// Title:           Tenable.ad Data Parser
// Author:          Tenable
// Version:         1.0
// Last Updated:    11/18/2021
// Comment:         Add parser for Tenable.ad
//
// DESCRIPTION:
// This parser takes raw Tenable.ad logs from the relevant connector's data stream and parses the data into a normalized schema
//
// USAGE:
// 1. Open Log Analytics/Azure Sentinel Logs blade. Copy the query below and paste into the Logs query window.
// 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down.
//    In order for the Tenable.ad logs to work with pre-built queries and workbooks the Function name must be set to "afad_parser"
//    In Legacy category you set "parser". Then Click "Save".
// 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries
//
//
// REFERENCE:
// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions
//
//
let CodenameTable=datatable(Codename: string, Explanation: string) [
"test-checker-codename", "This is a test checker",
"", "Not an alert",
"C-GPO-EXEC-SANITY", "Ensure that GPOs applied on domain computers are sane.",
"C-CREDENTIAL-ROAMING", "Credential roaming attributes are vulnerable, making the related user protected secrets readable by an attacker.",
"C-ADMIN-RESTRICT-AUTH", "Privileged users can connect to less privileged machines thus risking credential theft",
"C-ADM-ACC-USAGE", "Recent use of the default administrator account",
"C-UNCONST-DELEG", "Dangerous delegation",
"C-PASSWORD-DONT-EXPIRE", "Accounts with never expiring passwords",
"C-USERS-CAN-JOIN-COMPUTERS", "Users allowed to join computers to the domain",
"C-CLEARTEXT-PASSWORD", "Potential clear-text password",
"C-PROTECTED-USERS-GROUP-UNUSED", "Protected Users group not used",
"C-PASSWORD-POLICY", "Weak password policies are applied on users",
"C-GPO-HARDENING", "Domain without computer-hardening GPOs",
"C-LAPS-UNSECURE-CONFIG", "Local administrative account management",
"C-AAD-CONNECT", "Verify permissions related to AAD Connect accounts",
"C-AAD-SSO-PASSWORD", "Verify AAD SSO account password last change",
"C-GPO-SD-CONSISTENCY", "Verify sensitive GPO objects and files permissions",
"C-DSHEURISTICS", "Domain using a dangerous backward-compatibility configuration",
"C-DOMAIN-FUNCTIONAL-LEVEL", "Domains have an outdated functional level",
"C-DISABLED-ACCOUNTS-PRIV-GROUPS", "Disabled accounts in privileged groups",
"C-DCSHADOW", "Rogue domain controllers",
"C-DC-ACCESS-CONSISTENCY", "Domain controllers managed by illegitimate users",
"C-DANGEROUS-TRUST-RELATIONSHIP", "Dangerous trust relationship",
"C-DANGEROUS-SENSITIVE-PRIVILEGES", "Dangerous sensitive privileges",
"C-DANG-PRIMGROUPID", "User Primary Group ID",
"C-BAD-PASSWORD-COUNT", "Brute-force attack detection",
"C-ADMINCOUNT-ACCOUNT-PROPS", "AdminCount attribute set on standard users",
"C-ACCOUNTS-DANG-SID-HISTORY", "Accounts having a dangerous SID History attribute",
"C-ABNORMAL-ENTRIES-IN-SCHEMA", "Dangerous rights in AD's schema",
"C-GPOLICY-DISABLED-UNLINKED", "Unlinked, disabled or orphan GPO",
"C-KERBEROS-CONFIG-ACCOUNT", "Kerberos configuration on user account",
"C-KRBTGT-PASSWORD", "KDC password last change",
"C-LAPS-UNSECURE-CONFIG", "Local administrative account management",
"C-NATIVE-ADM-GROUP-MEMBERS", "Native administrative group members",
"C-NETLOGON-SECURITY", "Unsecured configuration of Netlogon protocol",
"C-OBSOLETE-SYSTEMS", "Computers running an obsolete OS",
"C-PASSWORD-NOT-REQUIRED", "Account that might have an empty password",
"C-PKI-WEAK-CRYPTO", "Use of weak cryptography algorithms into Active Directory PKI",
"C-PRE-WIN2000-ACCESS-MEMBERS", "Accounts using a pre-Windows 2000 compatible access control",
"C-PRIV-ACCOUNTS-SPN", "Privileged accounts running Kerberos services",
"C-REVER-PWD-GPO", "Reversible passwords in GPO",
"C-ROOTOBJECTS-SD-CONSISTENCY", "Root objects permissions allowing DCSync-like attacks",
"C-SDPROP-CONSISTENCY", "Ensure SDProp consistency",
"C-SENSITIVE-CERTIFICATES-ON-USER", "Ensure SDProp consistency",
"C-SLEEPING-ACCOUNTS", "Sleeping accounts",
"C-USER-PASSWORD", "User account using old password",
"C-USERS-REVER-PWDS", "Reversible passwords",
// IOAs
"DCSync","The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.",
"I-DCSync","The DCSync command in Mimikatz allows an attacker to pretend to be a domain controller and retrieve password hashes and encryption keys from other domain controllers, without executing any code on the target.",
"Golden Ticket","A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).",
"I-GoldenTicket","A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).",
"Password Guessing","A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.",
"I-Bruteforce","A brute force password guessing attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.",
"Password Spraying","Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \"low-and-slow\" method.",
"I-PasswordSpraying","Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the \"low-and-slow\" method.",
"DCShadow","DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.",
"I-DCShadow","DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push changes to a domain via domain replication.",
"OS Credential Dumping: LSASS Memory","After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).",
"I-ProcessInjectionLsass","After a user logs on, attackers may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).",
"Suspicious process","Attackers can use well-known tools to exploit a vulnerability.",
"I-ProcessExec","Attackers can use well-known tools to exploit a vulnerability.",
"Suspicious service","Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.",
"I-ServiceInstall","Before or after an exploit, malicious tools might require to create a service to gain privileges or to be executed in another context.",
"I-PetitPotam","PetitPotam tool can be used to coerce authentication of the target machine to a remote system, generally to perform NTLM relay attacks."
];
let Common = Tenable_ad_CL
| parse RawData with
                     Time:datetime  " "
                     Host:string  " "
                     Product:string "["
                     PID:int "]: \""
                     MessageType:int "\" \""
                     AlertID:int "\" \""
                     Forest:string "\" \""
                     Domain:string "\" "
                     DistinctPart:string;
let Deviances = Common
| where MessageType == 0 | parse DistinctPart with "\""
                     Codename:string "\" \""
                     Severity:string "\" \""
                     ADObject:string "\" \""
                     DevianceID:string "\" \""
                     ProfileID:string "\" \""
                     ReasonCodename:string "\" \""
                     EventID:string "\""
                     Attributes:string;
let Changes = Common
| where MessageType == 1
| parse kind=regex DistinctPart with "\""
                     ADObject:string "\" \""
                     EventID:string "\" \""
                     EventType:string "\" "
                     Attributes:string;
let Attacks = Common
| where MessageType == 2
| parse DistinctPart with "\""
                     Codename:string "\" \""
                     Severity:string "\" \""
                     SourceHostname:string "\" \""
                     SourceIP:string "\" \""
                     DestinationHostname:string "\" \""
                     DestinationIP:string "\" \""
                     Attributes:string;
union Changes, Deviances, Attacks
| project-away DistinctPart, Product, _ResourceId, _SubscriptionId
| lookup kind=leftouter CodenameTable on Codename;