Merge pull request #11445 from daviditkin/feature-bhe-solution

Improved BloodHound Enterprise Solution
Azure · Dec 3, 2024 · 4a082e8 · 4a082e8
2 parents a0466d3 + 79e6e01
commit 4a082e8
Show file tree

Hide file tree

Showing 71 changed files with 3,864 additions and 1,882 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/BloodHoundEnterprise.json b/.script/tests/KqlvalidationsTests/CustomTables/BloodHoundEnterprise.json
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/BloodHoundLogs_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/BloodHoundLogs_CL.json
@@ -0,0 +1,121 @@
+{
+  "Name": "BloodHoundLogs_CL",
+  "properties": [
+    {
+      "name": "TimeGenerated",
+      "type": "datetime"
+    },
+    {
+      "name": "domain_sid",
+      "type": "string"
+    },
+    {
+      "name": "exposure_index",
+      "type": "real"
+    },
+    {
+      "name": "tier_zero_count",
+      "type": "real"
+    },
+    {
+      "name": "domain_id",
+      "type": "string"
+    },
+    {
+      "name": "non_tier_zero_principal",
+      "type": "string"
+    },
+    {
+      "name": "tier_zero_principal",
+      "type": "string"
+    },
+    {
+      "name": "group",
+      "type": "string"
+    },
+    {
+      "name": "principal",
+      "type": "string"
+    },
+    {
+      "name": "path_id",
+      "type": "string"
+    },
+    {
+      "name": "user",
+      "type": "string"
+    },
+    {
+      "name": "finding_id",
+      "type": "string"
+    },
+    {
+      "name": "path_title",
+      "type": "string"
+    },
+    {
+      "name": "path_type",
+      "type": "string"
+    },
+    {
+      "name": "exposure",
+      "type": "real"
+    },
+    {
+      "name": "finding_count",
+      "type": "real"
+    },
+    {
+      "name": "principal_count",
+      "type": "real"
+    },
+    {
+      "name": "id",
+      "type": "long"
+    },
+    {
+      "name": "created_at",
+      "type": "datetime"
+    },
+    {
+      "name": "updated_at",
+      "type": "datetime"
+    },
+    {
+      "name": "deleted_at",
+      "type": "datetime"
+    },
+    {
+      "name": "deleted_at_v",
+      "type": "boolean"
+    },
+    {
+      "name": "severity",
+      "type": "string"
+    },
+    {
+      "name": "domain_impact_value",
+      "type": "real"
+    },
+    {
+      "name": "domain_name",
+      "type": "string"
+    },
+    {
+      "name": "domain_type",
+      "type": "string"
+    },
+    {
+      "name": "data_type",
+      "type": "string"
+    },
+    {
+      "name": "event_type",
+      "type": "string"
+    },
+    {
+      "name": "event_details",
+      "type": "string"
+    }
+  ]
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -14,5 +14,6 @@
     },
     "githubPullRequests.ignoredPullRequestBranches": [
         "master"
-    ]
+    ],
+    "azureFunctions.projectSubpath": "Solutions/BloodHound Enterprise/Data Connectors"
 }
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
@@ -11,4 +11,4 @@
 			}
 		}
 	]
-}
+}
diff --git a/Solutions/BloodHound Enterprise/.vscode/extensions.json b/Solutions/BloodHound Enterprise/.vscode/extensions.json
@@ -0,0 +1,5 @@
+{
+  "recommendations": [
+    "ms-azuretools.vscode-azurefunctions"
+  ]
+}
diff --git a/Solutions/BloodHound Enterprise/.vscode/settings.json b/Solutions/BloodHound Enterprise/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+    "azureFunctions.deploySubpath": "Data Connectors",
+    "azureFunctions.projectLanguage": "Custom",
+    "azureFunctions.projectRuntime": "~4",
+    "debug.internalConsoleOptions": "neverOpen"
+}
diff --git a/Solutions/BloodHound Enterprise/.vscode/tasks.json b/Solutions/BloodHound Enterprise/.vscode/tasks.json
@@ -0,0 +1,15 @@
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"type": "func",
+			"label": "func: host start",
+			"command": "host start",
+			"problemMatcher": "$func-watch",
+			"isBackground": true,
+			"options": {
+				"cwd": "${workspaceFolder}/Data Connectors"
+			}
+		}
+	]
+}
diff --git a/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseCriticalAttackPaths.yaml b/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseCriticalAttackPaths.yaml
@@ -7,24 +7,24 @@ status: Available
 requiredDataConnectors:
   - connectorId: BloodHoundEnterprise
     dataTypes:
-      - BloodHoundEnterprise
+      - BloodHoundLogs_CL
 queryFrequency: 7d
 queryPeriod: 7d
 triggerOperator: gt
 triggerThreshold: 0
 tactics: []
 relevantTechniques: []
-query: |
-  BloodHoundEnterprise
+query: |-
+  BloodHoundLogs_CL
   | where data_type == "posture"
   | where created_at > ago (7d)
-  | summarize min_critical_risk_count = min(critical_risk_count), arg_max(created_at, current_critical_risk_count = critical_risk_count) by domain_name
+  | summarize min_critical_risk_count = min(finding_count), arg_max(created_at, current_critical_risk_count = finding_count) by domain_name
   | extend  difference = current_critical_risk_count - min_critical_risk_count
   | where difference > 0
 entityMappings:
   - entityType: DNS
     fieldMappings:
       - identifier: DomainName
         displayName: domain_name
-version: 1.0.1
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseExposure.yaml b/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseExposure.yaml
@@ -7,15 +7,15 @@ status: Available
 requiredDataConnectors:
   - connectorId: BloodHoundEnterprise
     dataTypes:
-      - BloodHoundEnterprise
+      - BloodHoundLogs_CL
 queryFrequency: 7d
 queryPeriod: 7d
 triggerOperator: gt
 triggerThreshold: 0
 tactics: []
 relevantTechniques: []
-query: |
-  BloodHoundEnterprise
+query: |-
+  BloodHoundLogs_CL
   | where data_type == "posture"
   | where created_at > ago (7d)
   | summarize min(exposure_index), arg_max(created_at, exposure_index) by domain_name
@@ -26,5 +26,5 @@ entityMappings:
     fieldMappings:
       - identifier: DomainName
         displayName: domain_name
-version: 1.0.1
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseTierZeroAssets.yaml b/Solutions/BloodHound Enterprise/Analytic Rules/BloodHoundEnterpriseTierZeroAssets.yaml
@@ -7,15 +7,15 @@ status: Available
 requiredDataConnectors:
   - connectorId: BloodHoundEnterprise
     dataTypes:
-      - BloodHoundEnterprise
+      - BloodHoundLogs_CL
 queryFrequency: 7d
 queryPeriod: 7d
 triggerOperator: gt
 triggerThreshold: 0
 tactics: []
 relevantTechniques: []
-query: |
-  BloodHoundEnterprise
+query: |-
+  BloodHoundLogs_CL
   | where data_type == "posture"
   | where created_at > ago (7d)
   | summarize min_tier_zero = min(tier_zero_count), max_tier_zero = arg_max(created_at, current_tier_zero = tier_zero_count) by domain_name
@@ -26,5 +26,5 @@ entityMappings:
     fieldMappings:
       - identifier: DomainName
         displayName: domain_name
-version: 1.0.1
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/BloodHound Enterprise/Data Connectors/.funcignore b/Solutions/BloodHound Enterprise/Data Connectors/.funcignore
@@ -0,0 +1,15 @@
+a.git*
+.vscode
+azurite
+__azurite_db*__.json
+__blobstorage__
+__queuestorage__
+local.settings.json
+test
+deployment
+azuredeploy*
+1Password*
+prev-*
+handler.go
+*.zip
+function
diff --git a/Solutions/BloodHound Enterprise/Data Connectors/.gitignore b/Solutions/BloodHound Enterprise/Data Connectors/.gitignore
@@ -0,0 +1,4 @@
+
+azurite
+handler
+function
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,4 +11,4 @@ @@
     			}
     		}
     	]
-    }
+    }