapes are removed before
    the looser keyword patterns get a chance to match partially):
      1  TokenBrokerCookies.exe ... eyJ<rest>        TOKEN_BROKER_COOKIE_REDACTED
      2  43/86-char base64, 52-char base32,
         url-encoded base64 ending in %3d           SYMM_KEY_REDACTED
      3  eyJ<header>.eyJ<payload>.<signature>        JWT_REDACTED
      4  sig= / apiKey= values                       SAS_OR_APIKEY_REDACTED
      5  scheme://user:pass@                         URI_CRED_REDACTED
      6  Bearer / Basic / Digest credentials         HTTP_AUTH_REDACTED
      7  password/pwd/key/token/secret = value
         (the "bypass" spelling is excluded),
         ContainerUploader/Downloader.exe /ST:       GENERAL_PASSWORD_REDACTED
      8  hex runs of 20 to 31, 33 to 39 or 41+ chars SUSPICIOUS_HEX_STRING_REDACTED
         (lengths 32 and 40 are deliberately not matched; presumably so that
         GUID / SHA-1 style identifiers stay readable; confirm before changing)
      9  docker login ... -p / -password value       DOCKER_CREDENTIALS_REDACTED
     10  psexec / certutil -p or /p value            COMMON_UTILITY_CREDENTIALS_REDACTED
     11  -u / -user X followed by -p / -pass / -pw /
         -password value                             USER_PASSWORD_REDACTED
     12  curl -u user:pass                           CURL_PASSWORD_REDACTED

  NOTE(review): the selected columns include Truncated, TotalChunks, ChunkId
  and ChunkReference, so a payload can be delivered in several chunks. The
  regexes run on one event at a time; a secret that straddles a chunk
  boundary would not match any pattern above. Confirm whether chunking
  happens before or after this redaction pass.
  NOTE(review): backslash escaping inside the pattern literals is mixed
  ("\s" next to "\\s", "\." next to "\\."). Whether both forms compile to the
  same regex depends on how the MA query language unescapes string
  literals; a pattern that fails to compile would silently leave that step
  unapplied. Verify against the agent rather than assume.
-->
<DerivedEvent source="AsmDiagnostics" duration="PT5M" eventName="AsmPiDiag" account="AuditStore" priority="Normal" deadline="PT15M" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30"> <Query><![CDATA[ var input = where EventProvider = "PILauncher"; from input let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let NodeIdentity="" let NodeType="" let redacted1 = "" let redacted2 = "" let redacted3 = "" let redacted4 = "" let redacted5 = "" let redacted6 = "" let redacted7 = "" let redacted8 = "" let redacted9 = "" let redacted10 = "" let redacted11 = "" let redacted12 = EventPayload let regexMatchExists = "" let IsFeatureDisabled = ToString(GetStaticEnvironmentVariable("AZSECPACK_DISABLED_FEATURES")) if(!IsFeatureDisabled.contains("CredRedaction")) { regexMatchExists = RegexMatch(EventPayload,"(?i)pa?s*w[^e]o?r?d?[^l]|pass|snmp|[^ ]key[^w]|(?-i)SharePointOnlineAuthenticatedContext(?i)|(?i)twilioauth|authorization[,\\[:= \"']+(basic|digest|hoba|mutual|negotiate|oauth( oauth_token=)?|bearer)|(?-i)eyJ(?i)|Credential|Secure|Secret|_Token|Refresh\\s?Token|Access\\s?Token|SAS\\s?Token|token|(?-i)PAT(?i)|Personal\\s?Access\\s?Token|Token\\s?Cache|Cache\\s?Token|bearer|-p |-pa |-pass |://[^\\s]{0,36}:|X509Certificates2?|Ansible|(?-i)MII(?i)|xox|v1\\.|(?-i)AIza(?i)|[a-f0-9]{20,}|[a-z0-9/+]{30}=|(?-i)[a-z2-7]{52}\\W(?i)|Sig=|Code=|-u"); if(regexMatchExists!=""){ redacted1=RegexSubst(EventPayload,"(?i)(TokenBrokerCookies\.exe\s.*?)eyJ.*","$1TOKEN_BROKER_COOKIE_REDACTED", "g"); 
redacted2=RegexSubst(redacted1,"(^|[^\w])(?:[A-Za-z0-9/\\+]{43}=|[A-Za-z0-9/\\+]{86}==|[A-Za-z2-7]{52}|[A-Za-z0-9%]{43,63}%3d)($|[^\w=])", "$1SYMM_KEY_REDACTED$2", "g"); redacted3=RegexSubst(redacted2,"(^|[^\w])(?:eyJ[A-Za-z0-9_%-]+\\.eyJ[A-Za-z0-9_%-]+\\.[A-Za-z0-9_%-]+)($|[^\w=])", "$1JWT_REDACTED$2", "g"); redacted4=RegexSubst(redacted3,"(?i)((?:sig|apiKey)[=}\\',]+)(?:[^;,&]+)","$1SAS_OR_APIKEY_REDACTED", "g"); redacted5=RegexSubst(redacted4,"(://)[^: ]+:[^@]+@","$1URI_CRED_REDACTED@", "g"); redacted6=RegexSubst(redacted5,"((?i:(?:\"?Authorization\"?:?\s?\"?)?(?:Bearer|Basic|Digest)\s))(?:\S+?)([;\"]?\s|$)", "$1HTTP_AUTH_REDACTED$2", "g"); redacted7=RegexSubst(redacted6,"(?i)((?:(?:b[^y]|[^b][^y]|[^b]y|^.?)pass(?:word)?|pwd|key|token|secret)s?\"?[\' =:+]+(?:\"|%22)?|Container(?:Up|Down)loader.exe.*?\/ST:\"?)([^\s-;,!\"#][^%\s;,!\"#]{3,})", "$1GENERAL_PASSWORD_REDACTED", "g"); redacted8=RegexSubst(redacted7,"(?i)(\W)(?:[0-9A-F]{20,31}|[0-9A-F]{33,39}|[0-9A-F]{41,})(\W)", "$1SUSPICIOUS_HEX_STRING_REDACTED$2", "g"); redacted9=RegexSubst(redacted8,"((?i:docker.*)\slogin\s.*-p(?:assword)?[\"\']?\s+)\S*", "$1DOCKER_CREDENTIALS_REDACTED", "g"); redacted10=RegexSubst(redacted9,"((?i)(?:psexec|certutil).*\s[\"\']?[-/]p\s+)\S*", "$1COMMON_UTILITY_CREDENTIALS_REDACTED", "g"); redacted11=RegexSubst(redacted10,"((?i)(?:-u(?:ser)?[=: ]+\s*\S+\s*-(?:p(?:ass|w)?(?:word)?)?[=: ]+\s*))(\S*)", "$1USER_PASSWORD_REDACTED", "g"); redacted12=RegexSubst(redacted11,"((?i)(?:curl(?:.exe)?(?:\")?\s+-u\s+\S+:))(\S+)", "$1CURL_PASSWORD_REDACTED", "g"); } } select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, redacted12 as EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference ]]></Query> </DerivedEvent>
<!--
  Alert stream. The query body is a verbatim copy of the AsmPiDiag query
  above (same PILauncher filter, same pre-filter, same twelve-step redaction
  chain, same "CredRedaction" kill switch). Only the source (AsmAlertsData),
  the eventName (AsmPiAlert) and the timing (1-minute window, 5-minute
  deadline) differ. Any change to a redaction pattern must be mirrored in
  both queries, otherwise the diagnostic and alert streams will redact
  differently and one of them can leak what the other strips.
-->
<DerivedEvent source="AsmAlertsData" duration="PT1M" eventName="AsmPiAlert" account="AuditStore" priority="Normal" deadline="PT5M" retryTimeout="PT1H" storeType="CentralBond" whereToRun="Local" retentionInDays="30"> <Query><![CDATA[ var input = 
where EventProvider = "PILauncher"; from input let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let NodeIdentity="" let NodeType="" let redacted1 = "" let redacted2 = "" let redacted3 = "" let redacted4 = "" let redacted5 = "" let redacted6 = "" let redacted7 = "" let redacted8 = "" let redacted9 = "" let redacted10 = "" let redacted11 = "" let redacted12 = EventPayload let regexMatchExists = "" let IsFeatureDisabled = ToString(GetStaticEnvironmentVariable("AZSECPACK_DISABLED_FEATURES")) if(!IsFeatureDisabled.contains("CredRedaction")) { regexMatchExists = RegexMatch(EventPayload,"(?i)pa?s*w[^e]o?r?d?[^l]|pass|snmp|[^ ]key[^w]|(?-i)SharePointOnlineAuthenticatedContext(?i)|(?i)twilioauth|authorization[,\\[:= \"']+(basic|digest|hoba|mutual|negotiate|oauth( oauth_token=)?|bearer)|(?-i)eyJ(?i)|Credential|Secure|Secret|_Token|Refresh\\s?Token|Access\\s?Token|SAS\\s?Token|token|(?-i)PAT(?i)|Personal\\s?Access\\s?Token|Token\\s?Cache|Cache\\s?Token|bearer|-p |-pa |-pass |://[^\\s]{0,36}:|X509Certificates2?|Ansible|(?-i)MII(?i)|xox|v1\\.|(?-i)AIza(?i)|[a-f0-9]{20,}|[a-z0-9/+]{30}=|(?-i)[a-z2-7]{52}\\W(?i)|Sig=|Code=|-u"); if(regexMatchExists!=""){ redacted1=RegexSubst(EventPayload,"(?i)(TokenBrokerCookies\.exe\s.*?)eyJ.*","$1TOKEN_BROKER_COOKIE_REDACTED", "g"); redacted2=RegexSubst(redacted1,"(^|[^\w])(?:[A-Za-z0-9/\\+]{43}=|[A-Za-z0-9/\\+]{86}==|[A-Za-z2-7]{52}|[A-Za-z0-9%]{43,63}%3d)($|[^\w=])", "$1SYMM_KEY_REDACTED$2", "g"); redacted3=RegexSubst(redacted2,"(^|[^\w])(?:eyJ[A-Za-z0-9_%-]+\\.eyJ[A-Za-z0-9_%-]+\\.[A-Za-z0-9_%-]+)($|[^\w=])", "$1JWT_REDACTED$2", "g"); redacted4=RegexSubst(redacted3,"(?i)((?:sig|apiKey)[=}\\',]+)(?:[^;,&]+)","$1SAS_OR_APIKEY_REDACTED", "g"); redacted5=RegexSubst(redacted4,"(://)[^: ]+:[^@]+@","$1URI_CRED_REDACTED@", "g"); redacted6=RegexSubst(redacted5,"((?i:(?:\"?Authorization\"?:?\s?\"?)?(?:Bearer|Basic|Digest)\s))(?:\S+?)([;\"]?\s|$)", 
"$1HTTP_AUTH_REDACTED$2", "g"); redacted7=RegexSubst(redacted6,"(?i)((?:(?:b[^y]|[^b][^y]|[^b]y|^.?)pass(?:word)?|pwd|key|token|secret)s?\"?[\' =:+]+(?:\"|%22)?|Container(?:Up|Down)loader.exe.*?\/ST:\"?)([^\s-;,!\"#][^%\s;,!\"#]{3,})", "$1GENERAL_PASSWORD_REDACTED", "g"); redacted8=RegexSubst(redacted7,"(?i)(\W)(?:[0-9A-F]{20,31}|[0-9A-F]{33,39}|[0-9A-F]{41,})(\W)", "$1SUSPICIOUS_HEX_STRING_REDACTED$2", "g"); redacted9=RegexSubst(redacted8,"((?i:docker.*)\slogin\s.*-p(?:assword)?[\"\']?\s+)\S*", "$1DOCKER_CREDENTIALS_REDACTED", "g"); redacted10=RegexSubst(redacted9,"((?i)(?:psexec|certutil).*\s[\"\']?[-/]p\s+)\S*", "$1COMMON_UTILITY_CREDENTIALS_REDACTED", "g"); redacted11=RegexSubst(redacted10,"((?i)(?:-u(?:ser)?[=: ]+\s*\S+\s*-(?:p(?:ass|w)?(?:word)?)?[=: ]+\s*))(\S*)", "$1USER_PASSWORD_REDACTED", "g"); redacted12=RegexSubst(redacted11,"((?i)(?:curl(?:.exe)?(?:\")?\s+-u\s+\S+:))(\S+)", "$1CURL_PASSWORD_REDACTED", "g"); } } select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, redacted12 as EventPayload, Truncated, TotalChunks, ChunkId, ChunkReference ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |