From 27e2a69fad5190d12ff73cc6bb2c40d8c66f8a6a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:04 +0000
Subject: [PATCH 001/375] Exported file:
./.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json.json
---
..._c4780b67-8059-45a5-8dc8-0301570477c0.json | 376 ++++++++++++++++++
1 file changed, 376 insertions(+)
create mode 100644 .sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
diff --git a/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
new file mode 100644
index 00000000..e2d864b0
--- /dev/null
+++ b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
@@ -0,0 +1,376 @@
+{
+ "64ce2f23-eab3-4e96-899a-bd2403d21a86": "\"a7004ad4-0000-0800-0000-63d45e2f0000\"",
+ "c48bc19c-dba4-4da3-b215-c9086150d26f": "\"a70052d4-0000-0800-0000-63d45e300000\"",
+ "c2cab3a7-b80c-4b53-8126-9affe3ef96d4": "\"35002d68-0000-0800-0000-63f5638f0000\"",
+ "6a14a7a3-8278-47a8-b17a-2f9f1571362c": "\"3500554e-0000-0800-0000-63f55b050000\"",
+ "835a2032-8b67-4e89-a5c6-2d3c04526a70": "\"35007b4c-0000-0800-0000-63f557450000\"",
+ "bbe16dbb-c5b1-4796-a640-23be2e6e1e6f": "\"35007e4c-0000-0800-0000-63f557590000\"",
+ "29579f11-7599-48db-9ded-b81730a99f26": "\"3500844c-0000-0800-0000-63f5576e0000\"",
+ "9f7a0194-705a-45f9-a54d-a1a1d29354e0": "\"3500a24c-0000-0800-0000-63f557a90000\"",
+ "1dbb9018-2cb3-4818-87e0-8a4a5a1980dc": "\"3500ab4c-0000-0800-0000-63f557c40000\"",
+ "4d197e7a-078d-4401-9359-9c84a2335885": "\"3500b14c-0000-0800-0000-63f557d90000\"",
+ "118cc3d5-6ab5-493a-a0a9-793c9dd09875": "\"250037d3-0000-0800-0000-63ec4af90000\"",
+ "84af311a-0ca0-4e6e-9626-65cbcd255ceb": "\"3500b54c-0000-0800-0000-63f557f20000\"",
+ "fa3714b9-e6fa-4839-92cf-c7a3329e0edb": "\"3500ce4c-0000-0800-0000-63f558410000\"",
+ "2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd": "\"3500d34c-0000-0800-0000-63f558540000\"",
+ "3bef0ebd-28b7-465d-9f37-f2e69d390dbc": "\"3500ed4c-0000-0800-0000-63f558a60000\"",
+ "b129d496-e02c-479f-a5c7-16cc71ef63ad": "\"3500404d-0000-0800-0000-63f558bc0000\"",
+ "62e59eb2-2ac3-4a04-b73e-9aaea7a00c90": "\"35009f4d-0000-0800-0000-63f558d00000\"",
+ "8628a3cf-01b4-40ff-b06c-1ff6d5678535": "\"3500c34d-0000-0800-0000-63f558ea0000\"",
+ "2cca3599-da9a-4231-a9d2-b1f733201dbd": "\"3500c94d-0000-0800-0000-63f559010000\"",
+ "ee43dc07-3a2f-4c4d-b460-557389385470": "\"3500ce4d-0000-0800-0000-63f5591f0000\"",
+ "45f5eb6b-e221-44e3-928c-a372d76d1a6d": "\"3500d74d-0000-0800-0000-63f559350000\"",
+ "7b61a883-0219-4ac3-8058-29afe81b8e7e": "\"3500df4d-0000-0800-0000-63f559540000\"",
+ "5835ecfd-6b56-4f8e-9719-74d85e34c077": "\"3500e24d-0000-0800-0000-63f5596c0000\"",
+ "798fde9b-d47c-4158-99e0-326a7f4e29d6": "\"3500ea4d-0000-0800-0000-63f559830000\"",
+ "a4490aac-93b0-4262-b08d-fb4bc4e74dd6": "\"3500f44d-0000-0800-0000-63f559990000\"",
+ "fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246": "\"3500fa4d-0000-0800-0000-63f559c30000\"",
+ "5892dbb0-9d3b-485a-b4cf-147e30b22cbe": "\"3500fe4d-0000-0800-0000-63f559d40000\"",
+ "75e2a7e7-535e-47ca-9fea-d30a0f0f104d": "\"3500064e-0000-0800-0000-63f559ee0000\"",
+ "288cca7e-3f39-42fc-ada2-eca124936ec2": "\"35000b4e-0000-0800-0000-63f55a000000\"",
+ "769308db-305a-47ed-9837-bfb6bec71ea7": "\"35001f4e-0000-0800-0000-63f55a5c0000\"",
+ "24b268fb-0acf-4315-808e-f1e941506be3": "\"3500264e-0000-0800-0000-63f55a740000\"",
+ "10254512-df08-4fea-8619-c505e87d377b": "\"3500354e-0000-0800-0000-63f55a870000\"",
+ "aa392189-9ff4-40f3-af07-3c2e454d5b22": "\"3500384e-0000-0800-0000-63f55a9b0000\"",
+ "78389019-b3c8-476c-9867-dee37f00f6ea": "\"35003c4e-0000-0800-0000-63f55ab20000\"",
+ "c2397090-face-41f6-ae70-89fc66312292": "\"3500474e-0000-0800-0000-63f55ac90000\"",
+ "edb16bf3-eeca-4545-901f-6b4d79a41be9": "\"35004a4e-0000-0800-0000-63f55add0000\"",
+ "6d3d9221-367e-4954-836b-a53bfb08d042": "\"35004f4e-0000-0800-0000-63f55af20000\"",
+ "09171b34-9e5d-4554-8675-f564c77f739d": "\"3500584e-0000-0800-0000-63f55b170000\"",
+ "0993b38b-fb86-4dc8-8b3d-8531f0b2e12b": "\"3500654e-0000-0800-0000-63f55b300000\"",
+ "15ce6bf5-76f6-4160-a6ab-cae48ccd14c7": "\"3500804e-0000-0800-0000-63f55b440000\"",
+ "defe98a5-5be4-4a6c-9808-eef4c1946f37": "\"3500004f-0000-0800-0000-63f55b600000\"",
+ "ebbc52fe-8427-412b-98a7-6804d5506f7d": "\"35003a4f-0000-0800-0000-63f55b740000\"",
+ "44975607-3f23-4632-871e-b08b59ebd68c": "\"3500834f-0000-0800-0000-63f55b880000\"",
+ "74a06942-f4b8-440a-bcbb-829dc41948ba": "\"3500be4f-0000-0800-0000-63f55b9a0000\"",
+ "4e137990-3aad-4695-8ea5-eac1e16a9451": "\"35001150-0000-0800-0000-63f55bb00000\"",
+ "dea3bd60-9ee8-49fd-a859-3bab903451e5": "\"35005550-0000-0800-0000-63f55bc20000\"",
+ "0bffacb7-52da-463c-8ae4-62c09da8c510": "\"35009c50-0000-0800-0000-63f55bd70000\"",
+ "d6f670a3-6443-47c0-8c9e-387a1d0e58c0": "\"35000f51-0000-0800-0000-63f55bea0000\"",
+ "05c4ea76-9c7f-4865-824b-178cbb899a82": "\"35006a51-0000-0800-0000-63f55c030000\"",
+ "7bf49942-c5ad-448a-bf6b-893f39186ea2": "\"3500ef51-0000-0800-0000-63f55c200000\"",
+ "5410fda8-a757-41b6-97f1-79a08f07dd0f": "\"35004852-0000-0800-0000-63f55c330000\"",
+ "41f05d3b-cc19-40f4-942e-d6748668eb18": "\"35008b52-0000-0800-0000-63f55c460000\"",
+ "4f53eb74-71dc-4775-a62c-ff48580a8bb2": "\"3500cc52-0000-0800-0000-63f55c580000\"",
+ "4413d174-435c-48a7-8a3c-437db7ff3939": "\"35001753-0000-0800-0000-63f55c6d0000\"",
+ "ece1918c-59f2-43ec-841a-7ef0e99c3b7f": "\"35006a53-0000-0800-0000-63f55c800000\"",
+ "29e3406d-b57c-411b-8604-4b77ff01e36f": "\"3500c153-0000-0800-0000-63f55c920000\"",
+ "d06f4dc9-2343-4bd9-85a1-86436bcf45fb": "\"35001554-0000-0800-0000-63f55ca60000\"",
+ "094a8752-7d9e-4873-84ee-ff561e73b3c0": "\"35007854-0000-0800-0000-63f55cbd0000\"",
+ "afa9ee13-2d74-4ca6-bb7e-8193ba946d40": "\"35008954-0000-0800-0000-63f55cd40000\"",
+ "872545df-734f-481c-acd9-4a2d7af889e3": "\"35008f54-0000-0800-0000-63f55ce80000\"",
+ "6be5f005-18ec-4034-8f0d-13b8ce42b11a": "\"3500a054-0000-0800-0000-63f55cfb0000\"",
+ "7d5851b1-5d59-44da-9b51-5a0482707723": "\"3500a454-0000-0800-0000-63f55d0e0000\"",
+ "d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a": "\"3500a754-0000-0800-0000-63f55d2c0000\"",
+ "814a077a-8846-4195-af81-d17d1bbfd54d": "\"3500c354-0000-0800-0000-63f55d4a0000\"",
+ "2888ae98-ce2c-44e9-a841-001e775b0b7a": "\"3500ca54-0000-0800-0000-63f55d610000\"",
+ "a438db5b-f71f-4cb7-98ad-335e3b8ba533": "\"3500ce54-0000-0800-0000-63f55d730000\"",
+ "cda5807c-80cb-4159-adcb-884589deef20": "\"3500d654-0000-0800-0000-63f55d8f0000\"",
+ "4a9a7b49-4e79-4f64-b778-209a63227af1": "\"3500e154-0000-0800-0000-63f55da10000\"",
+ "56bd3d9c-25ae-42f7-80b5-b3be274f9971": "\"35000655-0000-0800-0000-63f55df70000\"",
+ "fc32fc57-e12b-4823-b40a-86ede70b5af7": "\"35001d55-0000-0800-0000-63f55e0d0000\"",
+ "1ffcf2eb-7b20-4385-add1-d47244784479": "\"35009c55-0000-0800-0000-63f55e200000\"",
+ "a095755b-fc1c-4311-a607-118eb9170048": "\"3500b056-0000-0800-0000-63f55e340000\"",
+ "9bcc4a9b-d85e-4927-a32e-b8284cfa5422": "\"3500ba57-0000-0800-0000-63f55e470000\"",
+ "aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4": "\"3500bc58-0000-0800-0000-63f55e5a0000\"",
+ "3df7345e-b037-4478-a753-dd23d194b187": "\"3500165a-0000-0800-0000-63f55e740000\"",
+ "8e494d49-35d6-4cea-b30d-29f22c179aab": "\"35008a5b-0000-0800-0000-63f55e8c0000\"",
+ "f6dda353-e32a-41e2-b892-87012ab48a79": "\"35002d5d-0000-0800-0000-63f55eaa0000\"",
+ "ece332c1-3f76-49d9-92fb-c94bc4af948d": "\"3500755e-0000-0800-0000-63f55ebf0000\"",
+ "b40835ac-6aa1-44c8-94ee-9634550cbf43": "\"35005a60-0000-0800-0000-63f55eda0000\"",
+ "af215a8a-6d4d-4018-9e57-232303ee41d6": "\"3500c561-0000-0800-0000-63f55eed0000\"",
+ "ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e": "\"3500df63-0000-0800-0000-63f55f060000\"",
+ "eef3a7d9-3be0-461b-9136-dfd2485f0fe5": "\"3500b064-0000-0800-0000-63f55f1b0000\"",
+ "4715c9ad-d4c0-4eed-b1a7-fa0a808deff4": "\"3500b664-0000-0800-0000-63f55f360000\"",
+ "6769d928-39db-442b-8af3-4477e02f38fc": "\"3500bb64-0000-0800-0000-63f55f490000\"",
+ "fd78be72-fc73-4cb5-aef3-b9f61b35c1be": "\"3500bf64-0000-0800-0000-63f55f5e0000\"",
+ "08df1b8f-e53a-4f2e-9bd3-b3908f512f46": "\"3500c264-0000-0800-0000-63f55f730000\"",
+ "9aa0f3fe-1c85-48de-b37f-63b61b97b3d6": "\"3500c964-0000-0800-0000-63f55f8a0000\"",
+ "6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974": "\"3500cc64-0000-0800-0000-63f55f9f0000\"",
+ "33e7e266-a87e-454d-8e09-6d3e131d75ee": "\"3500d264-0000-0800-0000-63f55fb80000\"",
+ "881f8a7b-1178-4f35-9b02-7fc5414ba7f8": "\"3500df64-0000-0800-0000-63f55fcd0000\"",
+ "79061028-980a-4760-881b-52e79c1015c6": "\"35007565-0000-0800-0000-63f55fdf0000\"",
+ "b674088a-825a-4b49-ad10-7ffa5d483059": "\"35006b66-0000-0800-0000-63f55ff50000\"",
+ "f740a0e2-386b-4470-8b13-284d2ee5dce5": "\"35000467-0000-0800-0000-63f560170000\"",
+ "fd536808-fae9-4fc6-b046-9cd28b7e9e19": "\"35000867-0000-0800-0000-63f5602a0000\"",
+ "3e4f6960-6e74-4b97-960b-6eca2383de68": "\"35001f67-0000-0800-0000-63f560440000\"",
+ "41da3e01-b685-4352-bded-ae2646b20c5c": "\"35002667-0000-0800-0000-63f560680000\"",
+ "8e545f53-bfa1-47e0-997d-d7f67d02eda4": "\"35002b67-0000-0800-0000-63f5607d0000\"",
+ "bde332b1-a602-44eb-b834-99dc1e0b42d9": "\"35002e67-0000-0800-0000-63f5608e0000\"",
+ "bc94a765-bab8-4692-9cec-86978582f1b8": "\"35003467-0000-0800-0000-63f560a40000\"",
+ "7791c2cc-28ac-4387-87e7-9ddda54c2543": "\"35003767-0000-0800-0000-63f560b70000\"",
+ "99d7dd4b-3f78-4f82-b514-82a22fe2eb3a": "\"35003a67-0000-0800-0000-63f560cd0000\"",
+ "3c22319a-c4d1-411e-8764-72a96333f21e": "\"35004b67-0000-0800-0000-63f561270000\"",
+ "0ae05016-a937-41c9-92ab-9c347b0ea127": "\"35005167-0000-0800-0000-63f561410000\"",
+ "534eed88-50e6-4584-a8f0-c245d16537e9": "\"35005767-0000-0800-0000-63f561530000\"",
+ "f440c27a-949f-44a8-8617-6533617ce4c6": "\"35006367-0000-0800-0000-63f561660000\"",
+ "f41c2cf0-14ea-42fb-a07e-c7514a198d17": "\"35006a67-0000-0800-0000-63f5617c0000\"",
+ "8931ab6f-b308-4242-9876-014014c6b8ff": "\"35007167-0000-0800-0000-63f561950000\"",
+ "a21f9398-0e6d-4d8a-a9cf-4becee5853b0": "\"35007667-0000-0800-0000-63f561ad0000\"",
+ "b0a0ec4e-ca45-42df-aaca-8487d921115d": "\"35007967-0000-0800-0000-63f561c20000\"",
+ "4e451694-0fbc-4df8-83ca-1cbc82d3e019": "\"35007e67-0000-0800-0000-63f561da0000\"",
+ "511e0713-a13f-4f83-8021-b8a22bb9bcc4": "\"35008267-0000-0800-0000-63f561ed0000\"",
+ "176ecb24-2007-4d65-a832-af6efe88afb5": "\"35008667-0000-0800-0000-63f562010000\"",
+ "a37d6c4a-630f-40f1-8ed7-85033c97b226": "\"35008a67-0000-0800-0000-63f562160000\"",
+ "3e0c16d9-b987-4982-8917-261b9b619c83": "\"35008f67-0000-0800-0000-63f562280000\"",
+ "a48aee53-b375-4d5c-b0e2-9d534f99bed8": "\"35009267-0000-0800-0000-63f5623a0000\"",
+ "a52b38c6-0473-4282-b1ac-a34022f46447": "\"35009867-0000-0800-0000-63f562520000\"",
+ "b52679aa-c825-444f-8dc3-2e679658b552": "\"35009b67-0000-0800-0000-63f5626c0000\"",
+ "d12000f0-f1b6-4344-bb3c-a8988e77eb75": "\"35009f67-0000-0800-0000-63f5627f0000\"",
+ "75cbd5b7-4158-4e21-8ce3-8197e05caa7f": "\"3500ab67-0000-0800-0000-63f562940000\"",
+ "675ea0df-9fff-4dc5-b0ee-521faf737c55": "\"3500b367-0000-0800-0000-63f562a80000\"",
+ "215089a8-4173-47cc-801b-56f449b9e978": "\"3500b667-0000-0800-0000-63f562bd0000\"",
+ "efea115d-c997-4be7-adcb-95afd6643a0a": "\"3500bd67-0000-0800-0000-63f562da0000\"",
+ "da88214f-a4b3-48fc-b8c3-fa71bb3ef678": "\"3500c267-0000-0800-0000-63f562f10000\"",
+ "149a0db6-2ad7-4e69-bf36-0c4f62873101": "\"35000568-0000-0800-0000-63f5633f0000\"",
+ "789aca0f-8766-49a2-84b7-1d68e2db7652": "\"35000b68-0000-0800-0000-63f563550000\"",
+ "481c342f-c33a-455b-82d5-2205b068f5d0": "\"35002668-0000-0800-0000-63f563660000\"",
+ "204119a5-daf5-4bfb-a565-a6bbf5dec2ad": "\"35002a68-0000-0800-0000-63f563780000\"",
+ "eb68e7af-1e04-45c3-985f-76e076002f57": "\"35004a68-0000-0800-0000-63f563aa0000\"",
+ "b42fd648-56d8-405b-8303-ecbf32e7f3be": "\"35005468-0000-0800-0000-63f563bd0000\"",
+ "f25caf39-8a25-48d1-b564-3098bfb1a4b3": "\"35006b68-0000-0800-0000-63f563d10000\"",
+ "d7b90ebc-9243-4837-bc04-15808d6fffdf": "\"35007968-0000-0800-0000-63f563e50000\"",
+ "e6926bd2-1c73-494e-b193-b5853be6b838": "\"35007c68-0000-0800-0000-63f563f80000\"",
+ "5178c35e-cf89-4442-b41b-ff963659f9a5": "\"35008168-0000-0800-0000-63f564120000\"",
+ "25bd255a-bf5e-4c83-b39f-fb8570442411": "\"35008468-0000-0800-0000-63f564250000\"",
+ "b7d192e4-4786-463b-acef-ae7ea5569a06": "\"35008968-0000-0800-0000-63f564370000\"",
+ "a6e2aa27-43bc-45b2-b96d-48b735364839": "\"35008d68-0000-0800-0000-63f564550000\"",
+ "eb2153ae-e569-42cf-8467-40f05affa51f": "\"35009868-0000-0800-0000-63f564680000\"",
+ "f801914e-c351-43d7-b2a7-ba58f064fda6": "\"3500a268-0000-0800-0000-63f5647b0000\"",
+ "c655ec79-ccbb-4940-b53f-a1f0a6583a53": "\"3500ac68-0000-0800-0000-63f564920000\"",
+ "ba38e02e-2c7c-4744-9292-8df5f3fc28ac": "\"3500b068-0000-0800-0000-63f564aa0000\"",
+ "a649754e-0850-48be-af9d-9ae66e282259": "\"3500b368-0000-0800-0000-63f564bd0000\"",
+ "048acbb1-a65f-405e-b6bd-da47b59dffa7": "\"3500b768-0000-0800-0000-63f564d10000\"",
+ "432364d6-323c-41fb-a646-12ae79e3d321": "\"3500c268-0000-0800-0000-63f564ea0000\"",
+ "1b1e0484-a8d7-4116-bbc0-294d9d45aa1d": "\"3500c968-0000-0800-0000-63f564fe0000\"",
+ "a203a1c1-5360-4d2b-a61e-7e02066ef891": "\"3500d968-0000-0800-0000-63f565170000\"",
+ "e9f798a0-8821-4cde-9667-21d84cc45915": "\"3500df68-0000-0800-0000-63f5652c0000\"",
+ "58279f6d-5629-40b2-852b-66c575dbb0ca": "\"3500e368-0000-0800-0000-63f565480000\"",
+ "689e109d-46e0-4f54-b0b4-1377167cd660": "\"3500ff68-0000-0800-0000-63f5655e0000\"",
+ "f3f94d19-f440-483e-b11a-231f93731fe8": "\"35000469-0000-0800-0000-63f565730000\"",
+ "f9862418-b01a-40d9-84e1-bece0e2e89bb": "\"35000a69-0000-0800-0000-63f565850000\"",
+ "bf490122-cedd-48e7-ba93-246d9ba9bfae": "\"35000f69-0000-0800-0000-63f5659c0000\"",
+ "9aab9ad2-d911-4d72-95ba-0fa53d80af93": "\"35001569-0000-0800-0000-63f565af0000\"",
+ "338cfd75-5f86-4e98-91a0-87733bd4698e": "\"35001a69-0000-0800-0000-63f565c30000\"",
+ "9970db1b-bed7-4ca6-a5ea-effa3aac7b05": "\"35001f69-0000-0800-0000-63f565da0000\"",
+ "c6b7994e-ae58-499c-bdac-a7035e8858de": "\"35002269-0000-0800-0000-63f565ec0000\"",
+ "59b0b0bc-b313-42b4-a3d9-7c5dc383b448": "\"35002669-0000-0800-0000-63f565ff0000\"",
+ "36af90d3-daf0-4785-a195-afa11219595f": "\"35002c69-0000-0800-0000-63f566130000\"",
+ "c4f34b46-8c20-46f0-b790-23d2bd555b6a": "\"35004769-0000-0800-0000-63f5665f0000\"",
+ "17cf26a4-edee-458d-a467-5933e8c1a1aa": "\"35004f69-0000-0800-0000-63f566830000\"",
+ "6b67df71-a90e-424c-8725-e7f9574d716f": "\"35005369-0000-0800-0000-63f566990000\"",
+ "68b67702-32ef-41ac-a8b2-f793d9689274": "\"35006969-0000-0800-0000-63f566af0000\"",
+ "a814a61a-672f-431f-9b2b-869e9bcaa534": "\"35007569-0000-0800-0000-63f566ca0000\"",
+ "f45e4a0d-2bbf-417c-97b7-643c7d4a0f93": "\"35007969-0000-0800-0000-63f566e30000\"",
+ "837ae291-8946-4918-a036-a22f4da70456": "\"35008169-0000-0800-0000-63f566fd0000\"",
+ "7fa27bab-66bb-4d8c-a80e-843f48e2a3b0": "\"35008469-0000-0800-0000-63f567140000\"",
+ "04adf3cf-371a-475f-9f03-f7991a6f3aa3": "\"3500a169-0000-0800-0000-63f567400000\"",
+ "16b51acb-d11f-4570-ad5b-2a33fb52e25f": "\"3500a969-0000-0800-0000-63f567590000\"",
+ "af5d8d85-ac5f-4ef7-bf10-7b43986ec91d": "\"3500ac69-0000-0800-0000-63f5676e0000\"",
+ "4ef59b89-0b97-4fca-99d0-6b3f861142cf": "\"3500c969-0000-0800-0000-63f567c00000\"",
+ "e001fc5b-00f7-47eb-ad14-4f68ac4b56fa": "\"3500cd69-0000-0800-0000-63f567d30000\"",
+ "8adb0ef2-02b3-4efd-81b3-20f79556d862": "\"3500d469-0000-0800-0000-63f567ed0000\"",
+ "a36172b6-4acf-4915-b0c5-ea8be7d05c86": "\"3500d769-0000-0800-0000-63f568010000\"",
+ "516cc0be-cc97-486b-928e-0e222352ba46": "\"3500dc69-0000-0800-0000-63f568130000\"",
+ "4515ed4c-edac-40b7-9ba0-1e96b7db4572": "\"3500e069-0000-0800-0000-63f568270000\"",
+ "4059cc8c-74ef-43f9-abed-bb067aa015ae": "\"3500e369-0000-0800-0000-63f568390000\"",
+ "8fb31b17-e360-4b59-a281-19c4fe483909": "\"3500e769-0000-0800-0000-63f5684c0000\"",
+ "edec3f95-3e38-4140-a078-96c6bf105d1a": "\"3500ee69-0000-0800-0000-63f568640000\"",
+ "4e52f7d5-cb46-4880-9b3a-279444078bcf": "\"3500016a-0000-0800-0000-63f568780000\"",
+ "dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46": "\"3500076a-0000-0800-0000-63f568940000\"",
+ "74893bd0-8ffa-4e9f-83a5-58ed055824bc": "\"35000d6a-0000-0800-0000-63f568ad0000\"",
+ "2f33cb73-78b6-4886-8434-f319deea8d62": "\"3500146a-0000-0800-0000-63f568be0000\"",
+ "9d356cdc-fd63-4071-bc5b-f06d5effc36f": "\"35001a6a-0000-0800-0000-63f568e30000\"",
+ "e669ef82-838e-40b8-8423-efd8303206c6": "\"3500206a-0000-0800-0000-63f568fe0000\"",
+ "beb39f94-ac53-4ab4-b1c2-7b591497b571": "\"3500246a-0000-0800-0000-63f569120000\"",
+ "20412a8c-a3a7-41a5-8620-6d4c724d3092": "\"35002b6a-0000-0800-0000-63f569290000\"",
+ "595b910c-156b-4a20-996e-06c50a217133": "\"3500486a-0000-0800-0000-63f569430000\"",
+ "22cf036c-2193-4352-9fb5-869ed7dc00a6": "\"35004d6a-0000-0800-0000-63f569580000\"",
+ "a0ee0fdf-b347-449d-8cdb-b750cc062e02": "\"3500516a-0000-0800-0000-63f5696c0000\"",
+ "2c3d7a74-362a-4a6e-836a-279bc1fd8813": "\"3500756a-0000-0800-0000-63f5697e0000\"",
+ "32d3c923-7729-41bc-8b18-790e97726d79": "\"35008d6a-0000-0800-0000-63f569920000\"",
+ "49325680-a0e6-4b0d-b9ea-cc4991de4c73": "\"3500ba6a-0000-0800-0000-63f569aa0000\"",
+ "d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d": "\"3500ce6a-0000-0800-0000-63f569df0000\"",
+ "34be0f95-d845-4501-a64f-3f272d3e7d52": "\"3500d16a-0000-0800-0000-63f569f30000\"",
+ "5fa2554b-b319-4605-ad60-92601ac5d7ba": "\"3500e76a-0000-0800-0000-63f56a0a0000\"",
+ "ab212c5e-07ce-439e-a2d3-cba34ff1cc1d": "\"3500006b-0000-0800-0000-63f56a240000\"",
+ "58d21291-77aa-4e73-9603-1cefbe80b39c": "\"35002e6b-0000-0800-0000-63f56a9d0000\"",
+ "eba9eb63-e5e8-4617-87f7-492aedad803a": "\"3500396b-0000-0800-0000-63f56ab20000\"",
+ "bedfc0cf-b75b-4574-9de6-1b38a51fc987": "\"3500496b-0000-0800-0000-63f56ac90000\"",
+ "ed27aa54-2adc-4774-ae30-6f84a1de0213": "\"3a004472-0000-0800-0000-63f81ea90000\"",
+ "7c192267-ac8a-4182-9336-f5e7647fe9e5": "\"1f00d02a-0000-0800-0000-63e711b10000\"",
+ "63d1052b-e396-4366-a76f-4665b4b8f319": "\"2500f8ce-0000-0800-0000-63ec43700000\"",
+ "927ca451-fe12-4de3-983d-bd50cc359b7f": "\"250013cf-0000-0800-0000-63ec43920000\"",
+ "895522a3-ae18-4771-add7-334f7b4a3124": "\"25007dd2-0000-0800-0000-63ec492b0000\"",
+ "fcd7bae2-0354-454d-9884-18880ff95fe8": "\"2500e9d2-0000-0800-0000-63ec4ad60000\"",
+ "02ca5f41-a642-413b-aec0-51b9e20cce8a": "\"35008869-0000-0800-0000-63f567280000\"",
+ "8ccf4287-558c-445f-9331-ebb58c2be800": "\"35006b6b-0000-0800-0000-63f56ae90000\"",
+ "0a9646c6-c11c-4190-83be-ff0440581ebd": "\"35006f6b-0000-0800-0000-63f56afc0000\"",
+ "324b11f6-6382-45b4-934b-3f60ff4457a3": "\"3500756b-0000-0800-0000-63f56b240000\"",
+ "8e6cbbe1-93ba-45ab-8731-82d2802a60df": "\"3500796b-0000-0800-0000-63f56b360000\"",
+ "c3ec0a36-7cf7-47df-a82c-fc32720db69f": "\"35007d6b-0000-0800-0000-63f56b490000\"",
+ "fe7d80f1-5bd1-409b-89df-c48b2f340b80": "\"35008b6b-0000-0800-0000-63f56b5c0000\"",
+ "0f5a5c06-ca09-4075-890a-e46be2ee412a": "\"35009a6b-0000-0800-0000-63f56b6e0000\"",
+ "64c74af9-0412-4732-89f8-86f46e4897eb": "\"3500b56b-0000-0800-0000-63f56b820000\"",
+ "3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646": "\"3500bb6b-0000-0800-0000-63f56b950000\"",
+ "1ef21999-d53f-4840-bde9-6b90ee767bb7": "\"3500da6b-0000-0800-0000-63f56bb00000\"",
+ "6392295f-31e9-45da-8c14-5554a2b3fb7c": "\"3500f76b-0000-0800-0000-63f56bc10000\"",
+ "1217fe0b-489f-434b-9c6d-877c44610d0b": "\"3500fb6b-0000-0800-0000-63f56bd40000\"",
+ "86475faa-04ff-4383-86b2-ebca93ca8097": "\"3500136c-0000-0800-0000-63f56be60000\"",
+ "52bb7be6-1fb5-424b-bb24-84d427d91626": "\"35002a6c-0000-0800-0000-63f56c030000\"",
+ "4af76a04-0e2a-4892-ae63-3de3b4e9ead2": "\"35002f6c-0000-0800-0000-63f56c210000\"",
+ "a0021314-e49e-45d9-801f-e7bca20e9046": "\"3500336c-0000-0800-0000-63f56c320000\"",
+ "84cfa531-ea08-4c84-a1a1-d85c55c45f06": "\"3500376c-0000-0800-0000-63f56c4a0000\"",
+ "89bbc939-d47e-4b36-82dc-bcec562f0763": "\"3500486c-0000-0800-0000-63f56c5c0000\"",
+ "6f4474f5-8c95-4248-a56d-510a85fb07b3": "\"35006e6c-0000-0800-0000-63f56c780000\"",
+ "91d5304a-0628-4ab8-9c57-670bb4da620b": "\"35007c6c-0000-0800-0000-63f56c8b0000\"",
+ "8cfd3e23-2616-4c6f-b061-a8e47d0536bb": "\"35008d6c-0000-0800-0000-63f56c9f0000\"",
+ "2636af24-3225-405a-aa4b-7b455f326445": "\"35009e6c-0000-0800-0000-63f56cbb0000\"",
+ "9abf000c-f4ad-413f-9cd7-405d95349988": "\"3500a66c-0000-0800-0000-63f56cd50000\"",
+ "6e485f07-3a11-4eb5-ac2a-d1b82aca8c62": "\"3500b56c-0000-0800-0000-63f56ce70000\"",
+ "fd68f806-d8b0-4c8f-aa0f-3b78b59f157f": "\"3500cd6c-0000-0800-0000-63f56cfa0000\"",
+ "704b2418-b2bd-4b4a-8f9e-cf47562e133d": "\"3500d16c-0000-0800-0000-63f56d0c0000\"",
+ "b3345cc6-ee8c-46d4-abc9-8adae4b877d1": "\"3500e26c-0000-0800-0000-63f56d270000\"",
+ "3aa3ab52-566f-46a0-a5c9-caba62eaa518": "\"3500e96c-0000-0800-0000-63f56d3b0000\"",
+ "cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0": "\"3500ed6c-0000-0800-0000-63f56d4d0000\"",
+ "9df8fa13-f28b-41d5-8065-9d7e234aaa26": "\"3500f16c-0000-0800-0000-63f56d660000\"",
+ "c20c6d74-5470-4242-a748-d5625abb65b1": "\"3500f56c-0000-0800-0000-63f56d790000\"",
+ "340041fc-2cb7-423b-9da9-ec04a258f864": "\"3500f86c-0000-0800-0000-63f56d8b0000\"",
+ "d012df68-9c36-431a-acc1-704063e21101": "\"3500fb6c-0000-0800-0000-63f56d9d0000\"",
+ "bb49283b-b564-43d4-868c-2a6186144d8e": "\"3500186d-0000-0800-0000-63f56db20000\"",
+ "fa482a76-22d1-469d-8a47-510e71286ddd": "\"35001d6d-0000-0800-0000-63f56dc30000\"",
+ "bb0035d3-3ac9-40d5-976e-6076f906473c": "\"3500216d-0000-0800-0000-63f56dda0000\"",
+ "61a3f08d-ad2d-49cb-baac-9edc6235e968": "\"3500256d-0000-0800-0000-63f56df20000\"",
+ "f88f852a-b2cb-4e34-b282-36549eb50b2b": "\"35002b6d-0000-0800-0000-63f56e090000\"",
+ "efe3369b-f57f-4fb2-9570-d7a9fe32b526": "\"35002f6d-0000-0800-0000-63f56e1f0000\"",
+ "2950dda7-bc3f-4e83-9528-80df8dbe1368": "\"3500466d-0000-0800-0000-63f56e350000\"",
+ "e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e": "\"3500576d-0000-0800-0000-63f56e4f0000\"",
+ "fe861c55-a355-4af2-8e9e-2e2d8f7a68d9": "\"35005c6d-0000-0800-0000-63f56e620000\"",
+ "b63935f5-aae3-45b5-bd0d-f2da794fd126": "\"35005f6d-0000-0800-0000-63f56e750000\"",
+ "57b338f9-1c0e-42ee-9b56-1af8886e2047": "\"3500626d-0000-0800-0000-63f56e860000\"",
+ "ce11fda8-f604-4547-af58-fa313e8a8146": "\"3500676d-0000-0800-0000-63f56e990000\"",
+ "3d7a19b1-33bc-429e-b5d3-b6d0ab02216c": "\"35006d6d-0000-0800-0000-63f56eb30000\"",
+ "b131e363-3009-4942-a35c-14d5c7284ead": "\"3500706d-0000-0800-0000-63f56ec70000\"",
+ "916dae72-d95a-41c4-9370-30ff57177fbf": "\"3500736d-0000-0800-0000-63f56eda0000\"",
+ "066d6852-04de-4dab-9b95-bd3d2835a859": "\"3500776d-0000-0800-0000-63f56eed0000\"",
+ "b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b": "\"35007c6d-0000-0800-0000-63f56f050000\"",
+ "fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2": "\"3500816d-0000-0800-0000-63f56f180000\"",
+ "c34a8927-e01b-4de6-ae5f-52fb6ac204f9": "\"3500866d-0000-0800-0000-63f56f2b0000\"",
+ "00f4fd35-801a-4996-a1c5-bde58605be5c": "\"35008b6d-0000-0800-0000-63f56f3d0000\"",
+ "e901d93b-d192-4fac-8c53-9e023b8ef3c0": "\"35008e6d-0000-0800-0000-63f56f500000\"",
+ "74131d4a-83fd-4606-a5f4-71dc1d169a3d": "\"3500926d-0000-0800-0000-63f56f630000\"",
+ "91011f1e-3186-450d-9cd7-83e9c840508a": "\"3500996d-0000-0800-0000-63f56f760000\"",
+ "4b4b2f57-ace1-4d2d-9793-942442bc9668": "\"3500a06d-0000-0800-0000-63f56f8d0000\"",
+ "d4f0a426-2354-416f-9999-b8d28d3e93ed": "\"3500a36d-0000-0800-0000-63f56fa00000\"",
+ "370b2ef6-5d11-4827-a36a-eadd0cd821fe": "\"3500a66d-0000-0800-0000-63f56fb20000\"",
+ "9798584d-ebeb-4a0d-89f1-df23ee5a9edf": "\"3500aa6d-0000-0800-0000-63f56fc70000\"",
+ "51c23e70-6d7e-47c5-87b0-e798a636931d": "\"3500ad6d-0000-0800-0000-63f56fd80000\"",
+ "7e19583d-27e1-41c2-90a9-3f813155c6ce": "\"3500b26d-0000-0800-0000-63f56fea0000\"",
+ "a9e6f155-4049-4401-89e3-a9f769675eb6": "\"3500b66d-0000-0800-0000-63f56ffe0000\"",
+ "4f1de90b-7ff1-441a-af02-0a2a86ca9848": "\"3500ba6d-0000-0800-0000-63f570130000\"",
+ "9199567e-9c5d-4078-8f0f-40e9d4d5836c": "\"3500c56d-0000-0800-0000-63f570280000\"",
+ "66ee9d45-4e7e-4b0d-a361-377cd3662750": "\"3500d26d-0000-0800-0000-63f5703f0000\"",
+ "94d72012-0846-4f42-9d26-51f9cdb2fa6e": "\"3500d86d-0000-0800-0000-63f570530000\"",
+ "697575c4-83f0-4d98-9594-b6f254db566a": "\"3500db6d-0000-0800-0000-63f570680000\"",
+ "454abbc9-3d65-4dfb-9446-0af12f681192": "\"3500e06d-0000-0800-0000-63f570850000\"",
+ "7d070056-c31e-46a3-8ab6-299510132e4f": "\"3500e66d-0000-0800-0000-63f5709a0000\"",
+ "80e77d48-d0f1-4d7d-bb68-2ad8123ba8db": "\"3500ef6d-0000-0800-0000-63f570ae0000\"",
+ "bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b": "\"3500f46d-0000-0800-0000-63f570c40000\"",
+ "3c746716-20a6-46bd-98fd-d5c9d0aa1553": "\"3500f76d-0000-0800-0000-63f570d70000\"",
+ "8ed981a2-337b-4542-a371-3968ac93f923": "\"3500fd6d-0000-0800-0000-63f570ef0000\"",
+ "55f68d39-f930-44bd-acb6-4eddd9007237": "\"3500546e-0000-0800-0000-63f571060000\"",
+ "b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3": "\"35009f6e-0000-0800-0000-63f5711c0000\"",
+ "35efaa1c-ca0f-4fc8-b30b-993f1502dadc": "\"3500be6e-0000-0800-0000-63f571300000\"",
+ "4416b145-266e-461b-b5bf-c346069f404e": "\"3500ee6e-0000-0800-0000-63f571490000\"",
+ "47a5442c-c3e1-4a44-829b-a0fce5ffdb54": "\"3500196f-0000-0800-0000-63f571650000\"",
+ "7aa0650e-f8b6-4737-9894-85f684aa5d18": "\"3500506f-0000-0800-0000-63f571840000\"",
+ "5fcaa294-5c2f-495c-acf4-f6a93b6589f9": "\"35006b6f-0000-0800-0000-63f571960000\"",
+ "3838a2fe-0433-432b-8f34-fd48f0930148": "\"3500886f-0000-0800-0000-63f571ae0000\"",
+ "fddce345-91bc-4cba-82f9-af733f7cdc69": "\"3500a46f-0000-0800-0000-63f571c10000\"",
+ "b26de50a-8f22-4454-ae13-6442ac7decad": "\"3500d86f-0000-0800-0000-63f571d40000\"",
+ "b59ad89c-249e-462f-ac68-c23a93202fa3": "\"3500fb6f-0000-0800-0000-63f571e60000\"",
+ "6fbd8942-976f-4b19-94c6-785e9f05136e": "\"35002c70-0000-0800-0000-63f572350000\"",
+ "3f40377b-15d8-490f-a8d7-82c385f81829": "\"35003070-0000-0800-0000-63f5724a0000\"",
+ "e557ae74-ef8a-4bab-b807-959486942ceb": "\"35003570-0000-0800-0000-63f572630000\"",
+ "9578ea47-ee34-4289-9aa2-05630ecf2f1b": "\"35003a70-0000-0800-0000-63f572760000\"",
+ "e52bd802-3e96-4391-8b7f-c57e58539370": "\"35004e70-0000-0800-0000-63f5729e0000\"",
+ "aaa53051-1af4-42d9-a523-c08752580ade": "\"35005c70-0000-0800-0000-63f572b60000\"",
+ "cda14730-b43b-4099-a785-6145306928b9": "\"35006070-0000-0800-0000-63f572cb0000\"",
+ "af136dbc-b98a-4c3b-9842-e076768ae2a1": "\"35006470-0000-0800-0000-63f572e20000\"",
+ "1c6090a0-fa8a-4ebe-b8b2-5576114a384f": "\"35006c70-0000-0800-0000-63f572f40000\"",
+ "1e944163-f959-46f8-9760-95a54652437b": "\"35007d70-0000-0800-0000-63f5730b0000\"",
+ "fd618de1-e892-433a-9bc3-4d5d94edf017": "\"35008070-0000-0800-0000-63f5731e0000\"",
+ "8ef3b755-c57d-4103-8ad3-7536adbdd953": "\"35008770-0000-0800-0000-63f573360000\"",
+ "61cf974b-9170-4e7e-9c13-f801cce8b2c2": "\"35009370-0000-0800-0000-63f573850000\"",
+ "85e14dab-bc47-4f28-810f-47db9aa5896f": "\"35009970-0000-0800-0000-63f5739c0000\"",
+ "b4b19b2b-c30f-4f25-b5d5-762e7ceeef99": "\"35009d70-0000-0800-0000-63f573b40000\"",
+ "8d2677a1-dcf3-42b1-848b-a0a7055016d8": "\"3500a270-0000-0800-0000-63f573cb0000\"",
+ "6ee20e13-a511-42e0-beb8-020666b7071c": "\"3500a870-0000-0800-0000-63f573e20000\"",
+ "1d14a23e-7c19-4d9b-8775-eb282774958d": "\"3500ab70-0000-0800-0000-63f573f50000\"",
+ "6cef2de7-424f-4297-b732-b8985477fb7e": "\"3500af70-0000-0800-0000-63f5740b0000\"",
+ "c5141be2-18ae-4afc-a9f5-b07e5746cee1": "\"3500b770-0000-0800-0000-63f574220000\"",
+ "c110f9e8-7ac6-496f-8df7-da0c413e767e": "\"3500db70-0000-0800-0000-63f5743d0000\"",
+ "c5b4fb13-738e-4591-a704-741486688b20": "\"3500ec70-0000-0800-0000-63f574540000\"",
+ "a0ae8d0a-38d8-441f-b491-134cf3151846": "\"3500f370-0000-0800-0000-63f5746c0000\"",
+ "460cbcbe-314d-4841-8398-6926043768b8": "\"3500f670-0000-0800-0000-63f5747e0000\"",
+ "9aa5f4c8-b3ad-458f-92e4-d4cf21948c59": "\"35000471-0000-0800-0000-63f574d50000\"",
+ "f34bfe11-29ce-41f8-9a1e-167cd3302d0e": "\"35000771-0000-0800-0000-63f574ec0000\"",
+ "3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f": "\"35000d71-0000-0800-0000-63f574fe0000\"",
+ "a4d01245-f322-4861-9ffe-1c410aa9dfaa": "\"35001071-0000-0800-0000-63f575110000\"",
+ "1b94b9a2-ddd7-4d88-949e-ac13cf28b454": "\"35001571-0000-0800-0000-63f5752c0000\"",
+ "6e9a6f1b-a40e-4ffa-974d-3ab5d675c531": "\"35001871-0000-0800-0000-63f5753e0000\"",
+ "ff44fc3f-4e22-4c9c-94d9-645c7644d2ca": "\"35002071-0000-0800-0000-63f575510000\"",
+ "de4a8f18-acf0-4738-a6b2-2302216fdf48": "\"35002571-0000-0800-0000-63f575620000\"",
+ "c84de391-2133-43e6-af89-27b021feaf75": "\"35003171-0000-0800-0000-63f5757b0000\"",
+ "bbcf3e06-84cb-4bb0-813b-f4f9ce090bab": "\"35003671-0000-0800-0000-63f575920000\"",
+ "941e3a2b-8eed-4cb4-afba-1322838fcbb2": "\"35003a71-0000-0800-0000-63f575a90000\"",
+ "e0adc565-7cd3-47f0-9027-c700df43303a": "\"35003d71-0000-0800-0000-63f575be0000\"",
+ "14c4920e-9a71-4680-aa78-da32072e8dc2": "\"35004871-0000-0800-0000-63f575d60000\"",
+ "22a677eb-9971-4b78-8082-0061d9a975fd": "\"35004c71-0000-0800-0000-63f575e90000\"",
+ "fe80d1cc-65a1-400c-a5d5-5a5decf74f31": "\"35005271-0000-0800-0000-63f576020000\"",
+ "a13c922b-fe7c-476e-a586-edaab2219e57": "\"35005e71-0000-0800-0000-63f576540000\"",
+ "ceb7fe01-21a7-4ffb-b8f0-ac29b991da50": "\"35006371-0000-0800-0000-63f576660000\"",
+ "dfbb9a20-254e-4c70-a302-0ba22da59117": "\"35006971-0000-0800-0000-63f576790000\"",
+ "6dff9c6d-c191-4e5b-a308-a0906a23752d": "\"35007471-0000-0800-0000-63f576900000\"",
+ "b7e581ff-451f-4e85-97fd-f22c8be96580": "\"35007c71-0000-0800-0000-63f576a30000\"",
+ "7ee415a8-0c09-46a1-b75d-9223de562a12": "\"35008171-0000-0800-0000-63f576b40000\"",
+ "049d9663-9edb-4269-8bfa-340896d5cfe4": "\"35008771-0000-0800-0000-63f576c70000\"",
+ "26ed4120-b9df-487e-bf25-3f179ebf75f4": "\"35008a71-0000-0800-0000-63f576df0000\"",
+ "9d781e96-280e-4760-8a74-e28bcd7ef128": "\"35008e71-0000-0800-0000-63f576f20000\"",
+ "3421562d-ac3e-42dc-9d90-e751868bb424": "\"35009471-0000-0800-0000-63f577050000\"",
+ "22b9eab7-3edd-483a-8aca-5568e23dad78": "\"35009871-0000-0800-0000-63f5771d0000\"",
+ "2397d157-f3c4-485d-acd3-008ab8612c60": "\"35009e71-0000-0800-0000-63f5773e0000\"",
+ "67e76653-affb-4264-9b2a-0dd5f5fc2835": "\"3500a271-0000-0800-0000-63f577560000\"",
+ "303d53fd-b132-45bc-9dc9-8852122a64b9": "\"3500a571-0000-0800-0000-63f577690000\"",
+ "4f5a652f-bec8-4112-8f7b-531ff30dfd75": "\"3500aa71-0000-0800-0000-63f5777b0000\"",
+ "1f0221ac-cee3-4eae-801f-c725df4b9f27": "\"3500b471-0000-0800-0000-63f5778f0000\"",
+ "150bcc1a-7788-4624-a9d9-1b05b0fc7051": "\"3500eb71-0000-0800-0000-63f577a30000\"",
+ "929e1a28-c623-44b1-a8ef-7a1739b9bba1": "\"3500f171-0000-0800-0000-63f577b70000\"",
+ "3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75": "\"35000472-0000-0800-0000-63f577cc0000\"",
+ "be59c13c-c811-4444-9a72-b69c713672b1": "\"35000c72-0000-0800-0000-63f577fc0000\"",
+ "e857375b-b96a-4757-a5a6-c0ed478ee5de": "\"35001072-0000-0800-0000-63f578110000\"",
+ "80491722-4553-4683-a9a0-8f14ea6dfe08": "\"35001472-0000-0800-0000-63f578230000\"",
+ "6e16dc82-ea01-41d5-aa55-6390a418421d": "\"35001772-0000-0800-0000-63f578370000\"",
+ "e3d218b4-cb49-40bb-ac39-4892088ba6c1": "\"35001c72-0000-0800-0000-63f5784a0000\"",
+ "349c1b39-5c33-4d6f-b5a5-580083a77cd3": "\"35003772-0000-0800-0000-63f5785e0000\"",
+ "7fd08f98-0dbf-4604-853a-76a610cc9c0d": "\"35003b72-0000-0800-0000-63f578710000\"",
+ "9d680f1a-5c96-48c6-8662-3604bfe61eb2": "\"35004172-0000-0800-0000-63f5788b0000\"",
+ "c895ed04-d628-4d7d-ad3d-63afd80aa2a9": "\"35004672-0000-0800-0000-63f5789e0000\"",
+ "3c5c78d4-a787-4c7c-9da1-a1244a9878b4": "\"35004a72-0000-0800-0000-63f578b10000\"",
+ "742ae0bd-633c-4f38-804b-3ed926117077": "\"35008872-0000-0800-0000-63f578c80000\"",
+ "57d051c8-0108-455a-9a94-bfa7c7c8e565": "\"3500aa72-0000-0800-0000-63f578df0000\"",
+ "ad713bda-ef00-4837-b0ee-4c955214d0a6": "\"3500b472-0000-0800-0000-63f578f20000\"",
+ "495ef656-bd0f-4a92-a97c-17eab3d1b0b1": "\"3500ca72-0000-0800-0000-63f579030000\"",
+ "604dfab2-c845-4910-876f-76dce9eb58cb": "\"3500d872-0000-0800-0000-63f579550000\"",
+ "3700252b-2d09-4ca1-ba8d-5b070add4fbc": "\"3500de72-0000-0800-0000-63f579670000\"",
+ "bc28747a-f907-4cf8-b2e2-099b4663b67e": "\"3500e472-0000-0800-0000-63f5797b0000\"",
+ "a414027e-9d31-4716-84b5-41bc3cefbde1": "\"3500fe72-0000-0800-0000-63f5798f0000\"",
+ "2985b2db-a13a-4ec0-9606-dc6c837a6dd8": "\"35001173-0000-0800-0000-63f579a10000\"",
+ "2fd7979f-6d09-463b-828c-be33fc9ccfbb": "\"35001773-0000-0800-0000-63f579bf0000\"",
+ "ee08a1b6-de2e-4397-bb4a-9d434ad24ee3": "\"35001f73-0000-0800-0000-63f579d20000\"",
+ "dece78df-9bea-4625-9457-d4a37e01a4a8": "\"35002473-0000-0800-0000-63f579e60000\"",
+ "8a5e860b-05d8-47b1-bb76-f690d926ab12": "\"35002a73-0000-0800-0000-63f579f90000\"",
+ "6587f4a3-260a-470f-a372-fd7d879e9772": "\"35003273-0000-0800-0000-63f57a0b0000\"",
+ "63037f09-9e99-49da-909e-f384f84b9738": "\"35003c73-0000-0800-0000-63f57a230000\"",
+ "5a658bc2-1c28-40d4-be6d-fb228e071c1b": "\"3a006471-0000-0800-0000-63f81e920000\""
+}
\ No newline at end of file
From 862cb2bd4c0c0e18023fdb9f735daf55dda13b3e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:05 +0000
Subject: [PATCH 002/375] Exported file: (Preview) Microsoft Threat
Intelligence Analytics.json.json
---
...crosoft Threat Intelligence Analytics.json | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
diff --git a/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
new file mode 100644
index 00000000..37b219cf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json
@@ -0,0 +1,30 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcd7bae2-0354-454d-9884-18880ff95fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "ThreatIntelligence",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "alertRuleTemplateName": "0dd422ee-e6af-4204-b219-f59ac172e4c6",
+ "severity": "Medium",
+ "tactics": [
+ "Persistence",
+ "LateralMovement"
+ ],
+ "techniques": [],
+ "displayName": "(Preview) Microsoft Threat Intelligence Analytics",
+ "enabled": true,
+ "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts."
+ }
+ }
+ ]
+}
\ No newline at end of file
From c8f55b6d45185ea70f4dfb9e1d00bec2700b0c03 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:05 +0000
Subject: [PATCH 003/375] Exported file: (Preview) TI map Domain entity to Dns
Events (Normalized DNS).json.json
---
...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
new file mode 100644
index 00000000..aa9fd169
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/516cc0be-cc97-486b-928e-0e222352ba46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\nDomainTIs\n | join (\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "(Preview) TI map Domain entity to Dns Events (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies a match in DNS events from any Domain IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+ "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
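Review bot: `"techniques": null`, `"groupByAlertDetails": null` and `"groupByCustomDetails": null` in this export (and in the IP variant in the next patch) give these keys the type `null`, while the Threat Intelligence Analytics export before it writes `"techniques": []` and the Insider Risk export after it writes `[]` for both grouping keys; a list-valued key whose type flips between `null` and array per file forces every consumer of these exports to special-case it. This most likely mirrors what the API returned rather than a deliberate choice, but if the exporter normalizes anything, emitting `[]` for list-valued keys is the safer shape, e.g. `"techniques": []` here. Worth a line in the exporter's documentation either way so re-import tooling knows both forms occur.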
From a351d5398742010b47f498424653cff87924aa6e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:06 +0000
Subject: [PATCH 004/375] Exported file: (Preview) TI map IP entity to Dns
Events (Normalized DNS).json.json
---
...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
new file mode 100644
index 00000000..34e28555
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb31b17-e360-4b59-a281-19c4fe483909')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = (ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"\")\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\nimDns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\n | extend tilist = toscalar(TI_IP_List)\n | mv-expand tilist\n | extend SingleIP=tostring(tilist)\n | project-away tilist\n | where has_ipv4(DnsResponseName, SingleIP)\n | extend DNS_TimeGenerated = TimeGenerated\n| join IP_TI\n on $left.SingleIP == $right.TI_ipEntity\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "(Preview) TI map IP entity to Dns Events (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies a match in DNS events from any IP IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).",
+ "alertRuleTemplateName": "67775878-7f8b-4380-ac54-115e1e828901"
+ }
+ }
+ ]
+}
\ No newline at end of file
From edd263b4e38c223ba38fb0711d1d482a0110273f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:07 +0000
Subject: [PATCH 005/375] Exported file: (Private Preview) Insider Risk
Management_ Sensitive Data Access Outside Organizational
Geolocations.json.json
---
...s Outside Organizational Geolocations.json | 64 +++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
diff --git a/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
new file mode 100644
index 00000000..45aed148
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json
@@ -0,0 +1,64 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT7H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "// Rule Name - (Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations\r\n// Rule Description - Sensitive Data Access Outside Organziational Geolocations\r\n// Prerequisite 1: Onboard Azure Infomation Protection (https://docs.microsoft.com/en-us/azure/information-protection/requirements)\r\n// Prerequisite 2: Install AIP Unified Labeling Scanner (https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner)\r\n// Prerequisite 3: Enable Azure Information Protection Connector (https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-information-protection)\r\n// Prerequisite 4: Enable Azure Active Directory Connector (hhttps://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)\r\nInformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n// | where City <> \"New York\" // Configure Location Details within Organizational Requirements\r\n| extend State = tostring(LocationDetails.state)\r\n// | where State <> \"Texas\" // Configure Location Details within Organizational Requirements\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n// | where Country_Region <> \"US\" // Configure Location Details within Organizational Requirements\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "customDetails": {
+ "Activity": "Activity_s",
+ "Where": "City"
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "AadUserId",
+ "columnName": "UserPrincipalName"
+ }
+ ]
+ }
+ ],
+ "tactics": [],
+ "techniques": null,
+ "displayName": "(Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations",
+ "enabled": false,
+ "description": "Sensitive Data Access Outside Organziational Geolocations",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
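Review bot: The Account entity mapping at the end of this rule binds the `AadUserId` identifier to `UserPrincipalName`, which the query derives from `UserId_s` and joins to `SigninLogs` on UPN; `AadUserId` expects the Azure AD object id, so entity resolution and any grouping on that entity will not line up, and `"identifier": "FullName"` is the identifier for a UPN-shaped value. Separately, every geolocation filter in the query (`// | where City <> ...`, and the State and Country_Region equivalents) is commented out, so as exported the rule with `"triggerThreshold": 0` alerts on every labelled-document access that has any sign-in in the 7-hour period; `"enabled": false` limits the impact, but the description should state that the location filters must be configured before enabling. The `SigninLogs` join also carries no time-proximity constraint, so the location attributed to an access may come from a sign-in hours away inside the period — worth saying in the description. Minor: `hhttps://` in the Prerequisite 4 comment and `Organziational` in both the query header and the `description` value.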
From 2f7d8329502f7287e7a7f9440b6a5213702a9e11 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:08 +0000
Subject: [PATCH 006/375] Exported file: A client made a web request to a
potentially harmful file (ASIM Web Session schema).json.json
---
...armful file (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
new file mode 100644
index 00000000..edcb1bd6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/454abbc9-3d65-4dfb-9446-0af12f681192')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\nimWebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced SIEM information Model (ASIM).\nTo use this analytics rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM)",
+ "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e"
+ }
+ }
+ ]
+}
\ No newline at end of file
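Review bot: The query defines `requestedFileExt` and then filters on `requestedFileExtension`, a column that does not exist, so the rule fails validation as exported; aligning the names, e.g. `| where requestedFileExt in~ (file_ext_blocklist)`, fixes it, and `in~` also makes the extension compare case-insensitive so `.PS1` is not missed against the lowercase blocklist. The regex passed to `extract(@(\.\w+)$, 1, ...)` is not a quoted verbatim string literal; KQL expects `@'(\.\w+)$'`, unless this is an export artifact — worth confirming against the source template. The summarize also names its count `NumFailedAttempts` although the pipeline is filtered to `eventresult='Success'`; `NumRequests` would describe what is counted.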
From 64f5101b97d07cf6870efa47cae09da9be9ad54a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:09 +0000
Subject: [PATCH 007/375] Exported file: A host is potentially running
PowerShell to send HTTP(S) requests (ASIM Web Session schema).json.json
---
...S) requests (ASIM Web Session schema).json | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
new file mode 100644
index 00000000..ee78f037
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2"
+ }
+ }
+ ]
+}
\ No newline at end of file
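Review bot: The query's `externaldata(...)` pulls the user-agent indicator list at every run from `raw.githubusercontent.com/.../master/.../UnusualUserAgents.csv`, so detection coverage depends on a mutable public branch and on outbound reachability from the query engine, and a change to or outage of that file silently changes what this rule alerts on. Pinning the URL to a commit SHA, or mirroring the list into the `UnusualUserAgents` watchlist the query already reads via `_GetWatchlist`, keeps the indicator set under the workspace's own change control; the crypto miner and hacking tool exports in the next two patches use the same construct. The `description` value also renders across three physical lines while the hunk header counts the file as 52 lines, which suggests an unescaped carriage return or line separator inside the string; the sibling rules escape line breaks as `\n`, and a strict RFC 8259 parser rejects raw control characters in a string.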
From e5614d56b31a10f74b3d52df9e78f96d8289156d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:09 +0000
Subject: [PATCH 008/375] Exported file: A host is potentially running a crypto
miner (ASIM Web Session schema).json.json
---
...rypto miner (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
new file mode 100644
index 00000000..deeead3f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Cryptominer\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running a crypto miner (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the Advanced SIEM Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "8cbc3215-fa58-4bd6-aaaa-f0029c351730"
+ }
+ }
+ ]
+}
\ No newline at end of file
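Review bot: The `let fullUAList = array_concat(knownUserAgents,customUserAgents)` statement in the query has no terminating `;` before `imWebSession(...)`, so the query is a KQL syntax error and the rule cannot run as exported; the PowerShell variant in the previous patch ends the same line with `;`. Change it to `let fullUAList = array_concat(knownUserAgents,customUserAgents);`. The hacking tool rule in the next patch has the identical defect.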
From 1abc9e0d2ac3ad3c4a4fb05d8aca1619ba1ea00c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:10 +0000
Subject: [PATCH 009/375] Exported file: A host is potentially running a
hacking tool (ASIM Web Session schema).json.json
---
...acking tool (ASIM Web Session schema).json | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
new file mode 100644
index 00000000..36756c66
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json
@@ -0,0 +1,51 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1f0221ac-cee3-4eae-801f-c725df4b9f27')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "severity": "Medium",
+ "query": "let threatCategory=\"Hacking Tool\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "A host is potentially running a hacking tool (ASIM Web Session schema)",
+ "enabled": false,
+ "description": "This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "3f0c20d5-6228-48ef-92f3-9ff7822c1954"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 70eca1636368594b36e7ec5a8e93b77aef00faef Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:11 +0000
Subject: [PATCH 010/375] Exported file: A potentially malicious web request
was executed against a web server.json.json
---
...est was executed against a web server.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
diff --git a/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
new file mode 100644
index 00000000..4ba5f88b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mode = 'Blocked'; \nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet minTime = ago(1d);\nlet maxSessionWindow = 1h;\nlet sessionBin = maxSessionWindow/2.0;\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayFirewallLog'\n| where action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\n| extend duration = maxTime - minTime\n| extend TimeKey = bin(SessionStarted, sessionBin)\n| join kind = inner(\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayAccessLog'\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\n| where (TimeGenerated - SessionStarted) between (0m .. 
duration)\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")\n| extend serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| where SessionBlockedCount > SuccessfulAccessLogCount \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "A potentially malicious web request was executed against a web server",
+ "enabled": false,
+ "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.",
+ "alertRuleTemplateName": "46ac55ae-47b8-414a-8f94-89ccd1962178"
+ }
+ }
+ ]
+}
\ No newline at end of file
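Review bot: The scalar `let minTime = ago(1d);` at the start of the query is shadowed a few operators later by `| summarize minTime = min(TimeGenerated), ...`, so the same name denotes the lookback bound in the two `| where TimeGenerated > minTime` filters and a per-session column everywhere after the summarize. The query appears to behave as intended because the join's right-hand subquery has no `minTime` column and falls back to the let, but the double meaning makes the session logic hard to audit; renaming the scalar, e.g. `let lookback = ago(1d);` with `| where TimeGenerated > lookback` in both places, removes the ambiguity. The `// ...` note in the description already says `successCode` is meant to be tuned, so it would be worth adding the same sentence as a comment next to `let successCode = dynamic([...])` inside the query, where the person editing it will actually see it.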
From 1b52a0ac1b9f2b5b6139d5218aa4ef4610495926 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:12 +0000
Subject: [PATCH 011/375] Exported file: AD FS Remote Auth Sync
Connection.json.json
---
.../AD FS Remote Auth Sync Connection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
new file mode 100644
index 00000000..d8e5a274
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\n//let adfsuser = 'adfsadmin';\n// Identify ADFS Servers\nlet ADFS_Servers = (\n SecurityEvent\n //| where TimeGenerated > ago(timeframe+lookback)\n | where EventSourceName == 'AD FS Auditing'\n | distinct Computer\n);\nSecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\n // for relying party '-' was successfully authenticated.\n | where EventID == 412\n | extend EventData = parse_xml(EventData).EventData.Data\n | extend InstanceId = tostring(EventData[0])\n| join kind=inner\n(\n SecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // Events to identify caller identity from event 412\n | where EventID == 501\n | extend EventData = parse_xml(EventData).EventData.Data\n | where tostring(EventData[1]) contains 'identity/claims/name'\n | extend InstanceId = tostring(EventData[0])\n | extend ClaimsName = tostring(EventData[2])\n // Filter on the use of a specific AD FS user account\n //| where ClaimsName contains adfsuser\n)\non $left.InstanceId == $right.InstanceId\n| join kind=inner\n(\n SecurityEvent\n | where EventID == 5156\n | where Computer in~ (ADFS_Servers)\n | extend EventData = parse_xml(EventData).EventData.Data\n | mv-expand bagexpansion=array EventData\n | evaluate bag_unpack(EventData)\n | extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n | extend DestPort = column_ifexists(\"DestPort\", \"\"),\n Direction = column_ifexists(\"Direction\", \"\"),\n Application = column_ifexists(\"Application\", 
\"\"),\n DestAddress = column_ifexists(\"DestAddress\", \"\"),\n SourceAddress = column_ifexists(\"SourceAddress\", \"\"),\n SourcePort = column_ifexists(\"SourcePort\", \"\")\n // Look for inbound connections from endpoints on port 80\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') \n)\non $left.Computer == $right.Computer\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote Auth Sync Connection",
+ "enabled": false,
+ "description": "This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious authentication events on an AD FS server. The results then get\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\nsensitive information such as AD FS certificates.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
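Review bot: The loopback exclusion in the EventID 5156 subquery, `| where DestAddress !in ('::1','0:0:0:0:0:0:0:1')`, drops only the IPv6 loopback addresses, so a local IPv4 connection to port 80 on the AD FS server (destination 127.0.0.1) still joins and alerts even though the comment above it says the intent is inbound connections from endpoints; `| where DestAddress !in ('::1','0:0:0:0:0:0:0:1','127.0.0.1')` matches that intent. The same two-entry list is reused as `DestinationIp !in (...)` in the Sysmon variant in the next patch. Separately, the final `join kind=inner` is keyed only on `$left.Computer == $right.Computer` with no time proximity between the 412/501 pair and the 5156 row, so every inbound port-80 event in the period is presumably paired with every authentication pair for that host; if that row multiplication is not intended, a `TimeGenerated` window on the join would bound it.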
From 7c58e437a376e35f7f71ae9d79ef793cc53dd718 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:13 +0000
Subject: [PATCH 012/375] Exported file: AD FS Remote HTTP Network
Connection.json.json
---
.../AD FS Remote HTTP Network Connection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
new file mode 100644
index 00000000..bd68ae23
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// Filter out other servers in the AD FS farm\nlet ADFSServersList = dynamic([\"ADFS02.domain.com\",\"ADFS03.domain.com\"]);\n// Start by identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer !in (ADFSServersList)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer\n);\n// Look for ADFS servers receiving connections over port 80\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"), TechniqueId = column_ifexists(\"TechniqueId\", \"\"), TechniqueName = 
column_ifexists(\"TechniqueName\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n| where EventID == 3\n// Look for endpoints connecting to the AD FS server over port 80\n| extend DestinationPort = column_ifexists(\"DestinationPort\", \"\"), Image = column_ifexists(\"Image\", \"\"), Initiated = column_ifexists(\"Initiated\", \"\"), SourceIp = column_ifexists(\"DestinationIp\", \"\"), DestinationIp = column_ifexists(\"DestinationIp\", \"\")\n| where DestinationPort == 80\n| extend process = split(Image, '\\\\', -1)[-1]\n// Look for the System process receiving connections\n| where process == 'System' and Initiated == 'false'\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote HTTP Network Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "d57c33a9-76b9-40e0-9dfa-ff0404546410"
+ }
+ }
+ ]
+}
\ No newline at end of file
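Review bot: `SourceIp = column_ifexists("DestinationIp", "")` in the EventID 3 extend reads the destination column, so `IPCustomEntity = SourceIp` maps the IP entity to the AD FS server itself rather than to the remote endpoint that opened the port-80 connection, and the alert's IP entity is the same value the rule already has as `HostCustomEntity`. Sysmon NetworkConnect events carry a `SourceIp` field, so `SourceIp = column_ifexists("SourceIp", "")` is the intended line. Separately, `let ADFSServersList = dynamic(["ADFS02.domain.com","ADFS03.domain.com"]);` is an example value exported verbatim; because it is used to remove farm members from `ADFS_Servers`, leaving the placeholder in a deployable template silently filters nothing in any other environment, so a comment on that line (or a sentence in the description) stating it must be set per deployment would help. The `'::1','0:0:0:0:0:0:0:1'` loopback list here omits `127.0.0.1` as in the previous patch.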
From fa3ba855d6f2ae3e532ef23d95260796641620cc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:13 +0000
Subject: [PATCH 013/375] Exported file: AD account with Don't Expire
Password.json.json
---
...AD account with Don't Expire Password.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
diff --git a/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
new file mode 100644
index 00000000..f732ef14
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nSecurityEvent\n| where EventID == 4738\n// 2089 value indicates the Don't Expire Password value has been set\n| where UserAccountControl has \"%%2089\" \n| extend Value_2089 = iff(UserAccountControl has \"%%2089\",\"'Don't Expire Password' - Enabled\", \"Not Changed\")\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \n| extend Value_2050 = iff(UserAccountControl has \"%%2050\",\"'Password Not Required' - Disabled\", \"Not Changed\")\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \n| extend Value_2082 = iff(UserAccountControl has \"%%2082\",\"'Password Not Required' - Enabled\", \"Not Changed\")\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD account with Don't Expire Password",
+ "enabled": false,
+ "description": "Identifies whenever a user account has the setting \"Password Never Expires\" in the user account properties selected.\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\n%%2089 resolves to \"Don't Expire Password - Enabled\".",
+ "alertRuleTemplateName": "6c360107-f3ee-4b91-9f43-f4cfd90441cf"
+ }
+ }
+ ]
+}
\ No newline at end of file
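Review bot: `Value_2089 = iff(UserAccountControl has "%%2089", "'Don't Expire Password' - Enabled", "Not Changed")` can only take its first branch, because the preceding `| where UserAccountControl has "%%2089"` has already removed every row where the condition is false; `| extend Value_2089 = "'Don't Expire Password' - Enabled"` states the same result without a conditional that never fails. The `Value_2050` and `Value_2082` extends do carry information, so the asymmetry is worth making explicit in the comment above the 2089 line. The query does not exclude computer accounts (`TargetAccount` ending in `$`), unlike the sibling rule in the next patch which filters `TargetUserName !endswith "$"`; whether that is deliberate should be noted in the description.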
From 052b1b84c2abf1ad1e4b8e07e3ccec184ec58ccd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:14 +0000
Subject: [PATCH 014/375] Exported file: AD user enabled and password not set
within 48 hours.json.json
---
... and password not set within 48 hours.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
diff --git a/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
new file mode 100644
index 00000000..f860a774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P3D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\n| order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD user enabled and password not set within 48 hours",
+ "enabled": false,
+ "description": "Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company policy.",
+ "alertRuleTemplateName": "62085097-d113-459f-9ea7-30216f2ee6af"
+ }
+ }
+ ]
+}
\ No newline at end of file
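Review bot: The `isempty(PasswordSetAttemptDelta_Min)` branch in `| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)` fires for every 4722 in the 3-day window that has no matching 4723 yet, including an account enabled minutes before the run, so the rule alerts before the 48 hours the display name promises have elapsed; inserting `| where Time_Event4722 <= ago(2880m)` before that test restricts it to accounts whose deadline has actually passed. With `queryPeriod` P3D, `queryFrequency` P1D and `suppressionEnabled` false, the same 4722 is also visible to up to three consecutive runs, so a qualifying account is presumably alerted on each of them; narrowing the 4722 side to a one-day slice such as `| where Time_Event4722 between (ago(3d) .. ago(2d))` while keeping the 4723 side at the full window yields one alert per account. Both observations are inferred from the query as written and should be checked against the intended cadence; the description's last sentence about adjusting the period would then also need to mention that `starttime`, the 2880 threshold and this slice move together.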
From 11b5f2f22b0ec27e01bc360a85dde4587e0da03a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:15 +0000
Subject: [PATCH 015/375] Exported file: ADFS DKM Master Key Export.json.json
---
.../ADFS DKM Master Key Export.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
diff --git a/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
new file mode 100644
index 00000000..291cf211
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cca3599-da9a-4231-a9d2-b1f733201dbd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cca3599-da9a-4231-a9d2-b1f733201dbd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "(union isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains '
Date: Fri, 24 Feb 2023 02:20:16 +0000
Subject: [PATCH 016/375] Exported file: ADFS Database Named Pipe
Connection.json.json
---
.../ADFS Database Named Pipe Connection.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
diff --git a/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
new file mode 100644
index 00000000..aff745de
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 6d;\n// Adjust this to adjust the key export detection timeframe\n//let timeframe = 1d;\n// Start be identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer);\n// Look for ADFS servers where Named Pipes event are present\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"),\n TechniqueId = column_ifexists(\"TechniqueId\", \"\"),\n TechniqueName = column_ifexists(\"TechniqueName\", \"\"),\n Image = column_ifexists(\"Image\", \"\"),\n PipeName = column_ifexists(\"PipeName\", \"\"),\n EventType = 
column_ifexists(\"EventType\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n// Look for Pipe related to querying the WID\n| where PipeName == \"\\\\MICROSOFT##WID\\\\tsql\\\\query\"\n| extend process = split(Image, '\\\\', -1)[-1]\n// Exclude expected processes\n| where process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", \"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\", \"AzureADConnect.exe\", \"Microsoft.Tri.Sensor.exe\", \"wsmprovhost.exe\",\"mmc.exe\", \"sqlservr.exe\")\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "ADFS Database Named Pipe Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\nFailed to resolve scalar expression named \"[@Name]\"",
+ "alertRuleTemplateName": "dcdf9bfc-c239-4764-a9f9-3612e6dff49c"
+ }
+ }
+ ]
+}
\ No newline at end of file
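Review bot: The process allow-list `| where process !in ("Microsoft.IdentityServer.ServiceHost.exe", "Microsoft.Identity.Health.Adfs.PshSurrogate.exe", ...)` is keyed on `split(Image, '\\', -1)[-1]`, i.e. the file name alone, so any binary carrying one of those names from any directory is excluded from the WID named-pipe detection, and the generic entries `mmc.exe`, `wsmprovhost.exe` and `sqlservr.exe` make that exclusion easy to satisfy unintentionally; comparing `Image` against the expected full install paths, or at least requiring the expected directory for the generic names, keeps the exclusion tied to the real binaries. That is a coverage trade-off rather than a bug, and the same basename pattern is used to build `ADFS_Servers` above, where it is less consequential. In the description, "Sysmon EventIdD 18" should read "Sysmon EventID 18".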
From 6422930938a97b1b40f7d8850273832de4bdf4ce Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:17 +0000
Subject: [PATCH 017/375] Exported file: AWS Guard Duty Alert.json.json
---
.../AWS Guard Duty Alert.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
diff --git a/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
new file mode 100644
index 00000000..60586c45
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e137990-3aad-4695-8ea5-eac1e16a9451')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e137990-3aad-4695-8ea5-eac1e16a9451')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [],
+ "techniques": null,
+ "displayName": "AWS Guard Duty Alert",
+ "enabled": false,
+ "description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.",
+ "alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106"
+ }
+ }
+ ]
+}
\ No newline at end of file
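Review bot: The alert severity is fixed at `"severity": "Medium"` even though the query already buckets each finding's GuardDuty score into High/Medium/Low in a `Severity` column, so a score-8.9 finding and a score-1.0 finding raise incidents of identical severity. Consider letting the computed column drive it with `"alertDetailsOverride": { "alertSeverityColumnName": "Severity" }` (a value outside the Sentinel levels, such as the query's "Unknown" bucket, should presumably fall back to the rule default — confirm). The rule also has no `entityMappings` and an empty `tactics` list, so each incident arrives without an account, IP or resource entity to pivot on or group by. Minor: `AWSAcoundId` in the projected column name is a typo for `AWSAccountId`.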
From 981eb98369ce80edf778d614d10af6083d72b628 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:18 +0000
Subject: [PATCH 018/375] Exported file: Account Created and Deleted in Short
Timeframe.json.json
---
...reated and Deleted in Short Timeframe.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
diff --git a/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
new file mode 100644
index 00000000..a3a2cb27
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where OperationName =~ \"Add user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| join kind=inner (AuditLogs\n| where OperationName =~ \"Delete user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\n| extend timedelta = TimeGenerated1 - TimeGenerated\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\n| where timedelta < timespan(24h) and timedelta > timespan(0h)\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Account Created and Deleted in Short Timeframe",
+ "enabled": false,
+ "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account",
+ "alertRuleTemplateName": "bb616d82-108f-47d3-9dec-9652ea0d3bf6"
+ }
+ }
+ ]
+}
\ No newline at end of file
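Review bot: The query ends with `| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress` but `entityMappings` only maps the IP, so the short-lived account itself never becomes an incident entity; add `{ "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "CustomAccountEntity" } ] }`. With `queryPeriod` equal to the 24-hour window the join needs, a creation near the end of one run and its deletion early in the next are never seen in the same result set, so widening `queryPeriod` (for example `P2D`) while keeping `queryFrequency` at `P1D` closes that gap, at the cost of occasionally re-raising a pair already reported. The IP address is taken only from the delete event; the creator's `InitiatedBy.user.ipAddress` is discarded, which is worth a sentence in `description` so analysts do not read it as the creation source.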
From 70361e4fd8706fe89878788de869fdefc1e10165 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:18 +0000
Subject: [PATCH 019/375] Exported file: Account added and removed from
privileged groups.json.json
---
...ed and removed from privileged groups.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
diff --git a/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
new file mode 100644
index 00000000..51ad12f9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet AC_Add = \nSecurityEvent\n// Event ID related to member addition.\n| where EventID in (4728, 4732,4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountAdded \",OU\" *\n| where isnotempty(AccountAdded)\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \"||\", GroupAddedTo, \"||\", AddingAccount )\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\nlet AC_Remove = \nSecurityEvent\n// Event IDs related to member removal.\n| where EventID in (4729,4733,4757)\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountRemoved \",OU\" * \n| where isnotempty(AccountRemoved)\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \"||\", GroupRemovedFrom, \"||\", RemovingAccount)\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \nAC_Add \n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\n| where DurationinSecondAfter_Removed > 0\n| project-away 
AccountRemoved_GroupRemovedFrom_RemovingAccount\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Account added and removed from privileged groups",
+ "enabled": false,
+ "description": "Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.",
+ "alertRuleTemplateName": "7efc75ce-e2a4-400f-a8b1-283d3b0f2c60"
+ }
+ }
+ ]
+}
\ No newline at end of file
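Review bot: Both `parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *` clauses only capture a member whose distinguished name contains an `,OU` component, and the following `where isnotempty(...)` drops every other row, so accounts in the default `CN=Users` container (DN of the form `CN=...,CN=Users,DC=...`) would presumably be excluded silently — confirm against real 4728/4732/4756 events. If the `SecurityEvent` schema in the workspace exposes the native `MemberName`/`MemberSid` columns, matching on `MemberSid` avoids the DN parsing entirely. The join key also folds in the acting account, so an add by one administrator and a removal by another never pair, and `severity` is Low for a Persistence/PrivilegeEscalation pattern; both may be deliberate but deserve a line in `description`.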
From 9b2d5078976627e76cbd01ca68e1015d7d9b0efe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:19 +0000
Subject: [PATCH 020/375] Exported file: Account created or deleted by
non-approved user.json.json
---
...eated or deleted by non-approved user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
diff --git a/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
new file mode 100644
index 00000000..71abee6a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName == \"Add user\" or OperationName == \"Delete user\"\n| where Result == \"success\"\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Account created or deleted by non-approved user",
+ "enabled": false,
+ "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts",
+ "alertRuleTemplateName": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a"
+ }
+ }
+ ]
+}
\ No newline at end of file
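Review bot: `where InitiatingUser has_any (nonapproved_users)` does term matching rather than equality, so a short listed value like the `upn123` from the query's own example would also match any UPN that contains that term; since the list is meant to hold full user principal names, an exact case-insensitive `| where InitiatingUser in~ (nonapproved_users)` is the safer test. The shipped `let nonapproved_users = dynamic([]);` means the rule can never fire until edited, which `description` does state, but it is still worth a hedged note that an empty list produces no alerts rather than an error. The filter `OperationName == "Add user"` is case-sensitive while the neighbouring rule in this batch uses `=~`; aligning on `=~` avoids a silent miss if casing ever differs. Note the design is a denylist — only enumerated users are flagged — so an account nobody thought to list is invisible; an allowlist form (`!in~ (approved_users)`) may fit the rule's name better.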
From 6dfb440c1cfac61f0e6a9fe7131d900c8b9ed792 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:20 +0000
Subject: [PATCH 021/375] Exported file: Admin promotion after Role Management
Application Permission Grant.json.json
---
...nagement Application Permission Grant.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
diff --git a/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
new file mode 100644
index 00000000..fac376d0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/798fde9b-d47c-4158-99e0-326a7f4e29d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/798fde9b-d47c-4158-99e0-326a7f4e29d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"AppRole.Value\"\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where AppRole has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\n| join kind=innerunique (\n AuditLogs\n | where LoggedByService =~ \"Core Directory\"\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-expand TargetResources\n | mv-expand TargetResources.modifiedProperties\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n | where displayName_ =~ \"Role.DisplayName\"\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n | where RoleName contains \"Admin\"\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\n | extend Target = 
iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\n | extend TargetType = tostring(TargetResources.type)\n | extend TargetId = tostring(TargetResources.id)\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\n) on $left.TargetId == $right.InitiatorId\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\n| where TimeRoleMgGrant < TimeAdminPromo\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "PrivilegeEscalation",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Admin promotion after Role Management Application Permission Grant",
+ "enabled": false,
+ "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+ "alertRuleTemplateName": "f80d951a-eddc-4171-b9d0-d616bb83efdc"
+ }
+ }
+ ]
+}
\ No newline at end of file
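Review bot: The rule has no `entityMappings` although the final `project` exposes `ServicePrincipal`, `ServicePrincipalId`, `TargetObject` and `TargetObjectId`, so this High-severity incident carries no account or service-principal entity to pivot on; mapping `TargetObject` to an Account `FullName` and `ServicePrincipalId` to a suitable identifier (confirm which Account identifier Sentinel accepts for a service principal) would make it actionable. `TargetResources.modifiedProperties[4].newValue` and `[3].newValue` index the array positionally, which depends on the order Azure AD happens to emit `modifiedProperties`; selecting by `displayName` — as the query already does for `AppRole.Value` — is more robust. The `innerunique` join keeps one arbitrary left row per key, so a principal granted the permission more than once in the window is reported once; fine if intended, but worth stating in `description`.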
From 2db2c0ef2b040d4b246b854972c7132a3dccbd5b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:21 +0000
Subject: [PATCH 022/375] Exported file: Alert for IOCs related to Windows_ELF
malware - IP, Hash IOCs - September 2021.json.json
---
...ware - IP, Hash IOCs - September 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
diff --git a/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
new file mode 100644
index 00000000..2fbc7ec6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dece78df-9bea-4625-9457-d4a37e01a4a8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dece78df-9bea-4625-9457-d4a37e01a4a8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, 
DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, 
AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName in (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\nReference: \nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar",
+ "alertRuleTemplateName": "d992b87b-eb49-4a9d-aa96-baacf9d26247"
+ }
+ }
+ ]
+}
\ No newline at end of file
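Review bot: The `SecurityEvent` branch filters `where NewProcessName in (IPList)`, comparing a process image path against a list of IP addresses, so it can never match and the 4688 branch is dead code; it should presumably test a process indicator (the hash list, where a hash column is available) or be removed so readers do not assume process coverage exists. The `IPMatch` case in the first `CommonSecurityLog` branch repeats `MessageIP in (IPList), "Message"` twice, and `sha256Hashes` lists `a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7` twice — harmless but worth cleaning. Hash comparison is inconsistent: `DeviceEvents` uses `in~` while `DeviceNetworkEvents`, `DeviceFileEvents` and `CommonSecurityLog` use case-sensitive `in`, so an upper-case hash from a source would be missed in those branches; use `in~` throughout.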
From 18690a03874d43796705f242eab608ab7b5535dc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:22 +0000
Subject: [PATCH 023/375] Exported file: Alsid Active Directory attacks
pathways.json.json
---
...sid Active Directory attacks pathways.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
new file mode 100644
index 00000000..892797cf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b129d496-e02c-479f-a5c7-16cc71ef63ad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b129d496-e02c-479f-a5c7-16cc71ef63ad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Active Directory attacks pathways",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways",
+ "alertRuleTemplateName": "9649e203-3cb7-47ff-89a9-42f2a5eefe31"
+ }
+ }
+ ]
+}
\ No newline at end of file
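Review bot: The query depends on a workspace function `afad_parser` that is not part of this export and `description` says nothing about it, so the rule fails with an unresolved-name error unless the Alsid/Tenable.ad parser has been deployed first; suggest appending `Requires the afad_parser function from the Alsid for Active Directory solution to be installed in the workspace.` to `description`. There are also no `entityMappings`, so Indicator-of-Exposure hits produce incidents without host or account entities. The tactic is `CredentialAccess` while the rule reports exposures (misconfigurations that enable an attack path) rather than observed attacks; `severity: Low` fits that, but the tactic may mislead triage.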
From 47ebd437b7ba2f8520d227b79e23d6d9318ed1cb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:22 +0000
Subject: [PATCH 024/375] Exported file: Alsid DCShadow.json.json
---
.../Alsid DCShadow.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid DCShadow.json
diff --git a/SentinelExported-AnalyticsRule/Alsid DCShadow.json b/SentinelExported-AnalyticsRule/Alsid DCShadow.json
new file mode 100644
index 00000000..177269e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid DCShadow.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCShadow\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCShadow",
+ "enabled": false,
+ "description": "Searches for DCShadow attacks",
+ "alertRuleTemplateName": "25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c"
+ }
+ }
+ ]
+}
\ No newline at end of file
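Review bot: The rule carries no `entityMappings` array in `properties` and `techniques` is null, so incidents it creates have no Account/Host entities to investigate or group on and no MITRE technique for coverage reporting; contrast the `entityMappings` block the Anomalous User Agent rule in this series ships with. The query returns whatever columns `afad_parser` emits, so a mapping such as `{"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "<account column from afad_parser>"}]}` needs the parser's output schema confirmed before it is added. The same gap is present in the other Alsid rules in this series (DCSync, Golden Ticket, Indicators of Attack, Indicators of Exposures, LSASS Memory, Password Guessing, Password Spraying, Password issues, privileged accounts issues, user accounts issues). `afad_parser` is also a workspace function the template does not declare or deploy, so applying this template to a workspace without it will fail rule validation. Every rule is exported with `"enabled": false`, so deploying these templates as-is produces no detections until each rule is switched on.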
From 50f5f852db53b0e05a35d5c33b145fc45af3321b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:23 +0000
Subject: [PATCH 025/375] Exported file: Alsid DCSync.json.json
---
.../Alsid DCSync.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid DCSync.json
diff --git a/SentinelExported-AnalyticsRule/Alsid DCSync.json b/SentinelExported-AnalyticsRule/Alsid DCSync.json
new file mode 100644
index 00000000..9b75999f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid DCSync.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCSync\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCSync",
+ "enabled": false,
+ "description": "Searches for DCSync attacks",
+ "alertRuleTemplateName": "d3c658bd-8da9-4372-82e4-aaffa922f428"
+ }
+ }
+ ]
+}
\ No newline at end of file
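Review bot: `queryPeriod` equals `queryFrequency` (both `PT2H`), so there is no overlap between consecutive runs and any `afad_parser` row that lands after its 2-hour window has been evaluated is never seen by the rule. A lookback slightly longer than the frequency, e.g. `"queryPeriod": "PT3H"`, closes that gap; to keep the wider window from re-alerting on rows already handled, filter the query on arrival time instead of event time, e.g. `| where ingestion_time() > ago(2h)`. Every Alsid rule in this series uses the same PT2H/PT2H pair, so the change applies to all of them.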
From 8a423a560a069c66a571f442f8ec983697d2809a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:24 +0000
Subject: [PATCH 026/375] Exported file: Alsid Golden Ticket.json.json
---
.../Alsid Golden Ticket.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
new file mode 100644
index 00000000..605710d8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Golden Ticket\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Golden Ticket",
+ "enabled": false,
+ "description": "Searches for Golden Ticket attacks",
+ "alertRuleTemplateName": "21ab3f52-6d79-47e3-97f8-ad65f2cb29fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 19b4e2e94d957be1c02eba72d79e5fc23b69f02a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:25 +0000
Subject: [PATCH 027/375] Exported file: Alsid Indicators of Attack.json.json
---
.../Alsid Indicators of Attack.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
new file mode 100644
index 00000000..eabbaa2e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 2\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Attack",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Attack",
+ "alertRuleTemplateName": "3caa67ef-8ed3-4ab5-baf2-3850d3667f3d"
+ }
+ }
+ ]
+}
\ No newline at end of file
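Review bot: The query selects every `MessageType == 2` row with no `Codename` filter, so each event the dedicated High-severity rules in this series (DCShadow, DCSync, Golden Ticket, LSASS Memory, Password Guessing, Password Spraying) already fire on is raised a second time here as a Low incident, and under this rule a DCSync hit is indistinguishable in severity from a minor indicator. The query computes `Level` from `SeverityTable` but the rule's `severity` is the fixed string `"Low"`, so that work never reaches the alert. Either exclude the codenames that have their own rule, `| where Codename !in~ ("DCShadow", "DCSync", "Golden Ticket", "OS Credential Dumping: LSASS Memory", "Password Guessing", "Password Spraying")`, or surface the per-event value through `alertDetailsOverride.alertSeverityColumnName`, which requires the column to hold Sentinel severity strings (the lookup table suggests `afad_parser` emits lowercase values, so confirm before relying on it). The Indicators of Exposures rule has the same overlap on `MessageType == 0` with the Password issues, privileged accounts issues, user accounts issues and attacks pathways rules.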
From 0a083ce9351b2b0f5da174a0e9d508f1648e1f75 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:26 +0000
Subject: [PATCH 028/375] Exported file: Alsid Indicators of
Exposures.json.json
---
.../Alsid Indicators of Exposures.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
new file mode 100644
index 00000000..a3fa8625
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Exposures",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures",
+ "alertRuleTemplateName": "154fde9f-ae00-4422-a8da-ef00b11da3fc"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 3b7c6203897e0135fdc5511677d849872c22f4b0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:27 +0000
Subject: [PATCH 029/375] Exported file: Alsid LSASS Memory.json.json
---
.../Alsid LSASS Memory.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
diff --git a/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
new file mode 100644
index 00000000..60c47531
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid LSASS Memory",
+ "enabled": false,
+ "description": "Searches for OS Credentials dumping attacks",
+ "alertRuleTemplateName": "3acf5617-7c41-4085-9a79-cc3a425ba83a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 92a093cc41993baf5c7658649c337bdab6dbbcb5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:27 +0000
Subject: [PATCH 030/375] Exported file: Alsid Password Guessing.json.json
---
.../Alsid Password Guessing.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Guessing.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Guessing.json b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
new file mode 100644
index 00000000..02fbf5c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Guessing",
+ "enabled": false,
+ "description": "Searches for bruteforce Password Guessing attacks",
+ "alertRuleTemplateName": "ba239935-42c2-472d-80ba-689186099ea1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From a9aaaa2e1b0ca80103c30e301693a79606b66fa8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:28 +0000
Subject: [PATCH 031/375] Exported file: Alsid Password Spraying.json.json
---
.../Alsid Password Spraying.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Spraying.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Spraying.json b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
new file mode 100644
index 00000000..a72493ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Spraying",
+ "enabled": false,
+ "description": "Searches for Password spraying attacks",
+ "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8bf54e7c226f72f9d7979b900c37f8c4d7355888 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:29 +0000
Subject: [PATCH 032/375] Exported file: Alsid Password issues.json.json
---
.../Alsid Password issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password issues.json b/SentinelExported-AnalyticsRule/Alsid Password issues.json
new file mode 100644
index 00000000..e0ebdc4d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to password issues",
+ "alertRuleTemplateName": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 0e00df873e2d3d645afd335972d8d3006accb233 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:30 +0000
Subject: [PATCH 033/375] Exported file: Alsid privileged accounts
issues.json.json
---
.../Alsid privileged accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
new file mode 100644
index 00000000..41c05802
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid privileged accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to privileged accounts issues",
+ "alertRuleTemplateName": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 57cf3a2e1aa4c01b497656d45ac20e1a221f48fa Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:31 +0000
Subject: [PATCH 034/375] Exported file: Alsid user accounts issues.json.json
---
.../Alsid user accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid user accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid user accounts issues.json b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
new file mode 100644
index 00000000..07a811e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid user accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to user accounts issues",
+ "alertRuleTemplateName": "fb9e0b51-8867-48d7-86f4-6e76f2176bf8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d840dc282e195c656ec14ea3107be0c32d133faa Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:32 +0000
Subject: [PATCH 035/375] Exported file: Anomalous User Agent connection
attempt.json.json
---
...omalous User Agent connection attempt.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
new file mode 100644
index 00000000..1eb976f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2397090-face-41f6-ae70-89fc66312292')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2397090-face-41f6-ae70-89fc66312292')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold = 100;\nW3CIISLog \n// Exclude local IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous User Agent connection attempt",
+ "enabled": false,
+ "description": "Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.",
+ "alertRuleTemplateName": "f845881e-2500-44dc-8ed7-b372af3e1e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
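Review bot: The `// Exclude local IPs as these create noise` comment inside the query does not match the filter beneath it, which drops only `192.168.` and `::1`: clients in 10.0.0.0/8, 172.16.0.0/12 and 127.0.0.1 are still evaluated, so the local noise the comment says is removed will still trigger the rule. `| where not(ipv4_is_private(cIP)) and cIP != "::1"` covers all RFC 1918 ranges; `ipv4_is_private()` returns null for IPv6 strings, which a `where` treats as false, so add an explicit IPv6 branch if those clients matter. The `entityMappings` map the `AccountCustomEntity`/`HostCustomEntity`/`IPCustomEntity` columns that the query projects at its end; that works, but the current convention is to map the source columns (`csUserName`, `Computer`, `cIP`) directly and drop the extra `extend`.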
From d79f999bcc129a01a1a90fe77ec6c0dd32c01f1e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:32 +0000
Subject: [PATCH 036/375] Exported file: Anomalous login followed by Teams
action.json.json
---
...malous login followed by Teams action.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
new file mode 100644
index 00000000..e49e899e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aa392189-9ff4-40f3-af07-3c2e454d5b22')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aa392189-9ff4-40f3-af07-3c2e454d5b22')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\n//The minimum number of countries that the account has been accessed from [default: 2]\nlet minimumCountries = 2;\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\nlet deltaThreshold = 95;\n//The maximum (%) threshold that the country appears in login data [default: 10]\nlet countryPrevalenceThreshold = 10;\n//The time to project forward after the last login activity [default: 60min]\nlet projectedEndTime = 60min; \n//Get Teams successful signins globally\nlet aadFunc = (tableName:string){\nlet signinData =\n table(tableName)\n | where AppDisplayName has \"Teams\"\n | where ConditionalAccessStatus =~ \"success\"\n | extend country = tostring(todynamic(LocationDetails)['countryOrRegion'])\n | where isnotempty(country) and isnotempty(IPAddress);\n// Collect successful signins to teams\nlet loginEvents = \n signinData\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\n//Calcualte delta between logins\nlet loginDelta =\n loginEvents\n | summarize max(count_), min(count_) by UserPrincipalName\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\n | where delta >= deltaThreshold;\n//Count number of countries used to sign in\nlet countryCount =\n loginEvents\n | summarize Countries = dcount(country) by UserPrincipalName;\n//Join delta and sign in counts to successful logins\nloginDelta\n| join kind=rightouter (\n loginEvents\n) on UserPrincipalName\n| join kind=rightouter (\n countryCount\n) on UserPrincipalName\n//Check where the record meets the minimum required countries\n| where Countries >= minimumCountries\n| join kind=leftouter (\n signinData\n | summarize count() by country\n | join (\n //Now get the total number of logins from any country and join it to the previous count in a single table\n signinData\n | summarize count() by country\n | 
summarize sum(count_), make_list(country)\n | mv-expand list_country\n | extend country = tostring(list_country)\n ) on country\n | summarize by country, count_, sum_count_\n //Now calculate each countries prevalence within login events\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\n | project-away sum_count_\n | order by prevalence\n) on country\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\n| where prevalence < countryPrevalenceThreshold\n| where min_count_ == count_\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\n| extend EventTimes = list_TimeGenerated\n| extend SuspiciousIP = IPAddress\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\n//Teams join to collect operations the user account has performed within the given time range\n| join kind=inner( \n OfficeActivity\n | where Operation in~ (\"TeamsAdminAction\", \"MemberAdded\", \"MemberRemoved\", \"MemberRoleChanged\", \"AppInstalled\", \"BotAddedToTeam\")\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\n) on $left.UserPrincipalName == $right.UserId\n| mv-expand StartTime = EventTimes\n| extend StartTime = make_datetime(StartTime)\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\n//Limit to operations carried out by the user account in the timeframe the IP was active\n| where OperationTime between (StartTime .. 
ProjectedEndTime)\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n//Filter on suspicious actions\n| extend activitySummary = pack(tostring(StartTime), pack(\"Operation\",tostring(Operation), \"OperationTime\", OperationTime))\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous login followed by Teams action",
+ "enabled": false,
+ "description": "Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.",
+ "alertRuleTemplateName": "2b701288-b428-4fb8-805e-e4372c574786"
+ }
+ }
+ ]
+}
\ No newline at end of file
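Review bot: The description says accounts are kept where a "delta >= 90%" is observed, but the query sets `let deltaThreshold = 95;` while its own inline comment still reads `[default: 90]`, so the prose no longer matches what the rule actually filters on. Either restore `let deltaThreshold = 90;` or change the description to 95% so an analyst tuning the rule is not misled. The sign-in filter `| where ConditionalAccessStatus =~ "success"` also appears to drop successful Teams sign-ins where no Conditional Access policy applied (the `notApplied` status), which looks like an unintended coverage gap; filtering successful sign-ins on `ResultType == 0` would cover both cases. Finally, the OfficeActivity join lowercases `UserId` but not the left-side `UserPrincipalName`, so a mixed-case UPN in the sign-in tables would silently miss the join; add `| extend UserPrincipalName = tolower(UserPrincipalName)` before `| join kind=inner(`.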
From 506603199e495bd57910ccbae84f854c3773d936 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:33 +0000
Subject: [PATCH 037/375] Exported file: Anomalous sign-in location by user
account and authenticating application.json.json
---
...ccount and authenticating application.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
new file mode 100644
index 00000000..53c03dd6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78389019-b3c8-476c-9867-dee37f00f6ea')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78389019-b3c8-476c-9867-dee37f00f6ea')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet lookBack_long = 7d;\nlet lookBack_med = 3d;\nlet lookBack = 1d;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_long))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n// Create time series \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \nby UserPrincipalName, AppDisplayName \n// Compute best fit line for each entry \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \n// Chart the 3 most interesting lines \n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\n| where Slope > 0.3\n| top 50 by Slope desc\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_med))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 0.3\n| top 50 by Slope desc\n) on UserPrincipalName, AppDisplayName\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= 
startofday(ago(lookBack))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 5\n| top 50 by Slope desc\n// Higher threshold requirement on last day anomaly\n) on UserPrincipalName, AppDisplayName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous sign-in location by user account and authenticating application",
+ "enabled": false,
+ "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \nDirectory application and picks out the most anomalous change in location profile for a user within an \nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\nover last day but also over the last 3-day and 7-day periods.\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\nIt is recommended that you test and tune this appropriately for the workspace.",
+ "alertRuleTemplateName": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a"
+ }
+ }
+ ]
+}
\ No newline at end of file
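Review bot: All three copies of the sign-in preparation pipeline in the query extend `Status = todynamic(DeviceDetail)`, assigning the device object to `Status`; it is harmless here only because the following `project` drops `Status`, but it is a copy-paste slip that should read `Status = todynamic(Status)` or be removed together with the unused `DeviceDetail` extend. Note also that after `make-series ... on TimeGenerated`, both `TimeGenerated` and the derived `timestamp` column are arrays of bucket timestamps rather than a single datetime, so anything downstream that expects `timestamp` to be a datetime should be checked. The 7d/3d/1d sub-pipelines differ only in lookback and slope threshold; a single let-function taking `(tableName, lookback, minSlope)` would remove the triplication and keep the three in sync when one is tuned.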
From 62b03c152ec8cede920362b1a2b3041ce9565442 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:34 +0000
Subject: [PATCH 038/375] Exported file: AppServices AV Scan Failure.json.json
---
.../AppServices AV Scan Failure.json | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
new file mode 100644
index 00000000..9b8ca0c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Informational",
+ "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where ScanStatus == \"Failed\"\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "AppServices AV Scan Failure",
+ "enabled": false,
+ "description": "Identifies if an AV scan fails in Azure App Services.",
+ "alertRuleTemplateName": "c2da1106-bfe4-4a63-bf14-5ab73130ccd5"
+ }
+ }
+ ]
+}
\ No newline at end of file
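Review bot: With `"triggerOperator": "GreaterThan"` and `"triggerThreshold": 1`, this rule only fires when the daily run returns at least two rows, so a single `ScanStatus == "Failed"` event is dropped even though the description promises to identify "if an AV scan fails"; set `"triggerThreshold": 0` to alert on the first failure. The `let timeframe = ago(1d);` in the query is never referenced (the `queryPeriod` already bounds the window) and can be deleted. Mapping `_ResourceId` to a `Host` entity's `FullName` puts an ARM resource ID into a hostname field; the `AzureResource` entity type with the `ResourceId` identifier would describe this value accurately and let Sentinel link the incident to the App Service resource.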
From 85fac3b988b1eab0d4cf46d5cdcc74df4e42b78f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:35 +0000
Subject: [PATCH 039/375] Exported file: AppServices AV Scan with Infected
Files.json.json
---
...pServices AV Scan with Infected Files.json | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
new file mode 100644
index 00000000..798f4b14
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json
@@ -0,0 +1,57 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09171b34-9e5d-4554-8675-f564c77f739d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09171b34-9e5d-4554-8675-f564c77f739d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Informational",
+ "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "AppServices AV Scan with Infected Files",
+ "enabled": false,
+ "description": "Identifies if an AV scan finds infected files in Azure App Services.",
+ "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036"
+ }
+ }
+ ]
+}
\ No newline at end of file
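Review bot: A single scan reporting `NumberOfInfectedFiles > 0` will not raise an alert here, because `"triggerThreshold": 1` combined with `"triggerOperator": "GreaterThan"` requires at least two such rows per daily run; this is the one finding a defender most wants on first occurrence, so `"triggerThreshold": 0` is the safer setting. Given that an infected-file result is a positive malware finding rather than a health signal, `"severity": "Informational"` also seems low relative to the failed-scan rule next to it; consider `Medium`, subject to your triage policy. As in the sibling rule, `let timeframe = ago(1d);` is unused, and `_ResourceId` would be better expressed as an `AzureResource` entity (`ResourceId` identifier) than as a `Host` `FullName`.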
From 1ec4943c9301d0b963cc5fa9837ccd378d5c75b3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:35 +0000
Subject: [PATCH 040/375] Exported file: Attempt to bypass conditional access
rule in Azure AD.json.json
---
...s conditional access rule in Azure AD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
diff --git a/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
new file mode 100644
index 00000000..a5d22d05
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2888ae98-ce2c-44e9-a841-001e775b0b7a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2888ae98-ce2c-44e9-a841-001e775b0b7a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, 
IPAddressCount, Type\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Attempt to bypass conditional access rule in Azure AD",
+ "enabled": false,
+ "description": "Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences: \nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown",
+ "alertRuleTemplateName": "3af9285d-bb98-4a35-ad29-5ea39ba0c628"
+ }
+ }
+ ]
+}
\ No newline at end of file
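Review bot: The extend `Status = todynamic(DeviceDetail)` assigns the device object to `Status`, so `Status.errorCode` and `Status.additionalDetails` are always empty; as a result the exclusion `StatusDetails !has "MFA successfully completed"` never filters anything and the summarized `Status` strings collapse to `": <ResultDescription>"`. The fix is one token: `Status = todynamic(Status)`. Separately, `IPCustomEntity = tostring(IPAddresses)` serializes the whole `make_set` array into the IP entity's `Address` field, so the incident carries a JSON-array string instead of an address; an `| mv-expand IPAddresses` before the final extend, or mapping a single element, would yield a valid IP entity. The `ConditionalAccessStatus == 1` branch compares what the Azure AD schema documents as a string column against an integer, so it is worth verifying in this workspace whether that branch ever matches or only the `=~ "failure"` branch does.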
From e18fa33c1d9ec85e7715f760ba75b6dd8d264b71 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:36 +0000
Subject: [PATCH 041/375] Exported file: Attempts to sign in to disabled
accounts.json.json
---
...empts to sign in to disabled accounts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
diff --git a/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
new file mode 100644
index 00000000..38093f5f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b0a0ec4e-ca45-42df-aaca-8487d921115d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b0a0ec4e-ca45-42df-aaca-8487d921115d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Attempts to sign in to disabled accounts",
+ "enabled": false,
+ "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
+ "alertRuleTemplateName": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04"
+ }
+ }
+ ]
+}
\ No newline at end of file
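Review bot: The query keys on both `ResultType == "50057"` and an exact-text `ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."`, so any rewording of Microsoft's description string silently switches the detection off while the numeric error code, which the description itself cites as the identifier, would still match. Drop the `ResultDescription` predicate, or at most loosen it to `ResultDescription has "disabled"`, and keep `ResultType` as the sole key. The `count()` in the summarize is computed but never projected or used downstream; either remove it or surface it as `AttemptCount` so analysts can see volume alongside `applicationSet`. Grouping by `Type` keeps the interactive and non-interactive tables separate, but nothing in the mapped entities tells the analyst which table produced the row; consider adding `Type` as a custom detail.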
From 8f656ef540dc4741cb4e6ed5e7e3faa3e45add10 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:37 +0000
Subject: [PATCH 042/375] Exported file: Audit policy manipulation using
auditpol utility.json.json
---
...y manipulation using auditpol utility.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
diff --git a/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
new file mode 100644
index 00000000..9a038cca
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edb16bf3-eeca-4545-901f-6b4d79a41be9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edb16bf3-eeca-4545-901f-6b4d79a41be9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet AccountAllowList = dynamic(['SYSTEM']);\nlet SubCategoryList = dynamic([\"Logoff\", \"Account Lockout\", \"User Account Management\", \"Authorization Policy Change\"]); // Add any Category in the list to be allowed or disallowed\nlet tokens = dynamic([\"clear\", \"remove\", \"success:disable\",\"failure:disable\"]); \n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n//| where Process =~ \"auditpol.exe\" \n| where CommandLine has_any (tokens)\n| where AccountType !~ \"Machine\" and Account !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n// | where InitiatingProcessFileName =~ \"auditpol.exe\" \n| where InitiatingProcessCommandLine has_any (tokens)\n| where AccountName !in~ (AccountAllowList)\n| parse InitiatingProcessCommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n// | where OriginalFileName =~ \"auditpol.exe\"\n| where CommandLine has_any (tokens)\n| where User !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Audit policy manipulation using auditpol utility",
+ "enabled": false,
+ "description": "This detects attempt to manipulate audit policies using auditpol command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\nThe process name in each data source is commented out as an adversary could rename it. It is advisable to keep process name commented but \nif the results show unrelated false positives, users may want to uncomment it.\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \nRefer to our M365 blog for details on use during the Solorigate attack:\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "alertRuleTemplateName": "66276b14-32c5-4226-88e3-080dacc31ce1"
+ }
+ }
+ ]
+}
\ No newline at end of file
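Review bot: The query hard-codes `let timeframe = 1d;` while the rule's window is set separately by `"queryPeriod": "P1D"` a few lines above, so the two can drift apart if either is edited alone; Sentinel already scopes a scheduled query to `queryPeriod`, so either drop the `ago(timeframe)` filters or add a comment beside `queryPeriod` that `timeframe` in the query must be kept equal to it. The Sysmon branch uses `TimeGenerated > ago(timeframe)` while the SecurityEvent and DeviceProcessEvents branches use `>=`, a small inconsistency at the window boundary. `"techniques": null` leaves the rule with a tactic but no ATT&CK technique mapping; the same null appears in every rule of this series (patches 043–049), so the mapping should be filled in or the key omitted consistently. `"enabled": false` is likewise set on every exported rule here, which deploys them inactive; if that is intentional for the export it is worth stating in the commit message.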
From f40ae7e228a7ed8e13a3b429a1f5b1c7d44454fe Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:38 +0000
Subject: [PATCH 043/375] Exported file: Authentication Methods Changed for
Privileged Account.json.json
---
...ethods Changed for Privileged Account.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
diff --git a/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
new file mode 100644
index 00000000..2a146d8f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d3d9221-367e-4954-836b-a53bfb08d042')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d3d9221-367e-4954-836b-a53bfb08d042')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles matches regex 'Admin'\n | summarize by tolower(AccountUPN));\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName =~ \"User registered security info\"\n| where LoggedByService =~ \"Authentication Methods\"\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(InitiatedBy.user.ipAddress)\n| where AccountCustomEntity in (VIPUsers)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Authentication Methods Changed for Privileged Account",
+ "enabled": false,
+ "description": "Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "694c91ee-d606-4ba9-928e-405a2dd0ff0f"
+ }
+ }
+ ]
+}
\ No newline at end of file
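Review bot: The VIP match on the `query` line compares `AccountCustomEntity in (VIPUsers)` with the case-sensitive `in`, but `VIPUsers` is built from `tolower(AccountUPN)` while `TargetResources[0].userPrincipalName` is not lower-cased, so a privileged account whose UPN carries upper-case characters will not match and the change of authentication method goes unalerted. Change the filter to `| where tolower(AccountCustomEntity) in (VIPUsers)` or use `in~`. The privileged set is also defined as any assigned role whose name matches regex `'Admin'`, which presumably excludes privileged roles without that word in their name; that assumption deserves a sentence in the description so it is not mistaken for full coverage.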
From b87224c376efb08a40489b782a52c2a2dc8984cf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:38 +0000
Subject: [PATCH 044/375] Exported file: Azure AD Health Monitoring Agent
Registry Keys Access.json.json
---
...Monitoring Agent Registry Keys Access.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
new file mode 100644
index 00000000..dbd3607b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// ADHealth Monitoring Agent Registry Key\nlet aadHealthMonAgentRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n| summarize count() by ProcessName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Health Monitoring Agent Registry Keys Access",
+ "enabled": false,
+ "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\n",
+ "alertRuleTemplateName": "f819c592-c5f9-4d5c-a79f-1e6819863533"
+ }
+ }
+ ]
+}
\ No newline at end of file
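Review bot: The query ends with `| summarize count() by ProcessName`, which discards the `AccountCustomEntity`, `HostCustomEntity`, `timestamp`, `Computer` and `TimeGenerated` columns it has just projected, and the rule accordingly has no `entityMappings` block, unlike the sibling ADHealthAgent rule in patch 045 which returns per-event rows with Account and Host mappings. An incident from this rule therefore carries only a process name and a count, with no host or account to pivot on. Either remove the `summarize` line and add the same Account/Host `entityMappings` as patch 045, or keep the aggregation but write it as `| summarize count(), make_set(Computer), make_set(Account) by ProcessName` so the entities survive and can be mapped.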
From 54db700ad9f3fbe7df93285fb9db4123dc3eb6c3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:39 +0000
Subject: [PATCH 045/375] Exported file: Azure AD Health Service Agents
Registry Keys Access.json.json
---
...h Service Agents Registry Keys Access.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
new file mode 100644
index 00000000..2e4c50df
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// ADHealthAgent Registry Key\nlet aadConnectHealthRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Health Service Agents Registry Keys Access",
+ "enabled": false,
+ "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\n",
+ "alertRuleTemplateName": "06bbf969-fcbe-43fa-bac2-b2fa131d113a"
+ }
+ }
+ ]
+}
\ No newline at end of file
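Review bot: The allow-list on the `query` line is applied to `Process`, the basename taken from `split(ProcessName, '\\', -1)[-1]`, so only the file name is compared and the directory the binary ran from is ignored; any process carrying one of the five listed names, wherever it is located, is exempted from the detection. Comparing the full `ProcessName` against the expected installation paths (for example a `dynamic([...])` of `<AGENT_INSTALL_DIR>\Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe` and the other four, placeholder path) is the stronger check; the same basename-only allow-list is used in patch 044. The `//| where AccountType != 'Machine'` line is left commented out; a note in the description that machine accounts are deliberately included would save the next maintainer from re-deriving the choice.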
From fdec717471dd4573cd2eecc1860f9de06f774085 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:40 +0000
Subject: [PATCH 046/375] Exported file: Azure AD Role Management Permission
Grant.json.json
---
...e AD Role Management Permission Grant.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
diff --git a/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
new file mode 100644
index 00000000..0754cfd5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e3406d-b57c-411b-8604-4b77ff01e36f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e3406d-b57c-411b-8604-4b77ff01e36f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ has_any (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where Permission has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = iif(displayName_ =~ 'DelegatedPermissionGrant.Scope',\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\n tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "PrivilegeEscalation",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure AD Role Management Permission Grant",
+ "enabled": false,
+ "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http",
+ "alertRuleTemplateName": "1ff56009-db01-4615-8211-d4fda21da02d"
+ }
+ }
+ ]
+}
\ No newline at end of file
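Review bot: The query on the `query` line reads `TargetResources.modifiedProperties[2]`, `[3]` and `[4]` by ordinal position to derive `TargetId` and `Target`, which ties the rule to the current ordering of the audit-log property array; if the ordering changes or an extra property is emitted, `Target` and `TargetId` silently take the wrong values rather than failing. Selecting the property by its `displayName`, as the rule already does for `displayName_` (for instance with `mv-apply` over `modifiedProperties` filtered on the expected display name), is the more robust form. The rule also has no `entityMappings` although `Initiator` (a UPN or app name) and `Target` are computed and summarized; mapping at least `Initiator` to an Account entity would give the resulting incident something to pivot on.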
From f45a6b71c02bbc308cbd41c176cedb28d9772120 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:41 +0000
Subject: [PATCH 047/375] Exported file: Azure Active Directory Hybrid Health
AD FS New Server.json.json
---
...ectory Hybrid Health AD FS New Server.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
new file mode 100644
index 00000000..29761afb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d197e7a-078d-4401-9359-9c84a2335885')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d197e7a-078d-4401-9359-9c84a2335885')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS New Server",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/",
+ "alertRuleTemplateName": "88f453ff-7b9e-45bb-8c12-4058ca5e44ee"
+ }
+ }
+ ]
+}
\ No newline at end of file
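Review bot: `AppId` and `AccountName` are extracted from the `Claims` JSON on the `query` line but are neither filtered on nor surfaced as entities or custom details, so an analyst receiving the incident cannot tell from the alert whether the call came from the Health agent application or from a direct API request, which is the distinction the description relies on. Consider adding `"customDetails": { "AppId": "AppId", "AccountName": "AccountName" }` under `properties`, or a filter against the known agent application IDs as patch 049 does with its `appList`. The same applies to the service-delete rule in patch 048. The filter `CategoryValue == 'Administrative'` is the only case-sensitive comparison in a query that otherwise uses `=~`; a style nit unless the casing of that column is guaranteed.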
From f6a51e1ec39565dfd8eba7a9a4eac5ed9cd7f57c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:42 +0000
Subject: [PATCH 048/375] Exported file: Azure Active Directory Hybrid Health
AD FS Service Delete.json.json
---
...ry Hybrid Health AD FS Service Delete.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
new file mode 100644
index 00000000..7426686e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS Service Delete",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/",
+ "alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b010381824408fee8f1cb9fa7ad3a8facb2d2bac Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:42 +0000
Subject: [PATCH 049/375] Exported file: Azure Active Directory Hybrid Health
AD FS Suspicious Application.json.json
---
...d Health AD FS Suspicious Application.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
new file mode 100644
index 00000000..1fad03c8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\nlet appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\nlet operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\nAzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue in~ (operationNamesList)\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| where AppId !in (appList)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory Hybrid Health AD FS Suspicious Application",
+ "enabled": false,
+ "description": "This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.",
+ "alertRuleTemplateName": "d9938c3b-16f9-444d-bc22-ea9a9110e0fd"
+ }
+ }
+ ]
+}
\ No newline at end of file
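Review bot: The allowlist filter `| where AppId !in (appList)` in the `query` value is case-sensitive while the neighbouring `OperationNameValue in~ (operationNamesList)` is not, so an `appid` claim that differs from the two hard-coded GUIDs only in letter case would slip past the allowlist and alert; `| where AppId !in~ (appList)` keeps the two filters consistent. The `description` value is also missing its verb — "to a suspicious application adding" should read "to identify a suspicious application adding". Every rule in this export is written with `"enabled": false` and `"techniques": null` (the same holds for the hunks of PATCH 050 through 056), which is reasonable for a snapshot but means an import deploys the rule switched off and with no ATT&CK technique mapping; if that is intentional it should be documented alongside the exported templates.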
From c000ba998777a01d2a09ad212d572483e7f1c901 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:43 +0000
Subject: [PATCH 050/375] Exported file: Azure Active Directory PowerShell
accessing non-AAD resources.json.json
---
...owerShell accessing non-AAD resources.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
new file mode 100644
index 00000000..482dc022
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Active Directory PowerShell accessing non-AAD resources",
+ "enabled": false,
+ "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.",
+ "alertRuleTemplateName": "50574fac-f8d1-4395-81c7-78a463ff0c52"
+ }
+ }
+ ]
+}
\ No newline at end of file
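Review bot: The `ResourceIdentity !in (...)` exclusion in the `query` value is case-sensitive while the `AppId =~` and `TokenIssuerType =~` comparisons next to it are not; if the resource GUID is ever emitted in upper case the AAD/Graph exclusions stop matching and the rule fires on ordinary directory reads, so `| where ResourceIdentity !in~ ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000")` makes the three filters consistent. The `| where Status.errorCode == 0 // Success` line also restricts the rule to successful sign-ins, so failed attempts by the same module against non-AAD resources are deliberately dropped; the `description` should say so, because analysts reading "will alert when a user or application signs in" may expect failures to appear too.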
From 2df27f023aad65f9db039f927320b9a6c07a19d2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:44 +0000
Subject: [PATCH 051/375] Exported file: Azure DevOps Administrator Group
Monitoring.json.json
---
...DevOps Administrator Group Monitoring.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
new file mode 100644
index 00000000..381cb64c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05c4ea76-9c7f-4865-824b-178cbb899a82')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05c4ea76-9c7f-4865-824b-178cbb899a82')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT4H",
+ "queryPeriod": "PT4H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n// Change to true to monitor for Project Administrator adds to *any* project\nlet MonitorAllProjects = false;\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\nlet ProjectsToMonitor = dynamic(['','']);\nAzureDevOpsAuditing\n| where Area == \"Group\" and OperationName == \"Group.UpdateGroupMembership.Add\"\n| where Details has 'Administrators'\n| where Details has \"was added as a member of group\" and (Details endswith '\\\\Project Administrators' or Details endswith '\\\\Project Collection Administrators')\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\' GroupName\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\n| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Administrator Group Monitoring",
+ "enabled": false,
+ "description": "This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.",
+ "alertRuleTemplateName": "89e6adbd-612c-4fbe-bc3d-32f81baf3b6c"
+ }
+ }
+ ]
+}
\ No newline at end of file
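Review bot: The query computes `Severity = iif(Level == 'Organization', 'High', 'Medium')` but the resource carries a fixed `"severity": "Medium"` and no `alertDetailsOverride`, so organization-level administrator additions surface at Medium like every other hit; either drop the computed column or add an `alertDetailsOverride` that maps it onto the alert severity. Separately, `let ProjectsToMonitor = dynamic(['','']);` together with `let MonitorAllProjects = false;` means the project branch of `| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'` can only match an empty project name, so as exported only Project Collection Administrators additions alert. The `description` should state that the list must be populated or the flag flipped before the rule covers project scope.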
From 5fb4c01e13889b7d56b461890e78db02e41f4770 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:45 +0000
Subject: [PATCH 052/375] Exported file: Azure DevOps Agent Pool Created Then
Deleted.json.json
---
...evOps Agent Pool Created Then Deleted.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
new file mode 100644
index 00000000..7daf66d8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let lookback = 14d;\nlet timewindow = 7d;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolCreated\"\n| extend AgentCloudId = tostring(Data.AgentCloudId)\n| extend PoolType = iif(isnotempty(AgentCloudId), \"Azure VMs\", \"Self Hosted\")\n// Comment this line out to include cloud pools as well\n| where PoolType == \"Self Hosted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend IsHosted = tostring(Data.IsHosted)\n| extend IsLegacy = tostring(Data.IsLegacy)\n| extend timekey = bin(TimeGenerated, timewindow)\n// Join only with pools deleted in the same window\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolDeleted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Agent Pool Created Then Deleted",
+ "enabled": false,
+ "description": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.",
+ "alertRuleTemplateName": "acfdee3f-b794-404a-aeba-ef6a1fa08ad1"
+ }
+ }
+ ]
+}
\ No newline at end of file
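Review bot: The join key `timekey = bin(TimeGenerated, timewindow)` pairs a creation with a deletion only when both fall into the same fixed 7-day bucket, so a pool created on the last day of one bucket and deleted on the first day of the next is missed even though it lived a single day; joining on `AgentPoolId` alone and then filtering the deletion's `TimeGenerated` to the interval between the creation time and creation time + `timewindow` closes that boundary gap. With `"queryFrequency": "P7D"` and `"queryPeriod": "P14D"` (and `let lookback = 14d;` in the query) each run also re-scans the previous run's window, so the same create/delete pair can open two incidents on consecutive runs while `groupingConfiguration.enabled` is `false`; either align the period with the frequency or enable grouping on the pool entity.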
From d56788a1fb6781f450ba5e4f0f155b029fc87ab4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:46 +0000
Subject: [PATCH 053/375] Exported file: Azure DevOps Audit Stream
Disabled.json.json
---
.../Azure DevOps Audit Stream Disabled.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
new file mode 100644
index 00000000..cb3e0d9b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"AuditLog.StreamDisabledByUser\"\n| extend StreamType = tostring(Data.ConsumerType)\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Audit Stream Disabled",
+ "enabled": false,
+ "description": "Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate.",
+ "alertRuleTemplateName": "4e8238bd-ff4f-4126-a9f6-09b3b6801b3d"
+ }
+ }
+ ]
+}
\ No newline at end of file
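Review bot: `"queryFrequency": "P1D"` on a High-severity rule for `AuditLog.StreamDisabledByUser` means the disable event can wait up to a day before anyone sees it, which is exactly the window the `description` says an attacker uses to act and re-enable the stream. The query is a single-table filter with no joins, so running it as `"queryFrequency": "PT1H"` with `"queryPeriod": "PT1H"` is cheap and shrinks that window considerably. `StreamType = tostring(Data.ConsumerType)` is presumably the stream target (SIEM/storage) — worth confirming against the AzureDevOpsAuditing schema before relying on it in triage.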
From 0859d890d3d08a327bae226be85a8f85a8b0655d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:47 +0000
Subject: [PATCH 054/375] Exported file: Azure DevOps Build Variable Modified
by New User_.json.json
---
... Build Variable Modified by New User_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
new file mode 100644
index 00000000..75675e69
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/10254512-df08-4fea-8619-c505e87d377b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/10254512-df08-4fea-8619-c505e87d377b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet historical_data =\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend variables = Data.Variables\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| project UserKey;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| where UserKey !in (historical_data)\n| project-away UserKey\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Build Variable Modified by New User.",
+ "enabled": false,
+ "description": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \nmodifying them before.",
+ "alertRuleTemplateName": "3b9a44d7-c651-45ed-816c-eae583a6f2f1"
+ }
+ }
+ ]
+}
\ No newline at end of file
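Review bot: `| extend variables = Data.Variables` in the `historical_data` baseline is computed and then discarded by `| project UserKey`, so it is dead work on every run and should be dropped. The baseline is keyed on `VariableGroupId`-`ActorUserId` over the window `ago(lookback)` to `ago(timeframe)`, so a variable group created within the last day has no history and its first edit by its own creator alerts, and a user who last touched a group more than 14 days ago is treated as new; both are defensible but the `description` should spell them out for triage. The `displayName` value `"Azure DevOps Build Variable Modified by New User."` carries a trailing period the other rules in the series do not, and it is presumably what produced the `_` in the exported filename.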
From 4a5169c6dc8ccb1d5de9e7209d5ad984b965741b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:48 +0000
Subject: [PATCH 055/375] Exported file: Azure DevOps New Extension
Added.json.json
---
.../Azure DevOps New Extension Added.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
new file mode 100644
index 00000000..3b224b1f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let allowed_publishers = dynamic([]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Extension.Installed\"\n| extend ExtensionName = tostring(Data.ExtensionName)\n| extend PublisherName = tostring(Data.PublisherName)\n| where PublisherName !in (allowed_publishers)\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps New Extension Added",
+ "enabled": false,
+ "description": "Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \nThis query looks for new extensions that are not from a configurable list of approved publishers.",
+ "alertRuleTemplateName": "bf07ca9c-e408-443a-8939-6860a45a929e"
+ }
+ }
+ ]
+}
\ No newline at end of file
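Review bot: `let allowed_publishers = dynamic([]);` leaves the allowlist empty, so `| where PublisherName !in (allowed_publishers)` is a no-op and every `Extension.Installed` event alerts until someone edits the query; the `description` calls the list configurable but nothing in the template exposes it, so it should at least be stated as a required post-deployment step. The `!in` comparison is also case-sensitive; publisher names are free text, so `| where PublisherName !in~ (allowed_publishers)` is the safer form once the list is populated.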
From 9211e705eefe41dfb3f82b756c7a7079cbc6441e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:49 +0000
Subject: [PATCH 056/375] Exported file: Azure DevOps PAT used with
Browser_.json.json
---
.../Azure DevOps PAT used with Browser_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
new file mode 100644
index 00000000..f3e7ef1b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\"\n// Look for useragents that include a redenring engine\n| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps PAT used with Browser.",
+ "enabled": false,
+ "description": "Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.",
+ "alertRuleTemplateName": "5f0d80db-3415-4265-9d52-8466b7372e3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
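Review bot: The comment inside the `query` value reads `// Look for useragents that include a redenring engine` — "redenring" should be "rendering"; since it lives in the query string it is shown in the rule editor on every deployment, so it should be fixed at the source of the export. The `has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")` test also matches any client that sends a browser-like User-Agent, not only interactive browsers, so the `description`'s "should not be normal activity" is an assumption to confirm against the tenant's own automation before the rule is enabled; it is exported with `"enabled": false`, which leaves room to tune first.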
From af9c14f861e58a328c23b019b329d9de6d35f583 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:49 +0000
Subject: [PATCH 057/375] Exported file: Azure DevOps Personal Access Token
(PAT) misuse.json.json
---
...ps Personal Access Token (PAT) misuse.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
new file mode 100644
index 00000000..e5f4bec3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41f05d3b-cc19-40f4-942e-d6748668eb18')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41f05d3b-cc19-40f4-942e-d6748668eb18')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\n// Allowlisted UPNs should likely stay empty\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\n// Operation Name parts that will alert\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\n// Distinct Operation Names that will flag\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\nAzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\n and ActorUPN !in (AllowlistedUpns)\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Personal Access Token (PAT) misuse",
+ "enabled": false,
+ "description": "This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\nUse this query for baselining:\nAzureDevOpsAuditing\n| distinct OperationName",
+ "alertRuleTemplateName": "ac891683-53c3-4f86-86b4-c361708e2b2b"
+ }
+ }
+ ]
+}
\ No newline at end of file
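Review bot: The allowlist on the `let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];` line ships two placeholder addresses even though its own comment says it should likely stay empty, so every workspace that deploys this template inherits them; `let AllowlistedUpns = datatable(UPN:string)[];` is the safe starting point. The exclusion `ActorUPN !in (AllowlistedUpns)` is also case-sensitive, so a UPN logged with different casing than the allowlist entry is not excluded; `!in~` matches the case-insensitive intent for UPNs. Note too that `techniques` is null while `Execution` and `Impact` tactics are set, so the rule carries no ATT&CK technique mapping for analysts to pivot on.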
From 3536454d1a807509e4539ac8fc9ea8670390ab20 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:50 +0000
Subject: [PATCH 058/375] Exported file: Azure DevOps Pipeline Created and
Deleted on the Same Day.json.json
---
...e Created and Deleted on the Same Day.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
new file mode 100644
index 00000000..751b6ae4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P3D",
+ "queryPeriod": "P3D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 3d;\n// Get Release Pipeline Creation Events and group by day\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineCreated\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some columns to make output clearer\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineDeleted\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some things to make the output clearer\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\n| project TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pipeline Created and Deleted on the Same Day",
+ "enabled": false,
+ "description": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.",
+ "alertRuleTemplateName": "17f23fbe-bb73-4324-8ecf-a18545a5dc26"
+ }
+ }
+ ]
+}
\ No newline at end of file
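Review bot: The join on `PipelineId, timekey` only pairs creation and deletion events that fall in the same calendar-day bin, so a pipeline created at 23:50 and deleted at 00:10 — inside the "same day" window the description promises — is never matched. Joining on `PipelineId` alone and filtering on the gap, `| where TimeDeleted between (TimeCreated .. TimeCreated + 1d)`, catches any deletion within 24 hours of creation regardless of the midnight boundary, and the two `timekey` extends can then go. The default `join` kind is `innerunique`, which keeps one left-side row per key; that is fine here, but a comment saying so would help since, if pipeline ids can be reused, a second creation of the same id inside one window would be collapsed.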
From befffe61c611d25146b1e7dea66fdd52af8b8b65 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:51 +0000
Subject: [PATCH 059/375] Exported file: Azure DevOps Pipeline modified by a
new user_.json.json
---
...vOps Pipeline modified by a new user_.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
new file mode 100644
index 00000000..9b968c7a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/288cca7e-3f39-42fc-ada2-eca124936ec2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/288cca7e-3f39-42fc-ada2-eca124936ec2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Set the lookback to determine if user has created pipelines before\nlet timeback = 14d;\n// Set the period for detections\nlet timeframe = 1d;\n// Get a list of previous Release Pipeline creators to exclude\nlet releaseusers = AzureDevOpsAuditing\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\n| where OperationName in (\"Release.ReleasePipelineCreated\", \"Release.ReleasePipelineModified\")\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| summarize by UserScope;\n// Get Release Pipeline creations by new users\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineModified\"\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| where UserScope !in (releaseusers)\n| extend ActorUPN = tolower(ActorUPN)\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\n| join kind = leftouter (\nSecurityAlert\n| where TimeGenerated > ago(timeframe)\n| where ProviderName == \"IPC\"\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\n// Uncomment the line below to only show results where the user as AADIdP alerts\n//| where Alerts > 0\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pipeline modified by a new user.",
+ "enabled": false,
+ "description": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \nin order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.",
+ "alertRuleTemplateName": "155e9134-d5ad-4a6f-88f3-99c220040b66"
+ }
+ }
+ ]
+}
\ No newline at end of file
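Review bot: The baseline key `UserScope = strcat(ActorUserId, "-", ProjectName)` is per user and project, not per pipeline, so the description's claim that it flags users "not previously observed modifying or creating that pipeline" overstates what the query does: a user who touched any release pipeline in the project during the prior 14 days is excluded for every pipeline in it. Either reword the description to "any release pipeline in that project", or add the pipeline identity to both keys, e.g. `strcat(ActorUserId, "-", ProjectName, "-", tostring(Data.PipelineId))`, if `Data.PipelineId` is present on `Release.ReleasePipelineModified` events as it is on the created/deleted events the sibling rule parses — worth confirming against the audit schema. The Identity Protection join reads `parse_json(Entities)[0].AadUserId`, which assumes the account entity is always first in the alert's entity list; a comment stating that assumption (or an `mv-expand` over `Entities` filtered on the account type) would make it less brittle.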
From 5a893450ddf7a43c2032bfc26061e61c39861f64 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:52 +0000
Subject: [PATCH 060/375] Exported file: Azure DevOps Pull Request Policy
Bypassing - Historic allow list.json.json
---
...olicy Bypassing - Historic allow list.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
new file mode 100644
index 00000000..fa73bd4c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bf49942-c5ad-448a-bf6b-893f39186ea2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bf49942-c5ad-448a-bf6b-893f39186ea2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\nlet historicBypassers = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| parse ScopeDisplayName with OrganizationName '(Organization)'\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Pull Request Policy Bypassing - Historic allow list",
+ "enabled": false,
+ "description": "This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.",
+ "alertRuleTemplateName": "4d8de9e6-263e-4845-8618-cd23a4f58b70"
+ }
+ }
+ ]
+}
\ No newline at end of file
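Review bot: The historic allowlist is learned from unvetted history: any account that bypassed a branch policy between 14 days and 3 hours ago — including a first, possibly malicious, bypass that was itself alerted on — drops out of scope for the following two weeks, so a repeat bypass by the same actor is silent. That is the rule's stated design, but a comment next to `historicBypassers` spelling out the trade-off would help a tuner, and pairing it with a non-baselined rule for high-value repositories is advisable. As in the other templates, `AuthorizedBypassers` ships with placeholder UPNs (`foo@baz.com`, `test@foo.com`) rather than `dynamic([])`, and both `!in` comparisons on `ActorUPN` are case-sensitive; `!in~` is the safer form for UPNs.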
From 4db8ceb494cea9463298f3160e8d721243f21252 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:53 +0000
Subject: [PATCH 061/375] Exported file: Azure DevOps Retention
Reduced.json.json
---
.../Azure DevOps Retention Reduced.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
new file mode 100644
index 00000000..1567aab0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/769308db-305a-47ed-9837-bfb6bec71ea7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/769308db-305a-47ed-9837-bfb6bec71ea7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Pipelines.PipelineRetentionSettingChanged\"\n| where Data.SettingName in (\"PurgeArtifacts\", \"PurgeRuns\")\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Retention Reduced",
+ "enabled": false,
+ "description": "AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.",
+ "alertRuleTemplateName": "71d374e0-1cf8-4e50-aecd-ab6c519795c2"
+ }
+ }
+ ]
+}
\ No newline at end of file
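Review bot: `Data.NewValue` and `Data.OldValue` are compared as raw dynamic values in `Data.NewValue == 1 or Data.NewValue < Data.OldValue/2`; if the audit payload carries them as strings the equality never matches and the arithmetic comparison may not behave as intended, and if they are integers `OldValue/2` is integer division, so a drop from 5 to 2 (more than half) is not caught. Converting explicitly and avoiding the division — `| extend NewValue = toint(Data.NewValue), OldValue = toint(Data.OldValue)` then `| where NewValue == 1 or 2 * NewValue < OldValue` — makes the behaviour described ("reduced to 1, or reduced by more than half") hold either way. Wrapping the setting filter as `tostring(Data.SettingName) in ("PurgeArtifacts", "PurgeRuns")` is the same kind of hardening.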
From 3894d758f3efc6f5ba09b9e9b1996f60515b54a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:53 +0000
Subject: [PATCH 062/375] Exported file: Azure DevOps Service Connection
Abuse.json.json
---
...Azure DevOps Service Connection Abuse.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
new file mode 100644
index 00000000..40ce7976
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4413d174-435c-48a7-8a3c-437db7ff3939')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4413d174-435c-48a7-8a3c-437db7ff3939')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n// How many greater than Service Connections you want to view per build/release\nlet ServiceConnectionThreshold = 4;\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nAzureDevOpsAuditing\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\n| where CurrentCount > ServiceConnectionThreshold\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iif(\n Type == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Persistence",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Service Connection Abuse",
+ "enabled": false,
+ "description": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \nor dump credentials from service connections.",
+ "alertRuleTemplateName": "d564ff12-8f53-41b8-8649-44f76b37b99f"
+ }
+ }
+ ]
+}
\ No newline at end of file
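Review bot: The query has no time filter of its own, so with `queryPeriod` of P14D and `queryFrequency` of P1D every build/release definition over `ServiceConnectionThreshold` re-alerts every day for two weeks, and `suppressionEnabled` is false. Either bound the aggregation to the run interval (`| where TimeGenerated > ago(1d)` before the `summarize`) or enable suppression for a matching duration. The resource also has no `entityMappings` — the other templates in this series map Account and IP — so incidents it raises carry no entities; including `ActorUPN` in the `summarize ... by` key, as the "Historic allow list" sibling does, and mapping it would let an analyst see who triggered the runs.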
From 558980dccdfc3f1a34ee9ee38dc01af6d7c6f1e1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:54 +0000
Subject: [PATCH 063/375] Exported file: Azure DevOps Service Connection
Addition_Abuse - Historic allow list.json.json
---
... Addition_Abuse - Historic allow list.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
new file mode 100644
index 00000000..9bd1181b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5410fda8-a757-41b6-97f1-79a08f07dd0f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5410fda8-a757-41b6-97f1-79a08f07dd0f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 6h;\n// Ignore Build/Releases with less/equal this number\nlet ServiceConnectionThreshold = 3;\n// New Connections need to exhibit execution of more \"new\" connections than this number.\nlet NewConnectionThreshold = 1;\n// List of Builds/Releases to ignore in your space\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nlet HistoricDefs = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\n| where CurrentCount > ServiceConnectionThreshold\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iff(\nType == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', 
DefId),\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Service Connection Addition/Abuse - Historic allow list",
+ "enabled": false,
+ "description": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.",
+ "alertRuleTemplateName": "5efb0cfd-063d-417a-803b-562eae5b0301"
+ }
+ }
+ ]
+}
\ No newline at end of file
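Review bot: The final filter `| where CurrentCount >= HistoricCount + NewConnectionThreshold` compares distinct counts, so an actor who swaps one service connection for another (drops one, adds one) leaves the count unchanged and is not flagged even though a never-before-seen connection was executed. Both sets are already in hand (`ConnectionNames` recent, `ConnectionNames1` historic), so `| extend NewConnections = set_difference(ConnectionNames, ConnectionNames1)` followed by `| where array_length(NewConnections) >= NewConnectionThreshold` tests the actual addition and can be projected for the analyst. The inner `join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` also drops any definition, or any actor on an existing definition, with no history in the prior 14 days, leaving first-time use to the non-baselined sibling rule; a comment saying so would help. The `query` value appears to be wrapped across two physical lines here (`... definitionId=', ` / `DefId), ...`), which would make the JSON invalid as committed — worth confirming this is an export/display artifact rather than the file content.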
From cd1947776e5b8b150809010b1651bc00adbfe56a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:55 +0000
Subject: [PATCH 064/375] Exported file: Azure DevOps Variable Secret Not
Secured.json.json
---
...re DevOps Variable Secret Not Secured.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
new file mode 100644
index 00000000..dd7a369c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24b268fb-0acf-4315-808e-f1e941506be3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24b268fb-0acf-4315-808e-f1e941506be3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let keywords = dynamic([\"secret\", \"secrets\", \"password\", \"PAT\", \"passwd\", \"pswd\", \"pwd\", \"cred\", \"creds\", \"credentials\", \"credential\", \"key\"]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend Type = tostring(Data.Type)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| mv-expand Data.Variables\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\n| where Type != \"AzureKeyVault\"\n| where Data_Variables !has \"IsSecret\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure DevOps Variable Secret Not Secured",
+ "enabled": false,
+ "description": "Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.",
+ "alertRuleTemplateName": "4ca74dc0-8352-4ac5-893c-73571cc78331"
+ }
+ }
+ ]
+}
\ No newline at end of file
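Review bot: The final filter `| where Data_Variables !has "IsSecret"` tests for the presence of the token rather than its value, so if the Library.VariableGroupModified payload serialises the flag in both states (`IsSecret: false` for plain variables) every variable is dropped and the rule can never fire; if it is only emitted when true the check works, but that should be confirmed against a sample event and recorded in a comment, since the detection's correctness rests entirely on it. The keyword match is also applied to `VariableGroupName`, so any modification to a group merely named "Secrets" or "Keys" alerts regardless of what the changed variable contains — consider requiring the match on the expanded variable itself. `techniques` is null; T1552 (Unsecured Credentials) is the natural mapping for the CredentialAccess tactic already set.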
From 5a78df4d7ff095dd834fe6c7fffbcde481db64d8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:56 +0000
Subject: [PATCH 065/375] Exported file: Azure Key Vault access TimeSeries
anomaly.json.json
---
...e Key Vault access TimeSeries anomaly.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
new file mode 100644
index 00000000..e77da8f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22b9eab7-3edd-483a-8aca-5568e23dad78')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22b9eab7-3edd-483a-8aca-5568e23dad78')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\n) on Resource, TimeGenerated\n| summarize EventCount=count(), 
OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Key Vault access TimeSeries anomaly",
+ "enabled": false,
+ "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052",
+ "alertRuleTemplateName": "0914adab-90b5-47a3-a79f-7cdcac843aa7"
+ }
+ }
+ ]
+}
\ No newline at end of file
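Review bot: The anomaly series is built with `step timeframe` where `timeframe = 1d`, so `AnomalyHours` holds midnight-aligned day timestamps, but the joined side bins raw events to the hour (`DateHour = bin(TimeGenerated, 1h)` and `by bin(TimeGenerated,1h)` before `on Resource, TimeGenerated`); only Key Vault operations that fell in the 00:00–01:00 hour of an anomalous day can satisfy both the `in (AnomalyHours)` filter and the join, and the rest of that day's accesses never reach the alert. Bin both sides to the same granularity, e.g. `| extend DateHour = bin(TimeGenerated, timeframe)` and `by bin(TimeGenerated, timeframe), Resource, …`, or set `timeframe = 1h` so it matches the `HourlyCount` naming. The description also states the baseline is "by CallerIPAddress", whereas `make-series … by Resource` groups per vault only and `CallerIPAddress` is projected but unused in the series; one of the two should be corrected.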
From 939fad49e76e7e39a7ede25330c223f76874c435 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:56 +0000
Subject: [PATCH 066/375] Exported file: Azure Portal Signin from another Azure
Tenant.json.json
---
...rtal Signin from another Azure Tenant.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
diff --git a/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
new file mode 100644
index 00000000..7904a727
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211129.json\"]\nwith(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes);\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where AppDisplayName =~ \"Azure Portal\"\n// Only get logons where the IP address is in an Azure range\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but it helps reduce FPs)\n| where ResourceTenantId == TenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure Portal Signin from another Azure Tenant",
+ "enabled": false,
+ "description": "This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.",
+ "alertRuleTemplateName": "87210ca1-49a4-4a7d-bb4a-4988752f978c"
+ }
+ }
+ ]
+}
\ No newline at end of file
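Review bot: The Azure IP allow-list is fetched with `externaldata` from a URL pinned to `ServiceTags_Public_20211129.json`; when that weekly snapshot is retired the download fails and the whole query errors, so the rule stops producing alerts without any signal other than rule-health failures. The inline comment acknowledges the URL must be hand-maintained, but there is no fallback; at minimum say so in the description and consider sourcing the ranges from a maintained watchlist or the service-tag API instead of a dated file. Separately, `ipv4_lookup` only evaluates IPv4 prefixes, so a sign-in from an Azure IPv6 range (also present in the service-tag file) is never matched — worth a comment such as `// IPv6 Azure ranges are not covered by ipv4_lookup` next to the `evaluate` line.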
From bec85dddc30656f4b244021c141a2aa90e4c5b14 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:57 +0000
Subject: [PATCH 067/375] Exported file: Azure VM Run Command operation
executed during suspicious login window.json.json
---
...ecuted during suspicious login window.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
new file mode 100644
index 00000000..49ff5bff
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P2D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n// Create a join key using the Caller (UPN)\n| extend joinkey = tolower(Caller)\n// Join the Run Command actions to UEBA data\n| join kind = inner (\n BehaviorAnalytics\n // We are specifically interested in unusual logins\n | where EventSource == \"Azure AD\" and ActivityInsights.ActionUncommonlyPerformedByUser == \"True\"\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\n | extend joinkey = tolower(UserPrincipalName)\n) on joinkey\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\n| where StartTime between (UEBAWindowStart .. 
UEBAWindowEnd)\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure VM Run Command operation executed during suspicious login window",
+ "enabled": false,
+ "description": "Identifies when the Azure Run Command operation is executed by a UserPrincipalName and IP Address \nthat has resulted in a recent user entity behaviour alert.",
+ "alertRuleTemplateName": "11bda520-a965-4654-9a45-d09f372f71aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
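Review bot: The description says the Run Command is correlated to a UEBA alert by UserPrincipalName and IP address, but the join is on `joinkey = tolower(Caller)` only; `CallerIpAddress` is carried through for the entity mapping and is never compared with `UEBASourceIPLocation`, so the rule is weaker than documented — either add the IP to the correlation or amend the description to "by the same UserPrincipalName". `Caller` for a Run Command invoked by a service principal or managed identity is an object ID rather than a UPN and will never join to `BehaviorAnalytics.UserPrincipalName`, which deserves a comment since those automated callers are exactly what an attacker holding stolen credentials may use. `max(CallerIpAddress)` across the three activity events is a lexical maximum that silently picks one IP if they differ; `make_set(CallerIpAddress)` would keep them all.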
From dce3d9c574e13cb1cdca0e9e52674955cd673989 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:58 +0000
Subject: [PATCH 068/375] Exported file: Azure VM Run Command operations
executing a unique powershell script.json.json
---
... executing a unique powershell script.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
new file mode 100644
index 00000000..62fc74a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e52bd802-3e96-4391-8b7f-c57e58539370')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e52bd802-3e96-4391-8b7f-c57e58539370')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let RunCommandData = materialize ( AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n| join kind=leftouter (\n DeviceFileEvents\n | where InitiatingProcessFileName == \"RunCommandExtension.exe\"\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\n) on VirtualMachineName\n// We need to filter by time sadly, this is the only way to link events\n| where PowershellFileCreatedTimestamp between (StartTime .. 
EndTime)\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\n| join kind=inner(\n DeviceEvents\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | where InitiatingProcessCommandLine has \"-File\"\n // Extract the script name based on the structure used by the RunCommand extension\n | extend PowershellFileName = extract(@\"\\-File\\s(script[0-9]{1,9}\\.ps1)\", 1, InitiatingProcessCommandLine)\n // Discard results that didn't successfully extract, these are not run command related\n | where isnotempty(PowershellFileName)\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\n | where PSCommand != PowershellFileName \n // Now we normalise the cmdlets, we're aiming to hash them to find scripts using rare combinations\n | extend PSCommand = toupper(PSCommand)\n | order by PSCommand asc\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\n) on $left.FileName == $right.PowershellFileName\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\n| order by StartTime asc \n// We generate the hash based on the cmdlets called and the size of the powershell script\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\nlet totals = toscalar (RunCommandData\n| summarize count());\nlet hashTotals = RunCommandData\n| 
summarize HashCount=count() by ScriptFingerprintHash;\nRunCommandData\n| join kind=leftouter (\nhashTotals\n) on ScriptFingerprintHash\n// Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\n// Where the hash was only ever seen once.\n| where HashCount == 1\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure VM Run Command operations executing a unique powershell script",
+ "enabled": false,
+ "description": "Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\nin your environment.",
+ "alertRuleTemplateName": "5239248b-abfb-4c6a-8177-b104ade5db56"
+ }
+ }
+ ]
+}
\ No newline at end of file
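Review bot: `ScriptFingerprintHash` is computed as `hash_sha256(tostring(PowershellScriptCommands))`, so the file size that the description claims is part of the fingerprint is not included — `TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)` is built on the preceding line and then never used. Two scripts with the same cmdlet set but different sizes therefore collapse into one hash and only the first is ever reported as unique; use `| extend ScriptFingerprintHash = hash_sha256(TempFingerprintString)` or drop the unused variable and correct the description. The comment "StartTimeed, Accepted (or Rejected)" is a find/replace artefact of "Started" and should be restored.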
From d1c8b4e47952f203c83095042d70803c2a39b98b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:20:59 +0000
Subject: [PATCH 069/375] Exported file: Azure WAF matching for Log4j
vuln(CVE-2021-44228).json.json
---
...tching for Log4j vuln(CVE-2021-44228).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
diff --git a/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
new file mode 100644
index 00000000..4e56f2fd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/094a8752-7d9e-4873-84ee-ff561e73b3c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/094a8752-7d9e-4873-84ee-ff561e73b3c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AzureDiagnostics\n| where details_data_s has \"jndi:\"\n| parse details_data_s with * '${' MaliciousCommand '}' *\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)",
+ "enabled": false,
+ "description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/",
+ "alertRuleTemplateName": "2de8abd6-a613-450e-95ed-08e503369fb3"
+ }
+ }
+ ]
+}
\ No newline at end of file
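Review bot: The query runs over the whole `AzureDiagnostics` table with no `Category` or `ResourceType` restriction, so `details_data_s has "jndi:"` is evaluated against every diagnostic row rather than WAF firewall logs, and any resource that happens to emit a `details_data_s` column can produce a High-severity alert; add a category filter for the Application Gateway / Front Door WAF firewall logs before the `has`. The literal re-match on `jndi:` is also narrower than the WAF's own signature: payloads obfuscated as `${${lower:j}ndi:` or `${${::-j}ndi:` that the WAF blocked and logged will not pass this filter, so keying on the WAF rule that fired (ruleId / `Message`) would be more faithful to "positive pattern match by Azure WAF" in the description. "Refrence" in the description should read "Reference".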
From adfdd97d7e9be9939ee18c596cea281bbb94a3d3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:00 +0000
Subject: [PATCH 070/375] Exported file: Base64 encoded Windows process
command-lines (Normalized Process Events).json.json
---
...and-lines (Normalized Process Events).json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
new file mode 100644
index 00000000..7ceaecf7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imProcessCreate\n | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n | where isnotempty(Process)\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Base64 encoded Windows process command-lines (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca"
+ }
+ }
+ ]
+}
\ No newline at end of file
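Review bot: The `contains` operator in the query line is case-insensitive in KQL while base64 is case-sensitive, so `| where CommandLine contains_cs "TVqQAAMAAAAEAAA"` states the intent more precisely and avoids matching unrelated mixed-case text. The literal also only catches an MZ header that begins on a 3-byte boundary of the base64 stream; the same bytes encoded at the other two alignments produce different strings, so a payload with one or two bytes before the header slips past, and the team may want to add those variants once they have been computed and checked. With `queryFrequency` and `queryPeriod` both at P1D, Execution/DefenseEvasion activity is surfaced up to a day late, which should be a deliberate choice rather than an export default.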
From 896a9d72921c977e511e51b3a216041dac33b14b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:00 +0000
Subject: [PATCH 071/375] Exported file: Base64 encoded Windows process
command-lines.json.json
---
...encoded Windows process command-lines.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
new file mode 100644
index 00000000..e07eee3a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Base64 encoded Windows process command-lines",
+ "enabled": false,
+ "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.",
+ "alertRuleTemplateName": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad"
+ }
+ }
+ ]
+}
\ No newline at end of file
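Review bot: The `contains "TVqQAAMAAAAEAAA"` filter is applied only after `summarize` has aggregated every 4688 event of the day; moving `| where CommandLine contains "TVqQAAMAAAAEAAA"` into `processEvents` directly after `| where isnotempty(CommandLine)` bounds the aggregation to matching rows instead of the whole day's process-creation volume. Note also that `SecurityEvent` 4688 carries `CommandLine` only when the "Include command line in process creation events" audit policy is enabled; without it `isnotempty(CommandLine)` drops every row and the rule is silently blind, so the description should state that prerequisite. As in the ASIM sibling rule, `contains_cs` is the more accurate operator for a case-sensitive base64 literal.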
From d2344893eca4bcea2ea05b01159a21ae627a958c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:01 +0000
Subject: [PATCH 072/375] Exported file: Brute Force Attack against GitHub
Account.json.json
---
...e Force Attack against GitHub Account.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
diff --git a/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
new file mode 100644
index 00000000..eebc9526
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d5851b1-5d59-44da-9b51-5a0482707723')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d5851b1-5d59-44da-9b51-5a0482707723')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\nlet GitHubFailedSSOLogins = (table(tableName) \n| where AppDisplayName == \"GitHub.com\" \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \n| join kind=innerunique ( \n GitHubFailedSSOLogins \n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute Force Attack against GitHub Account",
+ "enabled": false,
+ "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.",
+ "alertRuleTemplateName": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06"
+ }
+ }
+ ]
+}
\ No newline at end of file
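Review bot: The scheduling does not match the windows declared inside the query: `RunTime` is 1h but `queryFrequency` is P1D, so only the final hour of each day is ever scored and roughly 23 hours of failed GitHub SSO sign-ins per day are never evaluated. Likewise `LearningPeriod = 7d` cannot be satisfied by `"queryPeriod": "P1D"` — if Sentinel bounds the query's data to the lookback period, as I believe it does, the baseline is built from at most 23 hours rather than a week and `LearningThreshold` collapses toward `MinThreshold`. Setting `"queryFrequency": "PT1H"` and `"queryPeriod": "P8D"` (or the largest lookback the workspace permits) aligns the rule with the constants it declares. The `let` constants should probably be called out in the description the way the Azure Portal rule documents its defaults.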
From caad75161daf69ac99424cc0a39c00684d4b0108 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:02 +0000
Subject: [PATCH 073/375] Exported file: Brute force attack against Azure
Portal.json.json
---
...ute force attack against Azure Portal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
new file mode 100644
index 00000000..7c751939
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1d14a23e-7c19-4d9b-8775-eb282774958d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1d14a23e-7c19-4d9b-8775-eb282774958d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| where AppDisplayName has \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against Azure Portal",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+ "alertRuleTemplateName": "28b42356-45af-40a6-a0b4-a554cdfd5d8a"
+ }
+ }
+ ]
+}
\ No newline at end of file
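Review bot: The second `todynamic` in the first `extend` reads the wrong column — `Status = todynamic(DeviceDetail)` should be `Status = todynamic(Status)` — so `StatusCode` and `StatusDetails` are derived from device data rather than the sign-in status. The mistake is masked today because neither derived column reaches the `summarize`, but anyone extending the output (for example adding `StatusDetails` to the alert) will get silently wrong values. The 20-minute `authenticationWindow` is also paired with `"queryFrequency": "P1D"`, so a brute-force burst is surfaced up to a day after the fact; a shorter cadence such as PT1H with a matching or slightly longer `queryPeriod` is the usual choice for a CredentialAccess rule.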
From e67c9e21413c2feccb68d34c1069beb20018b037 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:03 +0000
Subject: [PATCH 074/375] Exported file: Brute force attack against a Cloud
PC.json.json
---
...Brute force attack against a Cloud PC.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
new file mode 100644
index 00000000..0535916e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nSigninLogs\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| where AppDisplayName =~ \"Windows Sign In\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against a Cloud PC",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.",
+ "alertRuleTemplateName": "3fbc20a4-04c4-464e-8fcb-6667f53e4987"
+ }
+ }
+ ]
+}
\ No newline at end of file
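Review bot: The query uses the legacy `makeset` spelling while the Azure Portal sibling rule in this same export uses `make_set`; switching to `make_set` keeps the two brute-force rules consistent and avoids relying on a deprecated alias. Unlike that sibling, this rule reads only `SigninLogs` and does not union `AADNonInteractiveUserSignInLogs`; if Windows 365 "Windows Sign In" attempts can land in the non-interactive table (I cannot confirm that from the export), failures there are never counted. As with the Portal rule, a 20-minute window evaluated once per day (`"queryFrequency": "P1D"`) delays the alert far beyond the attack window.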
From 2c9794ba45a2b657c5a8c163c9230093c3040f69 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:04 +0000
Subject: [PATCH 075/375] Exported file: Brute force attack against user
credentials (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
new file mode 100644
index 00000000..981a8c70
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nimAuthentication\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\n , FailureCount = countif(EventResult=='Failure')\n , SuccessCount = countif(EventResult=='Success') \n // might be improved by counting FailReason:Outdated as Success.\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Brute force attack against user credentials (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "Identifies evidence of brute force activity against a user highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
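Review bot: This rule declares no `entityMappings`, although every other scheduled rule in the export maps at least an Account and its query already projects `TargetUsername`, `TargetUserId` and `IPAddress`; without mappings the incident carries no entities, so entity-based investigation, incident grouping and playbooks that key on accounts or IPs have nothing to work with. `IPAddress` is a `make_set` array, so the query also needs `| mv-expand IPAddress | extend IPAddress = tostring(IPAddress)` before an IP mapping can apply, as the Azure Portal rule does. A minimal mapping block to add between `incidentConfiguration` and `tactics` is below.

```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "TargetUsername" }
    ]
  },
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IPAddress" }
    ]
  }
],
```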
From e6f2f759d2afcf08ff0e6b8b419372aed8460f1e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:05 +0000
Subject: [PATCH 076/375] Exported file: Bulk Changes to Privileged Account
Permissions.json.json
---
...ges to Privileged Account Permissions.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
diff --git a/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
new file mode 100644
index 00000000..18bc8b11
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/814a077a-8846-4195-af81-d17d1bbfd54d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/814a077a-8846-4195-af81-d17d1bbfd54d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Bulk Changes to Privileged Account Permissions",
+ "enabled": false,
+ "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+ "alertRuleTemplateName": "218f60de-c269-457a-b882-9966632b9dc6"
+ }
+ }
+ ]
+}
\ No newline at end of file
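Review bot: The base pipeline (RoleManagement filter, both `mv-expand`s, the `Role.DisplayName` match, `contains "Admin"`, and the `Target` extraction) is pasted twice verbatim — once for the hourly `dcount` and again inside `join kind=rightsemi` — so any tuning of the role filter must be made in two places or the two sides silently diverge. Bind it once with `let RoleAdds = AuditLogs | where Category =~ "RoleManagement" | ... | extend Target = tostring(TargetResources.userPrincipalName);` and reference `RoleAdds` on both sides of the join. Separately, `Target` is taken from `TargetResources.userPrincipalName`, which is empty when the member added to a role is a group or service principal, so those assignments collapse into a single empty `Target` and barely move `dcount_Target > 9`; falling back to `TargetResources.displayName` when the UPN is empty would cover them, though the exact field should be confirmed against AuditLogs before relying on it.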
From 4fdf9cd5ebf64ab1316784001e8cf6969e30785d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:05 +0000
Subject: [PATCH 077/375] Exported file: CAC Bugbash_ Valid Analytics Rule
2.json.json
---
.../CAC Bugbash_ Valid Analytics Rule 2.json | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
diff --git a/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
new file mode 100644
index 00000000..9a34a1d6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c192267-ac8a-4182-9336-f5e7647fe9e5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c192267-ac8a-4182-9336-f5e7647fe9e5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "MicrosoftSecurityIncidentCreation",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "productFilter": "Microsoft 365 Insider Risk Management",
+ "severitiesFilter": null,
+ "displayNamesFilter": null,
+ "displayNamesExcludeFilter": null,
+ "displayName": "CAC Bugbash: Valid Analytics Rule 2",
+ "enabled": true,
+ "description": "Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
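Review bot: This is the only rule in the export with `"enabled": true`, and its `displayName` ("CAC Bugbash: Valid Analytics Rule 2") together with the null `alertRuleTemplateName` mark it as a test artifact rather than production content. With `severitiesFilter`, `displayNamesFilter` and `displayNamesExcludeFilter` all `null`, it turns every Microsoft 365 Insider Risk Management alert into an incident in any workspace this template is deployed to. Either drop it from the exported set or ship it with `"enabled": false` like the rest, and if it is meant to stay, give it a production name and description.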
From 77ebd97f3b4672de48a70753f7524e3109582f5e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:06 +0000
Subject: [PATCH 078/375] Exported file: Changes made to AWS CloudTrail
logs.json.json
---
.../Changes made to AWS CloudTrail logs.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
diff --git a/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
new file mode 100644
index 00000000..9119d665
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe98a5-5be4-4a6c-9808-eef4c1946f37')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe98a5-5be4-4a6c-9808-eef4c1946f37')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"UpdateTrail\",\"DeleteTrail\",\"StopLogging\",\"DeleteFlowLogs\",\"DeleteEventBus\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Changes made to AWS CloudTrail logs",
+ "enabled": false,
+ "description": "Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ",
+ "alertRuleTemplateName": "610d3850-c26f-4f20-8d86-f10fdf2425f5"
+ }
+ }
+ ]
+}
\ No newline at end of file
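Review bot: `AccountCustomEntity = UserIdentityUserName` is empty for the most common CloudTrail actor, an assumed IAM role, so the Account entity on these incidents is blank exactly when an attacker is operating through STS credentials; the ELB security-group rule in the following commit already handles this with `| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)`, and the same fallback belongs in this query and its entity mapping. `UpdateTrail` is matched unconditionally and will fire on routine trail edits; if it proves noisy, the request parameters could be inspected for changes that actually reduce coverage, though which fields to check should be verified against the CloudTrail API reference already linked in the description. Severity "Low" for tampering with the primary audit source is also worth revisiting, since DefenseEvasion against logging is normally rated at least Medium. Minor: the description misspells `DeleteFlowLogs` as "DelteteFlowLogs".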
From fd0c7daccbd88ca8ae90eae79c31aea4ccf33920 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:07 +0000
Subject: [PATCH 079/375] Exported file: Changes to AWS Elastic Load Balancer
security groups.json.json
---
...Elastic Load Balancer security groups.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
new file mode 100644
index 00000000..2e040b09
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Elastic Load Balancer security groups",
+ "enabled": false,
+ "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/.",
+ "alertRuleTemplateName": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
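Review bot: Nothing on the `query` line distinguishes an applied change from a denied attempt — CloudTrail records both, and the Sentinel AWSCloudTrail schema exposes the failure in an `ErrorCode` column (verify against your workspace), which this rule neither filters on nor projects, so an `AccessDenied` `SetSecurityGroups` call and a successful one produce identical alerts. I would add `ErrorCode` to the `summarize ... by` key, or restrict with `| where isempty(ErrorCode)` if only effective changes should raise. The grouping key also includes `ResponseElements` and `AdditionalEventData`, which vary per call, so `EventCount` rarely exceeds 1 and the summarize mostly just renames columns. `techniques` is `null` and the tactic is `Persistence`; modifying a cloud firewall is usually classified under Defense Evasion (Impair Defenses), so the mapping is worth a second look.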
From f24c8d540b51023d1ec4dbcd1c750b3c0986eaa3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:08 +0000
Subject: [PATCH 080/375] Exported file: Changes to AWS Security Group ingress
and egress settings.json.json
---
...ity Group ingress and egress settings.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
new file mode 100644
index 00000000..71c08bd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Security Group ingress and egress settings",
+ "enabled": false,
+ "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.",
+ "alertRuleTemplateName": "4f19d4e3-ec5f-4abc-9e61-819eb131758c"
+ }
+ }
+ ]
+}
\ No newline at end of file
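Review bot: The rule never surfaces what the security-group change actually was, so an analyst cannot tell from the alert whether a port was opened to the world or a single /32 was tightened — the `query` line groups on `ResponseElements` (for these EC2 calls usually just a return flag) and omits `RequestParameters`, where the `ipPermissions` / CIDR ranges live. I would add `RequestParameters` to the `summarize ... by` key and derive a flag from it, e.g. `| extend OpenToInternet = RequestParameters has "0.0.0.0/0" or RequestParameters has "::/0"`, which can then drive severity or incident grouping. Column names follow the Sentinel AWSCloudTrail schema — confirm in the workspace before relying on them. As with the sibling AWS rules, `techniques` is `null` and the tactic is `Persistence`, although this activity is normally mapped to Defense Evasion.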
From b47ee1b0040a2f2bf6bc320b222ad87906db3c24 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:09 +0000
Subject: [PATCH 081/375] Exported file: Changes to Amazon VPC
settings.json.json
---
.../Changes to Amazon VPC settings.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
new file mode 100644
index 00000000..087b4a2c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation",
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Changes to Amazon VPC settings",
+ "enabled": false,
+ "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html",
+ "alertRuleTemplateName": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
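Review bot: `AccountCustomEntity = UserIdentityUserName` on the `query` line drops the fallback the neighbouring AWS rules use (`iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)`), so changes made through an assumed role — the common case for automation and for an attacker holding stolen temporary credentials — yield an alert with an empty Account entity. I would add the same `extend User = iif(...)` step before the `summarize`, group on `User`, and map the entity to it. Separately, `EventNameList` holds only `Create*` calls, so `AttachInternetGateway`, `ReplaceRoute`, `ReplaceNetworkAclEntry` and the `Delete*` counterparts pass silently; a freshly created internet gateway changes nothing until it is attached, so the attach call is the one that alters exposure. If the narrow "new objects only" scope is deliberate, the `description` should state that limitation explicitly.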
From 7ccd352ecaf9b6305184331118e4db6c8b08c951 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:09 +0000
Subject: [PATCH 082/375] Exported file: Changes to internet facing AWS RDS
Database instances.json.json
---
...net facing AWS RDS Database instances.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
diff --git a/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
new file mode 100644
index 00000000..7abccb3b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to internet facing AWS RDS Database instances",
+ "enabled": false,
+ "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html",
+ "alertRuleTemplateName": "8c2ef238-67a0-497d-b1dd-5c8a0f533e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
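Review bot: The `displayName` promises coverage of internet-facing RDS instances, but `EventNameList` on the `query` line watches only the legacy DB-security-group APIs (`AuthorizeDBSecurityGroupIngress`, `CreateDBSecurityGroup`, ...), which apply to EC2-Classic-style deployments; an instance in a VPC becomes reachable from the internet through `ModifyDBInstance` / `CreateDBInstance` with `publiclyAccessible` set and through its VPC security group, none of which this rule sees. I would at least add `ModifyDBInstance` and `CreateDBInstance` to the list and keep `RequestParameters` in the output so the `publiclyAccessible` value is visible to the analyst (a narrower variant is `| where RequestParameters has "publiclyAccessible"`) — confirm the parameter casing against CloudTrail records in your tenant. The `AccountCustomEntity = UserIdentityUserName` mapping also lacks the `SessionIssuerUserName` fallback the other exported AWS rules use, so role-session activity produces an empty Account entity. The `description` sentence `monitoring changes to especially internet facing AWS RDS (Relational Database Service)` breaks off mid-thought and should be completed.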
From ff1a29e3523811833be2d946a15dc4075f8e472a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:10 +0000
Subject: [PATCH 083/375] Exported file: Chia_Crypto_Mining - Domain, Process,
Hash and IP IOCs - June 2021.json.json
---
...Process, Hash and IP IOCs - June 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
diff --git a/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
new file mode 100644
index 00000000..6fd88e78
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda5807c-80cb-4159-adcb-884589deef20')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda5807c-80cb-4159-adcb-884589deef20')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in 
(IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Chia crypto IOC detected', Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, 
ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = 'Chia crypto IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlertDetail = 'Chia crypto IOC detected', FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source 
== \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, 
FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.",
+ "alertRuleTemplateName": "595a10c9-91be-4abb-bbc7-ae9c57848bef"
+ }
+ }
+ ]
+}
\ No newline at end of file
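Review bot: The whole rule hinges on an `externaldata` fetch of `ChiaCryptoIOC.csv` from the `master` branch of a public GitHub repository at every run, so the detection is only as trustworthy and as available as that URL: if the file moves, the fetch fails, or the branch content changes, the rule either silently matches nothing or starts matching whatever the new CSV says, with no signal to the SOC. I would pin the URL to an immutable commit rather than `master`, or better, load the indicators into a watchlist or the threat-intelligence table and join on that, and add a comment at the top of the query such as `// IOC list is fetched at query time; an empty or unreachable feed turns this rule into a silent no-op — monitor feed availability separately.` The Sysmon sub-queries depend on positional fields (`EventDetail.[9]`, `[14]`, `[4]`, `[10]`, `[17]`), which the query's own comment already flags as version-dependent; a Sysmon schema change shifts every index and the rule keeps running against the wrong columns. `File`, `FilePath` and `CommandLine` are computed in the union but only `FileHashCustomEntity` is mapped in `entityMappings`, so the File entity is lost on the incident.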
From d4162891f1f92dd3a3165cd39a7c4472fea03707 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:11 +0000
Subject: [PATCH 084/375] Exported file: Cisco - firewall block but success
logon to Azure AD.json.json
---
...l block but success logon to Azure AD.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
diff --git a/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
new file mode 100644
index 00000000..49e0d333
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet aadFunc = (tableName:string){\nCommonSecurityLog\n| where DeviceVendor =~ \"Cisco\"\n| where DeviceAction =~ \"denied\"\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where SourceIPType == \"public\"\n| summarize count() by SourceIP\n| join (\n // Successful signins from IPs blocked by the firewall solution are suspect\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\n // as that supposes the password was sucessfully guessed.\n table(tableName)\n | where ResultType in (\"0\", \"50074\", \"50076\") \n) on $left.SourceIP == $right.IPAddress\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco - firewall block but success logon to Azure AD",
+ "enabled": false,
+ "description": "Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\nand could indicate credential compromise for the user account.",
+ "alertRuleTemplateName": "157c0cfc-d76d-463b-8755-c781608cdc1a"
+ }
+ }
+ ]
+}
\ No newline at end of file
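Review bot: The join on the `query` line treats a single firewall `denied` event as enough to make every successful sign-in from that IP suspect — the left side is `summarize count() by SourceIP` with no threshold and the join ignores time, so a shared corporate egress address that tripped one deny rule anywhere in the 24-hour window flags all of its legitimate users. I would keep `count_` in the output and gate on it, e.g. `| where count_ > 10` (tune to the environment), and consider a time relation such as requiring the deny to precede the sign-in. `PrivateIPregex` also classifies link-local `169.254.0.0/16` and CGNAT `100.64.0.0/10` as public, and any IPv6 source address is likewise labelled `public` while an IPv6 sign-in `IPAddress` can never match the IPv4 regex. A short comment above `let aadFunc` stating whether the time-agnostic join is intentional would help the next maintainer.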
From da726e85c2c8e1c22424dd3920287babe076c44a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:12 +0000
Subject: [PATCH 085/375] Exported file: Cisco ASA - average attack detection
rate increase.json.json
---
...verage attack detection rate increase.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
new file mode 100644
index 00000000..1a3d96bd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a9a7b49-4e79-4f64-b778-209a63227af1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a9a7b49-4e79-4f64-b778-209a63227af1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeframe = 1h;\nlet last1h = CommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlet prev6h = CommonSecurityLog \n| where TimeGenerated between (ago(6h) .. 
ago(1h))\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlast1h | join (\n prev6h \n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 2*prev6hAvgBurstRatePerSec\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Cisco ASA - average attack detection rate increase",
+ "enabled": false,
+ "description": "This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html",
+ "alertRuleTemplateName": "79f29feb-6a9d-4cdf-baaa-2daf480a5da1"
+ }
+ }
+ ]
+}
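Review bot: The correlation `last1h | join ( prev6h ) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate` relies on the default join kind, so a device/source pair that only begins emitting 733100 events in the last hour has no `prev6h` row and is silently dropped instead of alerted, which is arguably the case this rule most wants to catch; `join kind=leftouter` with `coalesce(prev6hCumTotal, 0)` (and the same for the two rate columns) would keep those rows. Both ASA rules here and in the following "threat detection message fired" hunk select on `DeviceEventClassID` and `isempty(CommunicationDirection)` alone, so a `| where DeviceVendor == "Cisco"` guard (product value to be confirmed against the ingested CEF data) would stop another vendor's identical numeric event IDs from matching. Every rule in this series also ships `"techniques": null` next to a populated `tactics` list, leaving the MITRE mapping half done. Finally, the `query` value appears to have been wrapped across two physical lines at `.. ago(1h))` by whatever produced this patch; the hunk header counts 69 lines so the exported file is presumably intact, but the patch as shown will not apply cleanly.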
\ No newline at end of file
From a3544cd099f7922a2bd5813f6dcdf832d270600e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:13 +0000
Subject: [PATCH 086/375] Exported file: Cisco ASA - threat detection message
fired.json.json
---
... ASA - threat detection message fired.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
new file mode 100644
index 00000000..be3f7747
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCommonSecurityLog \n| where isempty(CommunicationDirection) \n| where DeviceEventClassID in (\"733101\",\"733102\",\"733103\",\"733104\",\"733105\")\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Cisco ASA - threat detection message fired",
+ "enabled": false,
+ "description": "Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html",
+ "alertRuleTemplateName": "795edf2d-cf3e-45b5-8452-fe6c9e6a582e"
+ }
+ }
+ ]
+}
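Review bot: The analyst-facing `description` contains a typo, `inicated` should be `indicated`, and labels its link `Resources:` where the sibling ASA rule uses `References:`; these strings surface in the incident pane, so they are worth correcting before the rule is enabled. With `triggerThreshold` 0 and no `summarize`, every matching threat-detection syslog row in the hour is returned as an alert result, which is fine for a Medium-severity rule but may deserve a short note in the description on expected volume once it is turned on.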
\ No newline at end of file
From 818601e0372d258ca755013ad316ad76a4c5b873 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:13 +0000
Subject: [PATCH 087/375] Exported file: Cisco Umbrella - Connection to
Unpopular Website Detected.json.json
---
...nection to Unpopular Website Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
new file mode 100644
index 00000000..ada78069
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
+ "enabled": false,
+ "description": "Detects first connection to an unpopular website (possible malicious payload delivery).",
+ "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7"
+ }
+ }
+ ]
+}
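Review bot: This rule has no `entityMappings` block even though its query ends with `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`; the sibling rules in this series on the same `apiVersion` (`2022-09-01-preview`) map entities explicitly, and the `*CustomEntity` column convention is the legacy mechanism, so unless this API version still honours it (nothing in the file shows that) alerts from this rule carry no IP or URL entities and the `AllEntities` grouping setting has nothing to match on. The same omission is in the Crypto Miner User-Agent, Empty User Agent, Hack Tool User-Agent and Rare User Agent hunks that follow. Note the column is spelled `IpCustomEntity` here but `IPCustomEntity` in the rules that do carry mappings; the block below uses the spelling this query actually emits, inserted after `incidentConfiguration`.
```json
// … unchanged: $schema, parameters, resource id/name/kind, query, suppression, incidentConfiguration …
"entityMappings": [
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IpCustomEntity" }
    ]
  },
  {
    "entityType": "URL",
    "fieldMappings": [
      { "identifier": "Url", "columnName": "UrlCustomEntity" }
    ]
  }
],
// … unchanged: tactics, techniques, displayName, enabled, description, alertRuleTemplateName …
```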
\ No newline at end of file
From 8dbd92d05d647a201586130cc4f8d8b6cee9f66c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:14 +0000
Subject: [PATCH 088/375] Exported file: Cisco Umbrella - Connection to
non-corporate private network.json.json
---
...tion to non-corporate private network.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
new file mode 100644
index 00000000..a1810d0d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to non-corporate private network",
+ "enabled": false,
+ "description": "IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.",
+ "alertRuleTemplateName": "c9b6d281-b96b-4763-b728-9a04b9fe1246"
+ }
+ }
+ ]
+}
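Review bot: `| extend AccountCustomEntity = Identities` maps the raw `Identities` column onto `Account.FullName`; in Umbrella proxy logs that field can carry several comma-separated identities, and when it does the resulting account entity is a joined string that matches no real account and gives `AllEntities` grouping nothing usable (confirm against the ingested `Cisco_Umbrella` rows). Expanding it first, `| mv-expand AccountCustomEntity = split(Identities, ',')` followed by `| extend AccountCustomEntity = trim(' ', tostring(AccountCustomEntity))`, yields one entity per identity. The same mapping appears in the "Request Allowed to harmful/malicious URI category" hunk and in the "Request to blocklisted file type" hunk that this chunk cuts off.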
\ No newline at end of file
From fc23a4124a13f352ee49d5a60ffda74785e32a47 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:15 +0000
Subject: [PATCH 089/375] Exported file: Cisco Umbrella - Crypto Miner
User-Agent Detected.json.json
---
...la - Crypto Miner User-Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
new file mode 100644
index 00000000..b77d766f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"XMRig\" or HttpUserAgentOriginal contains \"ccminer\"\n| extend Message = \"Crypto Miner User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Crypto Miner User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by crypto miners in proxy logs.",
+ "alertRuleTemplateName": "b619d1f1-7f39-4c7e-bf9e-afbb46457997"
+ }
+ }
+ ]
+}
\ No newline at end of file
From efd99b7aad8853fa12ef88db7aaf5823713aca26 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:16 +0000
Subject: [PATCH 090/375] Exported file: Cisco Umbrella - Empty User Agent
Detected.json.json
---
... Umbrella - Empty User Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
new file mode 100644
index 00000000..970fe218
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal == ''\n| extend Message = \"Empty User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Empty User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "2b328487-162d-4034-b472-59f1d53684a1"
+ }
+ }
+ ]
+}
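Review bot: `| where HttpUserAgentOriginal == ''` matches only an empty string, so rows where the parser leaves the user agent absent (null) are not caught even though the display name and description promise "empty and unusual" user agents; `| where isempty(HttpUserAgentOriginal)` covers both the empty and the missing case. Whether the `Cisco_Umbrella` parser emits null or empty for a missing header is not visible here, so the replacement is worth verifying against real data before enabling the rule.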
\ No newline at end of file
From 12775d618519fb07fea8cb118b6c316cd27b1710 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:17 +0000
Subject: [PATCH 091/375] Exported file: Cisco Umbrella - Hack Tool User-Agent
Detected.json.json
---
...rella - Hack Tool User-Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
new file mode 100644
index 00000000..84affc5a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nlet user_agents=dynamic([\n '(hydra)',\n ' arachni/',\n ' BFAC ',\n ' brutus ',\n ' cgichk ',\n 'core-project/1.0',\n ' crimscanner/',\n 'datacha0s',\n 'dirbuster',\n 'domino hunter',\n 'dotdotpwn',\n 'FHScan Core',\n 'floodgate',\n 'get-minimal',\n 'gootkit auto-rooter scanner',\n 'grendel-scan',\n ' inspath ',\n 'internet ninja',\n 'jaascois',\n ' zmeu ',\n 'masscan',\n ' metis ',\n 'morfeus fucking scanner',\n 'n-stealth',\n 'nsauditor',\n 'pmafind',\n 'security scan',\n 'springenwerk',\n 'teh forest lobster',\n 'toata dragostea',\n ' vega/',\n 'voideye',\n 'webshag',\n 'webvulnscan',\n ' whcc/',\n ' Havij',\n 'absinthe',\n 'bsqlbf',\n 'mysqloit',\n 'pangolin',\n 'sql power injector',\n 'sqlmap',\n 'sqlninja',\n 'uil2pn',\n 'ruler',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Hack Tool User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by known hack tools",
+ "alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a"
+ }
+ }
+ ]
+}
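Review bot: The `user_agents` list pairs space-padded entries such as `' arachni/'`, `' BFAC '` and `' vega/'` with `has_any`, which matches indexed terms rather than substrings; leading and trailing spaces are not part of a term, so the padding that presumably came from a substring-style source list is at best ignored, and entries like `'(hydra)'` and `'core-project/1.0'` are likewise tokenized into smaller terms, so the effective matching should be tested rather than assumed to be word-bounded. A hard-coded list of this size inside a JSON-escaped query string is also awkward to maintain; the same entries as a Sentinel watchlist read via `_GetWatchlist('<watchlist-name>')` (placeholder name) would let analysts add or retire signatures without editing the rule.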
\ No newline at end of file
From 144060f0a8389dbc189842e7708084de9f9735b2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:17 +0000
Subject: [PATCH 092/375] Exported file: Cisco Umbrella - Rare User Agent
Detected.json.json
---
...o Umbrella - Rare User Agent Detected.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
new file mode 100644
index 00000000..d366425b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookBack = 14d;\nlet timeframe = 1d;\nlet user_agents_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\n| summarize count() by HttpUserAgentOriginal\n| summarize make_list(HttpUserAgentOriginal);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal !in (user_agents_list)\n| extend Message = \"Rare User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Rare User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "8c8de3fa-6425-4623-9cd9-45de1dd0569a"
+ }
+ }
+ ]
+}
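Review bot: The 14-day baseline `user_agents_list` is built with `summarize count() by HttpUserAgentOriginal | summarize make_list(HttpUserAgentOriginal)`, where the `count()` is computed and then discarded; `| distinct HttpUserAgentOriginal | summarize make_list(HttpUserAgentOriginal)` states the intent directly. Neither the baseline nor the detection side excludes empty user agents, so a blank UA not seen in the previous 14 days is reported here and again by the Empty User Agent rule earlier in this series; `| where isnotempty(HttpUserAgentOriginal)` before the `!in` keeps the two rules disjoint. The `make_list` aggregate also has a default item cap, and on a busy proxy 14 days of distinct UA strings could reach it silently and turn genuinely common agents into "rare" ones, which is worth confirming against this workspace's volume.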
\ No newline at end of file
From 3275498d9787ca5711d0d2e237f5f47239f9c201 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:18 +0000
Subject: [PATCH 093/375] Exported file: Cisco Umbrella - Request Allowed to
harmful_malicious URI category.json.json
---
...wed to harmful_malicious URI category.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
new file mode 100644
index 00000000..e6d0a858
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n UrlCategory contains 'Adware' or\n UrlCategory contains 'Alcohol' or\n UrlCategory contains 'Illegal Downloads' or\n UrlCategory contains 'Drugs' or\n UrlCategory contains 'Child Abuse Content' or\n UrlCategory contains 'Hate/Discrimination' or\n UrlCategory contains 'Nudity' or\n UrlCategory contains 'Pornography' or\n UrlCategory contains 'Proxy/Anonymizer' or\n UrlCategory contains 'Sexuality' or\n UrlCategory contains 'Tasteless' or\n UrlCategory contains 'Terrorism' or\n UrlCategory contains 'Web Spam' or\n UrlCategory contains 'German Youth Protection' or\n UrlCategory contains 'Illegal Activities' or\n UrlCategory contains 'Lingerie/Bikini' or\n UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
+ "enabled": false,
+ "description": "It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..",
+ "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce"
+ }
+ }
+ ]
+}
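Review bot: Eighteen chained `UrlCategory contains '...' or` clauses express the same check that the "Connection to non-corporate private network" rule earlier in this series writes as `UrlCategory has_any (...)`; a `let harmful_categories = dynamic([...]);` list with `| where UrlCategory has_any (harmful_categories)` is shorter, consistent with the sibling rule and easier for analysts to tune, with the caveat that `has_any` is term-based where `contains` is substring-based, so entries like `Hate/Discrimination` and `Proxy/Anonymizer` should be re-tested after the change. The analyst-facing `description` also has typos (`reccomended`, `shoud`) and a doubled period, and it would help to state which categories are expected to be policy-blocked so a hit is immediately actionable.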
\ No newline at end of file
From d702dfcbfa0e142f86b935043ee7e380e5cd9916 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:19 +0000
Subject: [PATCH 094/375] Exported file: Cisco Umbrella - Request to
blocklisted file type.json.json
---
...la - Request to blocklisted file type.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
new file mode 100644
index 00000000..fd09a950
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request to blocklisted file type",
+ "enabled": false,
+ "description": "Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).",
+ "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e"
+ }
+ }
+ ]
+}
\ No newline at end of file
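Review bot: The extension check in the `query` string is evadable in two ways that the blocklist is meant to catch: `extract(@'.*(\.\w+)$', 1, UrlOriginal)` anchors to the end of the whole URL, so `http://host/payload.ps1?x=1` or a URL with a fragment yields no extension, and `in (file_ext_blocklist)` is case-sensitive, so `.PS1`/`.Bat` never match. Deriving the extension from the parsed path and normalising case closes both gaps: `| extend url_path = tostring(parse_url(UrlOriginal).Path)`, `| extend file_ext = tolower(extract(@'(\.\w+)$', 1, url_path))`, `| where file_ext in~ (file_ext_blocklist)`; the `Filename` extract should read from `url_path` the same way. The list itself is short (`.ps1`, `.vbs`, `.bat`, `.scr`); whether `.hta`, `.js`, `.wsf`, `.lnk` or `.iso` belong in it depends on what the tenant's Umbrella policy already blocks, so I would leave that to the deployer but document it in `description`.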
From afbdce28b4d97555f64df19351582ad876a4794b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:20 +0000
Subject: [PATCH 095/375] Exported file: Cisco Umbrella - URI contains IP
address.json.json
---
...co Umbrella - URI contains IP address.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
new file mode 100644
index 00000000..6dbbecf9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlOriginal matches regex @'\\Ahttp:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - URI contains IP address",
+ "enabled": false,
+ "description": "Malware can use IP address to communicate with C2.",
+ "alertRuleTemplateName": "ee1818ec-5f65-4991-b711-bcf2ab7e36c3"
+ }
+ }
+ ]
+}
\ No newline at end of file
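Review bot: The regex in the `query` string, `\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*`, is both too narrow and too loose: it ignores `https://` requests entirely, and the trailing `.*` with no host terminator also matches hostnames whose leading labels are numeric, such as `http://10.1.2.3.example.com/`, which is not an IP-literal URL. Anchoring the host and then excluding private ranges keeps the rule on its stated purpose (C2 over a raw IP) and removes the most common benign hit, direct-to-IP internal services, if those appear in the proxy logs at all — that depends on the deployment and should be confirmed: `| where UrlOriginal matches regex @'^https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?(/|$)'`, `| extend dst_host = tostring(parse_url(UrlOriginal).Host)`, `| where not(ipv4_is_private(dst_host))`. Whether HTTPS URLs carry a path here depends on TLS decryption being enabled in Umbrella, so the `https?` extension is a best-effort widening, not a guarantee.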
From 3af86437fffabd4434bafa1e8d44bf1eaa9b9b67 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:21 +0000
Subject: [PATCH 096/375] Exported file: Cisco Umbrella - Windows PowerShell
User-Agent Detected.json.json
---
...indows PowerShell User-Agent Detected.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
new file mode 100644
index 00000000..81fa4a71
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"WindowsPowerShell\"\n| extend Message = \"Windows PowerShell User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Windows PowerShell User-Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "b12b3dab-d973-45af-b07e-e29bb34d8db9"
+ }
+ }
+ ]
+}
\ No newline at end of file
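Review bot: This rule has no `entityMappings` array, unlike every sibling rule in this series, yet its `query` ends with `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`; under `apiVersion` `2022-09-01-preview` the `*CustomEntity` column convention is not what binds columns to entities, so the alerts produced by this rule will carry no IP or URL entity and will not group or enrich like the others. Adding the explicit mapping (placed before `tactics`, matching the layout of the other files) restores that. Separately, `contains "WindowsPowerShell"` matches the Windows PowerShell 5.x user agent only; PowerShell 7 (`pwsh`) sends a `PowerShell/7.x` token as far as I know, so `has "PowerShell"` may be the broader match — verify against real log samples before widening it.
```json
      "entityMappings": [
        { "entityType": "IP",  "fieldMappings": [ { "identifier": "Address", "columnName": "IpCustomEntity" } ] },
        { "entityType": "URL", "fieldMappings": [ { "identifier": "Url",     "columnName": "UrlCustomEntity" } ] }
      ],
      "tactics": [
```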
From 2654f6b0217f32bd004f73ac95586f5cb2e6e1d4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:21 +0000
Subject: [PATCH 097/375] Exported file: ClientDeniedAccess.json.json
---
.../ClientDeniedAccess.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ClientDeniedAccess.json
diff --git a/SentinelExported-AnalyticsRule/ClientDeniedAccess.json b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
new file mode 100644
index 00000000..2f672e37
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ClientDeniedAccess",
+ "enabled": false,
+ "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
+ "alertRuleTemplateName": "a9956d3a-07a9-44a6-a279-081a85020cae"
+ }
+ }
+ ]
+}
\ No newline at end of file
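Review bot: The `join kind=inner rejectedAccess on ClientIP` in the `query` string multiplies rows: `rejectedAccess` emits one `ClientIP` row per 15-minute bin that exceeds `threshold`, so a client that crosses it in three bins within the one-hour `queryPeriod` has every one of its reject events joined three times, and the final `count()` per `ClientIP, User` is inflated by that factor. A semi-join keeps only the filter semantics that were intended, `| join kind=leftsemi rejectedAccess on ClientIP`, and the columns used afterwards (`TimeGenerated`, `ClientIP`, `User`) all come from the left side so nothing else changes. The `isnotempty(RADIUSAuth)` guards on both branches are redundant with the `=~ "Reject"` test that follows them and can be dropped.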
From 8a725ae3bd94fce6ab02d2c5591579acd26e9eef Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:22 +0000
Subject: [PATCH 098/375] Exported file: Cognni Incidents for Highly Sensitive
Business Information.json.json
---
...Highly Sensitive Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
new file mode 100644
index 00000000..517e9271
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Business Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "44e80f00-b4f5-486b-a57d-4073746276df"
+ }
+ }
+ ]
+}
\ No newline at end of file
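Review bot: `where Severity == highRisk` in the `query` string filters a `CognniIncidents_CL` custom-log column named `Severity` with no suffix, while the other fields in the same query carry the custom-log type suffixes (`informationType_s`, `userId_s`); if the ingested numeric field is actually `Severity_d` the clause silently matches nothing and the rule never fires — confirm the table schema before enabling. The literal `3` (and `1` in the low-sensitivity variants) is also an undocumented scale, so the `description` should state the Cognni severity mapping it relies on, e.g. "Cognni severity 3 = high risk". The `userId_s` value is mapped to an Account `FullName` entity; if that field is an opaque identifier rather than a UPN or display name, entity matching across rules will not work and a `Name`/`ObjectGuid` identifier would fit better — this depends on what Cognni emits and cannot be checked from the template alone.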
From d5e5aae0a270178f14f3db45d51f501307bb37b5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:23 +0000
Subject: [PATCH 099/375] Exported file: Cognni Incidents for Highly Sensitive
Financial Information.json.json
---
...ighly Sensitive Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
new file mode 100644
index 00000000..7fe66651
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "7ebb7386-6c99-4331-aab1-a185a603eb47"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8749c91b140be405296a38432dbe723a9ca977a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:24 +0000
Subject: [PATCH 100/375] Exported file: Cognni Incidents for Highly Sensitive
Governance Information.json.json
---
...ghly Sensitive Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
new file mode 100644
index 00000000..aa613d21
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2926ce29-08d2-4654-b2e8-7d8df70095d9"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b38f56e9286f8be0fff8ac8a935f95dab3bb6d39 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:25 +0000
Subject: [PATCH 101/375] Exported file: Cognni Incidents for Highly Sensitive
HR Information.json.json
---
...s for Highly Sensitive HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
new file mode 100644
index 00000000..d1fe6ab3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive HR Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "f68846cf-ec99-497d-9ce1-80a9441564fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e52cfc0ad49fcea12c54a4cebe37103b1a2d62ec Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:25 +0000
Subject: [PATCH 102/375] Exported file: Cognni Incidents for Highly Sensitive
Legal Information.json.json
---
...or Highly Sensitive Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
new file mode 100644
index 00000000..a5f7c589
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "4f45f43b-3a4b-491b-9cbe-d649603384aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
From de3f7a2ba1f890a7b2d0496feeb8cb9f75762fe5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:26 +0000
Subject: [PATCH 103/375] Exported file: Cognni Incidents for Low Sensitivity
Business Information.json.json
---
... Low Sensitivity Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
new file mode 100644
index 00000000..88334c0e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity business information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "a0647a60-16f9-4175-b344-5cdd2934413f"
+ }
+ }
+ ]
+}
\ No newline at end of file
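Review bot: The `description` string contains a stray closing bracket, `low sensitivity business information]`, which is shown verbatim to analysts in the rule details; it should read `"Display incidents in which low sensitivity business information was placed at risk by user sharing."`. The same typo appears in the Governance low-sensitivity rule exported in this series, so both should be corrected together.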
From 29833238cf3fbb95076cfecfb2415e4457427de8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:27 +0000
Subject: [PATCH 104/375] Exported file: Cognni Incidents for Low Sensitivity
Financial Information.json.json
---
...Low Sensitivity Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
new file mode 100644
index 00000000..fdb269e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From cca140ee0b5695076b9c634e902f8ba095181380 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:28 +0000
Subject: [PATCH 105/375] Exported file: Cognni Incidents for Low Sensitivity
Governance Information.json.json
---
...ow Sensitivity Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
new file mode 100644
index 00000000..d73c7c4e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity governance information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d2e40c79-fe8c-428e-8cb9-0e2282d4558c"
+ }
+ }
+ ]
+}
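Review bot: The description string `"Display incidents in which low sensitivity governance information] was placed at risk by user sharing."` carries a stray `]` that will be shown verbatim on every incident this rule creates; it should read `"description": "Display incidents in which low sensitivity governance information was placed at risk by user sharing."`. Separately, the query's `| where TimeGenerated >= ago(5h)` duplicates `"queryPeriod": "PT5H"`: the scheduled rule already scopes the query to that lookback, and an explicit `ago()` is evaluated at the actual run time, so a delayed run can silently exclude events from the start of the window. Dropping that line and letting queryPeriod define the window is the safer form; the same pattern appears in the sibling Cognni rules in this series.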
\ No newline at end of file
From 5b0ad8653f610a9be49e34574c813081d725de07 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:28 +0000
Subject: [PATCH 106/375] Exported file: Cognni Incidents for Low Sensitivity
HR Information.json.json
---
...ts for Low Sensitivity HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
new file mode 100644
index 00000000..0eb51774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33e7e266-a87e-454d-8e09-6d3e131d75ee')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "ef8654b1-b2cf-4f6c-ae5c-eca635a764e8"
+ }
+ }
+ ]
+}
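Review bot: The description reads "low sensitive HR information", which disagrees with the rule's own displayName ("Low Sensitivity HR Information") and with the wording of the sibling Low Sensitivity rules; suggest `"description": "Display incidents in which low sensitivity HR information was placed at risk by user sharing."`. Apart from the `informationType_s` literal, the query is identical to the other Low Sensitivity Cognni rules, including the redundant `ago(5h)` filter already covered by `queryPeriod`.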
\ No newline at end of file
From eee7bc9feefe9f154c1cbb71507da5e7669f8039 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:29 +0000
Subject: [PATCH 107/375] Exported file: Cognni Incidents for Low Sensitivity
Legal Information.json.json
---
...for Low Sensitivity Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
new file mode 100644
index 00000000..afb2cb58
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "8374ec0f-d857-4c17-b1e7-93d11800f8fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 430f85384706d00379087ec9ea3f4d485cd11eeb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:30 +0000
Subject: [PATCH 108/375] Exported file: Cognni Incidents for Medium
Sensitivity Business Information.json.json
---
...dium Sensitivity Business Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
new file mode 100644
index 00000000..6f89ae17
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79061028-980a-4760-881b-52e79c1015c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79061028-980a-4760-881b-52e79c1015c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2c286288-3756-4824-b599-d3c499836c11"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 133458b15557f8e625622bf0ea5fb711b938204b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:31 +0000
Subject: [PATCH 109/375] Exported file: Cognni Incidents for Medium
Sensitivity Financial Information.json.json
---
...ium Sensitivity Financial Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
new file mode 100644
index 00000000..d4dd28c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b674088a-825a-4b49-ad10-7ffa5d483059')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b"
+ }
+ }
+ ]
+}
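Review bot: The description reads "medium sensitive financial information", inconsistent with the displayName ("Medium Sensitivity Financial Information") and with the other Medium Sensitivity rules' phrasing; suggest `"description": "Display incidents in which medium sensitivity financial information was placed at risk by user sharing."`. The detection logic itself matches the sibling rules (`Severity == mediumRisk` with `mediumRisk = 2`, `informationType_s == 'Financial Information'`).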
\ No newline at end of file
From ee311c939125086f5dba67f4d5f658a2fc8fb17b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:32 +0000
Subject: [PATCH 110/375] Exported file: Cognni Incidents for Medium
Sensitivity Governance Information.json.json
---
...um Sensitivity Governance Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
new file mode 100644
index 00000000..2d01b1d4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f740a0e2-386b-4470-8b13-284d2ee5dce5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet goverence = 'Goverence Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == goverence\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "c1d4a005-e220-4d06-9e53-7326a22b8fe4"
+ }
+ }
+ ]
+}
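Review bot: The filter literal in the query, `let goverence = 'Goverence Information';`, is misspelled, while the Low Sensitivity Governance rule in this same series matches on `'Governance Information'`; if the connector emits the latter spelling, as the sibling rule suggests, `informationType_s == goverence` never matches and this rule silently produces no alerts for medium-sensitivity governance incidents. Change the two lines to `let governance = 'Governance Information';` and `| where informationType_s == governance`. Because `"enabled": false` in the export, the gap would not surface until the rule is switched on, so it is worth confirming the real values with a quick `CognniIncidents_CL | distinct informationType_s` before deploying.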
\ No newline at end of file
From 7d0a8a3824b324bbbafd3ccc8e9cd70165752cec Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:33 +0000
Subject: [PATCH 111/375] Exported file: Cognni Incidents for Medium
Sensitivity HR Information.json.json
---
...for Medium Sensitivity HR Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
new file mode 100644
index 00000000..d70dd2e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity HR Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "75ff4f7d-0564-4a55-8b25-a75be951cde3"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 97c7e3ff2fe43b92f8367a7964b9174720428d6b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:34 +0000
Subject: [PATCH 112/375] Exported file: Cognni Incidents for Medium
Sensitivity Legal Information.json.json
---
... Medium Sensitivity Legal Information.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
new file mode 100644
index 00000000..18f5dc60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e4f6960-6e74-4b97-960b-6eca2383de68')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mediumRisk = 2;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Medium Sensitivity Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which medium sensitivity legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "db750607-d48f-4aef-b238-085f4a9882f1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1911b7dd386c31f1845ba64289fbd66d4ba67326 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:35 +0000
Subject: [PATCH 113/375] Exported file: CoreBackUp Deletion in correlation
with other related security alerts.json.json
---
...on with other related security alerts.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
diff --git a/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
new file mode 100644
index 00000000..5c93e8a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41da3e01-b685-4352-bded-ae2646b20c5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityAlert\n| extend Extprop = parse_json(ExtendedProperties)\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\"Compromised Host\"]))), toupper(tostring(Extprop[\"Compromised Host\"])), tostring(parse_json(Entities)[0].HostName))\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\"User Name\"]))), tolower(tostring(Extprop[\"User Name\"])), tolower(tostring(Extprop[\"user name\"])))\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\"IpAddress\"]) \n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\n| join kind=inner\n(\nCoreAzureBackup\n| where State =~ \"Deleted\"\n| where OperationName =~ \"BackupItem\"\n| extend data = split(BackupItemUniqueId, \";\")\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\n)\non MachineName\n| project timestamp, AlertName, HostCustomEntity = MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "CoreBackUp Deletion in correlation with other related security alerts",
+ "enabled": false,
+ "description": "This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.",
+ "alertRuleTemplateName": "011c84d8-85f0-4370-b864-24c13455aa94"
+ }
+ }
+ ]
+}
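Review bot: The join key is case-normalized on only one side: the SecurityAlert branch builds `MachineName = Computer` from `toupper(...)` of the Compromised Host, while the CoreAzureBackup branch takes `MachineName=data[2]` straight out of `BackupItemUniqueId`, and KQL `join` compares string keys case-sensitively. Unless backup item IDs always carry upper-case machine names, matching rows are dropped and the correlation never fires; normalize the right side too, e.g. `| extend AzureLocation = data[0], VaultId=data[1], MachineName=toupper(tostring(data[2])), DrivesBackedUp=data[3]`. The fallback branch of the `iff(...)` for `Computer`, `tostring(parse_json(Entities)[0].HostName)`, is also not upper-cased, so the same mismatch can occur on that path; wrapping the whole `iff(...)` in `toupper()` closes both gaps.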
\ No newline at end of file
From bbba69c4111d8b14ad247e8de6bad3472ba21037 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:35 +0000
Subject: [PATCH 114/375] Exported file: Correlate Unfamiliar sign-in
properties and atypical travel alerts.json.json
---
...properties and atypical travel alerts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
diff --git a/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
new file mode 100644
index 00000000..bf47e8ba
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let Alert1 = \nSecurityAlert\n| where AlertName == \"Unfamiliar sign-in properties\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert1Time = TimeGenerated\n| extend Alert1 = AlertName\n| extend Alert1Severity = AlertSeverity\n;\nlet Alert2 = \nSecurityAlert\n| where AlertName == \"Atypical travel\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert2Time = TimeGenerated\n| extend Alert2 = AlertName\n| extend Alert2Severity = AlertSeverity\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\n| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\n;\nAlert1\n| join kind=inner Alert2 on UserPrincipalName\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\n| extend TimeDelta = Alert1Time - Alert2Time\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\n| extend AccountCustomEntity = UserPrincipalName\n| extend IPCustomEntity = CurrentIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Correlate Unfamiliar sign-in properties and atypical travel alerts",
+ "enabled": false,
+ "description": "The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.",
+ "alertRuleTemplateName": "a3df4a32-4805-4c6d-8699-f3c888af2f67"
+ }
+ }
+ ]
+}
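Review bot: The Atypical travel branch reads the current and previous location and IP by fixed position, `parse_json(Entities)[1]` and `parse_json(Entities)[2]`, which assumes the Entities array always lists the two IP entities in that order after the account; if the alert payload orders them differently the two locations swap or come back empty, and `IPCustomEntity` (taken from `CurrentIPAddress`) is mapped to the wrong or a blank address. Selecting the entities by their type field (for example via `mv-apply` over `parse_json(Entities)`) is more robust, and at minimum a guard such as `| where isnotempty(CurrentIPAddress)` keeps the entity mapping from receiving blanks. Note also that the inner join on `UserPrincipalName` over a one-day window can multiply rows when a user has several alerts of each kind; the `abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10` filter limits that but does not deduplicate, so `summarize arg_min(TimeDelta, *) by UserPrincipalName` may be wanted if one incident per user is the intent.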
\ No newline at end of file
From b6e5c3a5da297725f90058f47062aa48a1996b7f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:36 +0000
Subject: [PATCH 115/375] Exported file: Create Incident for XDR Alerts
(Critical & High).json.json
---
...dent for XDR Alerts (Critical & High).json | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
new file mode 100644
index 00000000..6e26ee7c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bde332b1-a602-44eb-b834-99dc1e0b42d9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bde332b1-a602-44eb-b834-99dc1e0b42d9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "Create Incident for XDR Alerts (Critical & High)",
+ "enabled": false,
+ "description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Critical & High Serverity Alerts)",
+ "alertRuleTemplateName": "0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd"
+ }
+ }
+ ]
+}
\ No newline at end of file
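Review bot: `let threshold = 100;` at the top of the query is never referenced, so it is dead code and should be dropped; the same unused binding appears in the "Medium & Low" rule in the next patch. The description also misspells "Severity" as "Serverity" in both rules. The final `extend` binds `impactScope_host_s` to `IPCustomEntity`, which `entityMappings` then maps to the IP entity's `Address` identifier; if that connector column carries a hostname rather than an address, the IP entity will be populated with non-IP values, so this is worth confirming against the TrendMicro_XDR_CL schema.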
From fa0e0cf83d6b8aac4978845140cf678438edd9a7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:37 +0000
Subject: [PATCH 116/375] Exported file: Create Incident for XDR Alerts (Medium
& Low).json.json
---
...ncident for XDR Alerts (Medium & Low).json | 75 +++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
new file mode 100644
index 00000000..912fc84b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json
@@ -0,0 +1,75 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc94a765-bab8-4692-9cec-86978582f1b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc94a765-bab8-4692-9cec-86978582f1b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": null,
+ "techniques": null,
+ "displayName": "Create Incident for XDR Alerts (Medium & Low)",
+ "enabled": false,
+ "description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Medium & Low Serverity Alerts)",
+ "alertRuleTemplateName": "00282588-11e7-436d-90e8-011256c3c691"
+ }
+ }
+ ]
+}
\ No newline at end of file
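Review bot: `"severity": "High"` is assigned to a rule whose query only admits XDR alerts with `modelSeverity_s == 'medium' or modelSeverity_s == 'low'`, so every incident it creates is rated above the source alert's own severity band. Either lower the rule severity to match the filter (e.g. `"severity": "Medium"`) or state in the description why the escalation is intended. The unused `threshold` binding and the "Serverity" typo noted on the "Critical & High" rule apply here as well.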
From 26ac9206c65e9dd49307c16cd0765be47caf4ee3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:38 +0000
Subject: [PATCH 117/375] Exported file: Creation of expensive computes in
Azure.json.json
---
...eation of expensive computes in Azure.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
diff --git a/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
new file mode 100644
index 00000000..f4c5db53
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Low",
+ "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Creation of expensive computes in Azure",
+ "enabled": false,
+ "description": "Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions",
+ "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3"
+ }
+ }
+ ]
+}
\ No newline at end of file
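Review bot: `clientIpAddress` is computed with `extend` from `HTTPRequest` and then immediately discarded by the following `project`, which carries `CallerIpAddress` instead; either remove the `extend` or add `clientIpAddress` to the projection if it was meant to feed `IPCustomEntity`. With `"triggerOperator": "GreaterThan"` and `"triggerThreshold": 1`, a single expensive-VM creation within the P1D window will not fire the rule; if one creation should alert, the threshold should be `0` as in the neighbouring rules — confirm which is intended. A one-line KQL comment above `let tokens` stating that the entries are vCPU-count and GPU-SKU substrings would help the next maintainer extend the list safely.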
From af0bf9b6e6121f5ba13a12a491414f53d641ecb8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:39 +0000
Subject: [PATCH 118/375] Exported file: Credential added after admin consented
to Application.json.json
---
... after admin consented to Application.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
diff --git a/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
new file mode 100644
index 00000000..c2f0b7c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c22319a-c4d1-411e-8764-72a96333f21e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c22319a-c4d1-411e-8764-72a96333f21e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P2D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetResourceType = tostring(target.type)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend isAdminConsent = targetModifiedProp[0].newValue\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\n| extend Consent_Permissions = targetModifiedProp[4].newValue\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\n| extend UpdatedProperties = targetModifiedProp[1].newValue\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend 
TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent > TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Credential added after admin consented to Application",
+ "enabled": false,
+ "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities",
+ "alertRuleTemplateName": "707494a5-8e44-486b-90f8-155d1797a8eb"
+ }
+ }
+ ]
+}
\ No newline at end of file
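Review bot: `| where TimeConsent > TimeCred` keeps rows where the consent event is later than the credential event, which is the opposite ordering from the displayName and description ("credentials were added … after the application was granted admin consent"); if the description is right the filter should read `| where TimeCred > TimeConsent`, otherwise the description should be corrected — please confirm the intent. The query also reads `modifiedProperties` by fixed index (`targetModifiedProp[5]`, `[4]`, `[2]`, …), so any change in the order Azure AD emits those properties silently mislabels `Consent_ServicePrincipalNames`, `Consent_Permissions` and `Credential_ServicePrincipalNames`; selecting the property by its `displayName` would be more robust. Note that the asymmetric lookbacks (`auditLookbackStart = 2d` for consents, `auditLookbackEnd = 1d` for credentials) only make sense once the intended ordering is settled.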
From eea3b49290ccb573d59d32ec549944a2a7cb1bd0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:39 +0000
Subject: [PATCH 119/375] Exported file: Critical Threat Detected.json.json
---
.../Critical Threat Detected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Critical Threat Detected.json
diff --git a/SentinelExported-AnalyticsRule/Critical Threat Detected.json b/SentinelExported-AnalyticsRule/Critical Threat Detected.json
new file mode 100644
index 00000000..4a9bdb5e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Critical Threat Detected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ae05016-a937-41c9-92ab-9c347b0ea127')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ae05016-a937-41c9-92ab-9c347b0ea127')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Critical Threat Detected",
+ "enabled": false,
+ "description": "This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.",
+ "alertRuleTemplateName": "2ca4e7fc-c61a-49e5-9736-5da8035c47e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
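Review bot: the rule is named "Critical Threat Detected" and fires on `threatHunterInfo_score_d >= 8`, yet `"severity"` is `"Medium"` and `"tactics"` is `["LateralMovement"]`, and neither value obviously follows from the query — a Carbon Black score threshold says nothing about the technique involved. Consider aligning the severity with the displayName (or renaming the rule) and setting `"tactics": null` unless the data justifies a specific tactic, so incidents are not mis-tagged in MITRE views. Stylistically, `count()` is computed in the `summarize` only to be removed by `project-away count_`; `summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ...` gives the same result without the extra column.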
From bcc0dae46a056591a8c1a7007f6400f1f10a6302 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:40 +0000
Subject: [PATCH 120/375] Exported file: DEV-0322 Serv-U related IOCs - July
2021.json.json
---
...-0322 Serv-U related IOCs - July 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
diff --git a/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
new file mode 100644
index 00000000..ba92a046
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet parentprocess = (iocs | where Type =~ \"parentprocess\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (IPList), \"RequestUrl\",\"NoMatch\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, IPMatch == \"RequestUrl\", RequestURL, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = 
case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', 
UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = 'Dev-0322 IOC match'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where SourceHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = 'Dev-0322 IOC match'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ParentImage = EventDetail.[20].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = 
\"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceProcessEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, 
AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\n),\n( SecurityEvent\n| where EventID == 4688\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "DEV-0322 Serv-U related IOCs - July 2021",
+ "enabled": false,
+ "description": "Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.",
+ "alertRuleTemplateName": "4759ddb4-2daf-43cb-b34e-d85b85b4e4a5"
+ }
+ }
+ ]
+}
\ No newline at end of file
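Review bot: in the `CommonSecurityLog` branch the `where` admits rows with `RequestURL has_any (IPList)`, but the `IPMatch` case tests `RequestURL in (IPList)` (exact match), so a URL that merely contains an IoC address passes the filter, falls through to `"NoMatch"`, and `IPCustomEntity` is set to the literal string `"NoMatch"`; the case branch should use the same `has_any` predicate, or extract the address with `IPRegex` as the `Message` branch does. The query sets `AlgorithmCustomEntity` in the Sysmon and Device* branches but `entityMappings` only maps the FileHash `Value`; if the hash entity is meant to be fully identified, add `{ "identifier": "Algorithm", "columnName": "AlgorithmCustomEntity" }` beside it, and `ProcessCustomEntity`/`UrlCustomEntity` are likewise emitted but unmapped. The IoC list is fetched at query time from a raw.githubusercontent.com CSV via `externaldata`, so what this rule matches depends on that remote file being reachable and unchanged — an outage or upstream edit silently changes detection coverage, which deserves a sentence in the description and a decision on whether a workspace watchlist is preferable for this deployment.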
From 747677597ed4078f2f21c82d9f36f5ef85ad3681 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:41 +0000
Subject: [PATCH 121/375] Exported file: DNS events related to ToR proxies
(Normalized DNS).json.json
---
...lated to ToR proxies (Normalized DNS).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
new file mode 100644
index 00000000..c67b1c6b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e52f7d5-cb46-4880-9b3a-279444078bcf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e52f7d5-cb46-4880-9b3a-279444078bcf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let torProxies=dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nimDns(domain_has_any=torProxies)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to ToR proxies (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "3fe3c520-04f1-44b8-8398-782ed21435f8"
+ }
+ }
+ ]
+}
\ No newline at end of file
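Review bot: The hard-coded list of ToR proxy domains in the `query` property is repeated verbatim in the non-normalized sibling rule added in the next patch (`DNS events related to ToR proxies.json`), so the two copies will drift the first time one of them is updated. Consider keeping the list in a Sentinel watchlist (`_GetWatchlist('<watchlist-name>')`) or a shared KQL function and referencing it from both rules; this rule already binds the list with `let torProxies = dynamic([...])`, so only the source of that binding would change. The sibling rule also filters `| where Name contains "."` before its `has_any`, which is redundant once the domain list itself is matched and can be dropped.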
From 4a5282147a6710074474d4347c7707332c03d3fd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:42 +0000
Subject: [PATCH 122/375] Exported file: DNS events related to ToR
proxies.json.json
---
.../DNS events related to ToR proxies.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
new file mode 100644
index 00000000..dce92719
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e0c16d9-b987-4982-8917-261b9b619c83')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e0c16d9-b987-4982-8917-261b9b619c83')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to ToR proxies",
+ "enabled": false,
+ "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.",
+ "alertRuleTemplateName": "a83ef0f4-dace-4767-bce3-ebd32599d2a0"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 11f8f15a0eace71fec1f74f54a9cea093ae0ee8e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:43 +0000
Subject: [PATCH 123/375] Exported file: DNS events related to mining pools
(Normalized DNS).json.json
---
...ated to mining pools (Normalized DNS).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
new file mode 100644
index 00000000..e374d5a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edec3f95-3e38-4140-a078-96c6bf105d1a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edec3f95-3e38-4140-a078-96c6bf105d1a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let minersDomains=dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\"]);\nimDns(domain_has_any=minersDomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to mining pools (Normalized DNS)",
+ "enabled": false,
+ "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "c094384d-7ea7-4091-83be-18706ecca981"
+ }
+ }
+ ]
+}
\ No newline at end of file
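Review bot: The `minersDomains` list in `query` contains duplicate entries (`supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice) and both `extrmepool.org` and `extremepool.org`; the duplicates are harmless to `has_any` but suggest the list was merged by hand, and whether the misspelled variant is an intentional indicator should be confirmed before it is kept. `mooo.com` looks like a general-purpose dynamic-DNS parent domain rather than a mining pool, so matching on it is likely to produce false positives once the rule is enabled — verify it against the source of the list. The same list, with the same duplicates, is repeated in the non-normalized `DNS events related to mining pools.json` in the next patch.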
From ea8f81a2c71f9123a2753d524c33e9119754c317 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:43 +0000
Subject: [PATCH 124/375] Exported file: DNS events related to mining
pools.json.json
---
.../DNS events related to mining pools.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools.json
diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools.json b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json
new file mode 100644
index 00000000..09a469a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a37d6c4a-630f-40f1-8ed7-85033c97b226')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a37d6c4a-630f-40f1-8ed7-85033c97b226')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "DNS events related to mining pools",
+ "enabled": false,
+ "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.",
+ "alertRuleTemplateName": "0d76e9cf-788d-4a69-ac7d-f234826b5bed"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ea0ca3903cd9b9eac4af02132d450d416ef70b02 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:44 +0000
Subject: [PATCH 125/375] Exported file: Detect PIM Alert Disabling
activity.json.json
---
.../Detect PIM Alert Disabling activity.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
diff --git a/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
new file mode 100644
index 00000000..9628cbd3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Detect PIM Alert Disabling activity",
+ "enabled": false,
+ "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access",
+ "alertRuleTemplateName": "1f3b4dfd-21ff-4ed3-8e27-afc219e05c50"
+ }
+ }
+ ]
+}
\ No newline at end of file
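Review bot: In `query`, `UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)` assigns the initiator's IP address to a column named `UserRoles`; the column is not in the following `project`, so it is dead, but the misleading alias should be removed or corrected. The pipeline also emits `ResourceCustomEntity = ResourceId`, yet `entityMappings` only maps `Account` and `IP`, so the resource whose PIM alert was disabled is never attached to the incident. Add a mapping with `"entityType": "AzureResource"` and a `fieldMappings` entry `{ "identifier": "ResourceId", "columnName": "ResourceCustomEntity" }` so analysts can pivot on the resource.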
From 244858178bc88982982f55644c72a7a1b359b77a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:45 +0000
Subject: [PATCH 126/375] Exported file: Dev-0228 File Path Hashes November
2021 - ASIM.json.json
---
...File Path Hashes November 2021 - ASIM.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
new file mode 100644
index 00000000..46c7c8c6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nimFileEvent\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\n// Increase risk score if recent alerts for the host\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Dev-0228 File Path Hashes November 2021 - ASIM",
+ "enabled": false,
+ "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization",
+ "alertRuleTemplateName": "29a29e5d-354e-4f5e-8321-8b39d25047bf"
+ }
+ }
+ ]
+}
\ No newline at end of file
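Review bot: `query` computes `AlertRiskScore` (1.0 or 0.5 from the Defender join, 0.0 otherwise) and the `description` tells analysts to triage by it, but nothing in `properties` surfaces the column — there is no `customDetails` or `alertDetailsOverride`, so the score is discarded when the alert is created. Adding `"customDetails": { "AlertRiskScore": "AlertRiskScore" }` next to `entityMappings` carries it into the alert. Matching hashes with `ActingProcessSHA256 has_any (FileHash1)` works for full SHA-256 strings but is a term search; `in~ (FileHash1)` states the exact-match intent more directly. The non-ASIM variant `Dev-0228 File Path Hashes November 2021.json` in the next patch has the same missing `customDetails` and the same `SHA256 has_any (...)` pattern.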
From 56f7af835d176b265f9136d76c0e03cf218817ff Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:46 +0000
Subject: [PATCH 127/375] Exported file: Dev-0228 File Path Hashes November
2021.json.json
---
...v-0228 File Path Hashes November 2021.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
new file mode 100644
index 00000000..55d5f3f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8931ab6f-b308-4242-9876-014014c6b8ff')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8931ab6f-b308-4242-9876-014014c6b8ff')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nDeviceProcessEvents\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\n| extend DvcId = DeviceId\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Dev-0228 File Path Hashes November 2021",
+ "enabled": false,
+ "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.",
+ "alertRuleTemplateName": "3b443f22-9be9-4c35-ac70-a94757748439"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8d8f8bb77ad474981005e00404c9ea2f3a844843 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:47 +0000
Subject: [PATCH 128/375] Exported file: Distributed Password cracking attempts
in AzureAD.json.json
---
...Password cracking attempts in AzureAD.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
new file mode 100644
index 00000000..ce24093f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by UserPrincipalName, Type \n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\n| distinct *\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Distributed Password cracking attempts in AzureAD",
+ "enabled": false,
+ "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or password, or invalid on-premises username or password.",
+ "alertRuleTemplateName": "bfb1c90f-8006-4325-98be-c7fffbc254d6"
+ }
+ }
+ ]
+}
\ No newline at end of file
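Review bot: In `query`, `Status = todynamic(DeviceDetail)` binds `Status` to the device detail object rather than the `Status` column, so `StatusCode = tostring(Status.errorCode)` and `StatusDetails` read the wrong object; both are unused after the `summarize`, so this is dead code today, but the line should read `Status = todynamic(Status)` or be removed. The `IP` entity mapping is fed from `IPCustomEntity = IPAddress` after `IPAddress = make_set(IPAddress)` and the later `extend tostring(IPAddress)`, so the `Address` identifier receives a JSON array of every address seen rather than a single IP and will not resolve to an IP entity. Either `mv-expand` the set before the final `extend` (one alert per address) or keep the per-user summary and pass the set through `customDetails` instead of an entity mapping; the `Account` mapping from `UserPrincipalName` is unaffected.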
From 82318b91ec809cb2e17d7647051aa31cb2b235da Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:48 +0000
Subject: [PATCH 129/375] Exported file: Duplicate Rule DisplayName 1
(1).json.json
---
.../Duplicate Rule DisplayName 1 (1).json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
new file mode 100644
index 00000000..ff5257a6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/927ca451-fe12-4de3-983d-bd50cc359b7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/927ca451-fe12-4de3-983d-bd50cc359b7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CampaignInfo",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "Duplicate Rule DisplayName 1",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
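Review bot: `"query": "CampaignInfo"` is a bare table read combined with `"triggerThreshold": 0` and `"enabled": true`, so every 5-hour run that finds any row in CampaignInfo opens a Medium incident with no entity mappings and an empty description. Given the display name "Duplicate Rule DisplayName 1" this looks like a fixture for a duplicate-name test; exporting it with `"enabled": false` would stop an import into a real workspace from generating noise, and if it is meant to be a detection it needs an actual filter and threshold. Note also that `"suppressionDuration": "PT5H"` has no effect while `"suppressionEnabled": false`, so the incident rate is bounded only by `queryFrequency`.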
From 78f264ffbc5e7d31f1ba90e372be54fe147a4f49 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:48 +0000
Subject: [PATCH 130/375] Exported file: Duplicate Rule DisplayName 1.json.json
---
.../Duplicate Rule DisplayName 1.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
new file mode 100644
index 00000000..75316020
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63d1052b-e396-4366-a76f-4665b4b8f319')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63d1052b-e396-4366-a76f-4665b4b8f319')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "Duplicate Rule DisplayName 1",
+ "enabled": true,
+ "description": "Duplicate Rule DisplayName 1",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
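Review bot: This rule carries the same `"displayName": "Duplicate Rule DisplayName 1"` as rule 927ca451-fe12-4de3-983d-bd50cc359b7f in the preceding patch while having its own id 63d1052b-e396-4366-a76f-4665b4b8f319, so anything that keys on the display name (automation-rule conditions, analyst views, a re-import that matches by name) is ambiguous between the two. If the duplication is deliberate as a test fixture, the `description` should say so rather than repeating the display name; otherwise give the rule a distinct name. As with its twin, the query is a bare `CommonSecurityLog` read with `"triggerThreshold": 0` and `"enabled": true`, which on any workspace ingesting CEF will open an incident every run; `"enabled": false` is the safer export default for a fixture.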
From 9958047651931c3ef3c02675b57d4b62248d9390 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:49 +0000
Subject: [PATCH 131/375] Exported file: Email access via active sync.json.json
---
.../Email access via active sync.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Email access via active sync.json
diff --git a/SentinelExported-AnalyticsRule/Email access via active sync.json b/SentinelExported-AnalyticsRule/Email access via active sync.json
new file mode 100644
index 00000000..2f367c0d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Email access via active sync.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/215089a8-4173-47cc-801b-56f449b9e978')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/215089a8-4173-47cc-801b-56f449b9e978')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet cmdList = dynamic([\"Set-CASMailbox\",\"ActiveSyncAllowedDeviceIDs\",\"add\"]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessCommandLine has_all (cmdList)\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| extend Type = strcat(Type, \": \", Source)\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Email access via active sync",
+ "enabled": false,
+ "description": "This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\n- Note that this query can be changed to use the KQL \"has_all\" operator, which hasn't yet been documented officially, but will be soon.\n In short, \"has_all\" will only match when the referenced field has all strings in the list.\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps",
+ "alertRuleTemplateName": "2f561e20-d97b-4b13-b02d-18b34af6e87c"
+ }
+ }
+ ]
+}
\ No newline at end of file
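Review bot: The `DeviceProcessEvents` branch filters only `InitiatingProcessCommandLine`, i.e. the parent's command line, whereas the `SecurityEvent` and Sysmon branches filter the created process's own `CommandLine`; a direct `powershell.exe` invocation of Set-CASMailbox that spawns no child process therefore has no row whose initiating command line contains the cmdlet and is missed. Consider `| where ProcessCommandLine has_all (cmdList) or InitiatingProcessCommandLine has_all (cmdList)` so both the direct and child-spawned cases are covered — I am reading the column semantics from their names, so confirm against the MDE schema. The description's sentence that the query "can be changed to use the KQL has_all operator" is stale relative to the query itself, which already uses `has_all` in all three branches, and should be dropped. Minor: the Sysmon branch uses `TimeGenerated > ago(timeframe)` where the other two use `>=`.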
From e33eca47d2e1cf810358c82cc95b7ef4987ea818 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:50 +0000
Subject: [PATCH 132/375] Exported file: Excessive Amount of Denied Connections
from a Single Source.json.json
---
...nied Connections from a Single Source.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
new file mode 100644
index 00000000..5a4748f5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42fd648-56d8-405b-8303-ecbf32e7f3be')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42fd648-56d8-405b-8303-ecbf32e7f3be')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 5000;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\" and Status =~ \"Deny\"\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Amount of Denied Connections from a Single Source",
+ "enabled": false,
+ "description": "This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.",
+ "alertRuleTemplateName": "3d645a88-2724-41a7-adea-db74c439cf79"
+ }
+ }
+ ]
+}
\ No newline at end of file
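Review bot: The result carries only `Src_IP` and a count, so an analyst cannot tell a host/port sweep across many destinations from one misconfigured client retrying a single blocked destination, and the `Impact` tactic is a doubtful fit for a deny flood that more often indicates reconnaissance (Discovery). If the SophosXGFirewall parser exposes destination address/port columns, adding them to the aggregation — e.g. `| summarize count(), DstCount = dcount(Dst_IP) by Src_IP, bin(TimeGenerated, 5m)` — gives the triage context and lets the threshold be tuned per pattern; the column names here are assumed and should be checked against the parser. Also note that `timestamp = TimeGenerated` after the `summarize` is the 5-minute bin start, not the time of the last denied connection.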
From bcd130372a5acdbabb9ffba7e4016f12189efc47 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:51 +0000
Subject: [PATCH 133/375] Exported file: Excessive Denied Proxy
Traffic.json.json
---
.../Excessive Denied Proxy Traffic.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
new file mode 100644
index 00000000..7ff20617
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 100;\nSymantecProxySG \n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Denied Proxy Traffic",
+ "enabled": false,
+ "description": "This alert creates an incident when a client generates an excessive amounts of denied proxy traffic.",
+ "alertRuleTemplateName": "7a58b253-0ef2-4248-b4e5-c350f15a8346"
+ }
+ }
+ ]
+}
\ No newline at end of file
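Review bot: The `summarize ... by c_ip, cs_host` makes the count per client-per-destination, so a client spraying denied requests across many different hosts — the pattern more typical of beaconing or deliberate filter evasion, which is what the `DefenseEvasion` tactic tag implies — is split into many small rows that may never cross `threshold = 100`. Summarizing by `c_ip` alone with `DeniedHosts = dcount(cs_host), Hosts = make_set(cs_host, 50)` would catch that case while still surfacing the single-host one. `HostCustomEntity = cs_host` maps the requested destination as a Host entity, which is easy to misread as an internal asset in entity-based grouping; if the destination is kept as an entity, the description should state that the Host is the blocked destination, not a source machine.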
From 9ede168d928362e1e372a63cc9c0c92cf1416e2f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:52 +0000
Subject: [PATCH 134/375] Exported file: Excessive Failed Authentication from
Invalid Inputs.json.json
---
...ed Authentication from Invalid Inputs.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
new file mode 100644
index 00000000..d8b18864
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6926bd2-1c73-494e-b193-b5853be6b838')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6926bd2-1c73-494e-b193-b5853be6b838')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Failed Authentication from Invalid Inputs",
+ "enabled": false,
+ "description": "Creates an incident in the event that a user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.",
+ "alertRuleTemplateName": "c775a46b-21b1-46d7-afa6-37e3e577a27b"
+ }
+ }
+ ]
+}
\ No newline at end of file
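Review bot: Counting `Reject` results `by User, ClientIP` only catches a single source hammering a single account; a password spray (one `ClientIP`, many users, a few attempts each) or a distributed attack on one user from many addresses never reaches `threshold = 15` for any single pair. A second aggregation such as `| summarize Total = count(), Users = dcount(User) by bin(TimeGenerated, 15m), ClientIP | where Total > threshold` (and its mirror keyed on `User`) would close those gaps, either unioned into this rule or as sibling rules. The description speaks of failures "due to invalid inputs", but `RADIUSAuth =~ "Reject"` matches any rejection the VIP gateway reports; if the parser exposes a reason field, filter on it, otherwise reword the description so analysts do not assume bad-credential semantics.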
From 3275cad4acf23ad03a146c7677a6c08fbbaf8185 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:53 +0000
Subject: [PATCH 135/375] Exported file: Excessive NXDOMAIN DNS Queries
(Normalized DNS).json.json
---
...NXDOMAIN DNS Queries (Normalized DNS).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
new file mode 100644
index 00000000..642acc92
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let threshold = 200;\nimDns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (imDns(responsecodename='NXDOMAIN')\n ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Excessive NXDOMAIN DNS Queries (Normalized DNS)",
+ "enabled": false,
+ "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains. \nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)",
+ "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851"
+ }
+ }
+ ]
+}
\ No newline at end of file
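Review bot: The `join kind=inner (imDns(responsecodename='NXDOMAIN')) on SrcIpAddr` fans the aggregated row back out to one row per raw NXDOMAIN event from the offending address, and because the join key omits the 15-minute bin it attaches every such event in the whole query period rather than only the bin that crossed `threshold = 200`; on a busy resolver that is thousands of rows per alert plus a second full parser invocation. Collecting evidence in the first pass instead — e.g. `| summarize count(), Queries = make_set(DnsQuery, 100) by SrcIpAddr, bin(TimeGenerated, 15m)` — and dropping the join keeps one bounded row per address and bin; confirm the ASIM column name for the queried name. The commented-out `//| where DnsResponseCodeName =~ "NXDOMAIN"` and the `isnotempty(DnsResponseCodeName)` check are redundant with the `responsecodename='NXDOMAIN'` parser argument and can be removed.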
From 58185071d68833e1a98295c7e01e681ccecef29d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:54 +0000
Subject: [PATCH 136/375] Exported file: Excessive NXDOMAIN DNS
Queries.json.json
---
.../Excessive NXDOMAIN DNS Queries.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
new file mode 100644
index 00000000..8a17da24
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/25bd255a-bf5e-4c83-b39f-fb8570442411')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/25bd255a-bf5e-4c83-b39f-fb8570442411')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 200;\nInfobloxNIOS\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n | where isnotempty(ResponseCode)\n | where ResponseCode =~ \"NXDOMAIN\"\n ) on Client_IP\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Excessive NXDOMAIN DNS Queries",
+ "enabled": false,
+ "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.",
+ "alertRuleTemplateName": "b8266f81-2715-41a6-9062-42486cbc9c73"
+ }
+ }
+ ]
+}
\ No newline at end of file
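Review bot: After `summarize count() by Client_IP, bin(TimeGenerated,15m)` the inner join on `Client_IP` alone re-attaches every NXDOMAIN row the address produced across the full hour, so an address that exceeded `threshold = 200` in one bin yields one result row per raw event, and `timestamp = TimeGenerated` then refers to the left side's bin start rather than the event time. If the raw rows are wanted, constrain the join to the bin by adding `| extend TimeGenerated = bin(TimeGenerated, 15m)` to the subquery and joining `on Client_IP, TimeGenerated`; otherwise replace the join with a `make_set()`/`dcount()` of the queried name in the summarize so the alert carries a bounded evidence list. The three `where` clauses on `ProcessName`, `Log_Type` and `ResponseCode` are duplicated verbatim in the subquery; a `let nxdomain = InfobloxNIOS | where ...;` would keep the two filters from drifting apart.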
From 98ebd5ee7ed7d8f51714c5a2e4b0735f1785e05e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:55 +0000
Subject: [PATCH 137/375] Exported file: Excessive Windows logon
failures.json.json
---
.../Excessive Windows logon failures.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
diff --git a/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
new file mode 100644
index 00000000..9d2bb8c5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5178c35e-cf89-4442-b41b-ff963659f9a5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5178c35e-cf89-4442-b41b-ff963659f9a5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 0.333;\nlet countlimit = 50;\nSecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4625 and AccountType =~ \"User\"\n| where IpAddress !in (\"127.0.0.1\", \"::1\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\n| join kind=leftouter (\n SecurityEvent \n | where TimeGenerated between (ago(starttime) .. ago(endtime))\n | where EventID == 4625 and AccountType =~ \"User\"\n | where IpAddress !in (\"127.0.0.1\", \"::1\")\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of 
sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| extend WorkstationName = iff(WorkstationName == \"-\" or isempty(WorkstationName), Computer , WorkstationName) \n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\n| order by sum_CountToday desc nulls last \n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Excessive Windows logon failures",
+ "enabled": false,
+ "description": "User has over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.",
+ "alertRuleTemplateName": "2391ce61-8c8d-41ac-9723-d945b2e90720"
+ }
+ }
+ ]
+}
\ No newline at end of file
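Review bot: `HostCustomEntity = WorkstationName` maps a column that is the source workstation when the 4625 event reports one and, via `iff(WorkstationName == "-" or isempty(WorkstationName), Computer, WorkstationName)`, the target computer otherwise, so the Host entity silently changes meaning between rows; since `Computer` is already collected as `make_set(Computer,128)`, keep source and target as separate columns and document in the description which one the Host entity represents. Source addresses are gathered into `IpAddressList` but no IP entity is mapped, and a dynamic array is unlikely to map cleanly; emitting a scalar such as `SourceIp = tostring(IpAddressList[0])` or one row per address would let entity grouping and watchlists act on the attacker IP. The exclusion `IpAddress !in ("127.0.0.1", "::1")` does not exclude `"-"`, which 4625 typically reports for local/console logons, so those still count toward `countlimit`; if that is intended, a one-line comment in the query would save the next reader the question.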
From d8735bad2484a1eb626574e8093257beb7506334 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:56 +0000
Subject: [PATCH 138/375] Exported file: Excessive number of failed connections
from a single source (ASIM Network Session schema).json.json
---
... source (ASIM Network Session schema).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
diff --git a/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
new file mode 100644
index 00000000..1471296f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7b90ebc-9243-4837-bc04-15808d6fffdf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7b90ebc-9243-4837-bc04-15808d6fffdf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let threshold = 5000;\nimNetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)",
+ "enabled": false,
+ "description": "This rule identifies that a single source generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.
This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).",
+ "alertRuleTemplateName": "4902eddb-34f7-44a8-ac94-8486366e9494"
+ }
+ }
+ ]
+}
\ No newline at end of file
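Review bot: The `description` value near the end of the hunk contains a raw line break inside the JSON string (the text continues on the following line with neither a `\n` escape nor a `+` marker), which RFC 8259 parsers reject; the sibling exports in this series escape embedded newlines as `\n` in the same field. If that is the file content rather than an artifact of how the patch was rendered, the ARM template will not load, and the exporter should emit `...less incidents will be generated.\nThis rule uses the ...` as a single escaped line. Separately, `groupByAlertDetails` and `groupByCustomDetails` are `null` here (and in the AuditLog, OAB, ProxyShell (1), IoC Match and MailItemsAccessed exports) while the second ProxyShell export writes `[]` for the same keys; one type per key, preferably the empty array, lets consumers iterate without a null check.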
From 50b5abdfd1aa551e744301326d31980753796945 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:56 +0000
Subject: [PATCH 139/375] Exported file: Exchange AuditLog disabled.json.json
---
.../Exchange AuditLog disabled.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
diff --git a/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
new file mode 100644
index 00000000..cfee7baa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7d192e4-4786-463b-acef-ae7ea5569a06')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7d192e4-4786-463b-acef-ae7ea5569a06')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where UserType in~ (\"Admin\",\"DcAdmin\") \n// Only admin or global-admin can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\" \n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Exchange AuditLog disabled",
+ "enabled": false,
+ "description": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt\nto evade detection or avoid other defenses.",
+ "alertRuleTemplateName": "194dd92e-d6e7-4249-85a5-273350a7f5ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
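Review bot: The query reads the audit-log setting by position, `array_slice(parse_json(Parameters),3,3)`, so the detection holds only while the cmdlet's parameters are logged in a fixed order and count; an invocation that records them differently is silently missed rather than flagged. Selecting the element by its parameter name (the query already reads `.Value` from the element, so matching on the element's name field for `AdminAuditLogEnabled` is the order-independent form) would make the match robust. `techniques` is `null` here although the second ProxyShell export in this series shows the field populated; a reference under the Impair Defenses technique (T1562) would give analysts the mapping the `DefenseEvasion` tactic alone does not.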
From 88db76c7e7dafd6e5baa26f7941b2854ea4d4890 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:57 +0000
Subject: [PATCH 140/375] Exported file: Exchange OAB Virtual Directory
Attribute Containing Potential Webshell.json.json
---
...tribute Containing Potential Webshell.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
diff --git a/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
new file mode 100644
index 00000000..0cb51c74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6e2aa27-43bc-45b2-b96d-48b735364839')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6e2aa27-43bc-45b2-b96d-48b735364839')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityEvent\n// Look for specific Directory Service Changes and parse data\n| where EventID == 5136\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion = array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\n// Where changes relate to Exchange OAB\n| extend ObjectClass = column_ifexists(\"ObjectClass\", \"\")\n| where ObjectClass =~ \"msExchOABVirtualDirectory\"\n// Look for InternalHostName or ExternalHostName properties being changed\n| extend AttributeLDAPDisplayName = column_ifexists(\"AttributeLDAPDisplayName\", \"\")\n| where AttributeLDAPDisplayName in (\"msExchExternalHostName\", \"msExchInternalHostName\")\n// Look for suspected webshell activity\n| extend AttributeValue = column_ifexists(\"AttributeValue\", \"\")\n| where AttributeValue has \"script\"\n| project-rename LastSeen = TimeGenerated\n| extend ObjectDN = column_ifexists(\"ObjectDN\", \"\")\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange OAB Virtual Directory Attribute Containing Potential Webshell",
+ "enabled": false,
+ "description": "This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns",
+ "alertRuleTemplateName": "faf1a6ff-53b5-4f92-8c55-4b20e9957594"
+ }
+ }
+ ]
+}
\ No newline at end of file
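Review bot: `techniques` is `null` although the description ties this rule to CVE-2021-27065 and web-shell deployment, and the second ProxyShell export in this series shows the field populated (`["T1190"]`); `"techniques": ["T1190", "T1505.003"]` would keep the exports consistent and surface the MITRE mapping in the incident view. The filter `where AttributeValue has "script"` is a single-term match, so the rule is only as precise as that term; the description could state that analysts are expected to review the full `AttributeValue` and `ObjectDN` rather than treat a hit as confirmed.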
From 34477e5a48227d20f2a2e5e646908d34ef1f6028 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:58 +0000
Subject: [PATCH 141/375] Exported file: Exchange SSRF Autodiscover ProxyShell
- Detection (1).json.json
---
...todiscover ProxyShell - Detection (1).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
new file mode 100644
index 00000000..f884c9ec
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26de50a-8f22-4454-ae13-6442ac7decad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26de50a-8f22-4454-ae13-6442ac7decad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT12H",
+ "queryPeriod": "PT12H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection",
+ "enabled": false,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95"
+ }
+ }
+ ]
+}
\ No newline at end of file
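Review bot: This rule duplicates the one in the next patch (`Exchange SSRF Autodiscover ProxyShell - Detection.json`): both carry `alertRuleTemplateName` `968358d6-6af8-49bb-aaa4-187b3067fb95` and the same KQL under different rule ids (`b26de50a-…` here, `64ce2f23-…` there). If both are enabled in the same workspace every hit raises two incidents, so the `(1)` copy should be retired or the reason for two instances recorded. In both copies the query emits `FileCustomEntity = FileUri` but `entityMappings` has no File entry, so the requested file path never becomes an entity; add `{ "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } ] }` if it is meant to be investigable.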
From b82a0d4b3777b5cb133f964681bcedca7cd85edf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:21:59 +0000
Subject: [PATCH 142/375] Exported file: Exchange SSRF Autodiscover ProxyShell
- Detection.json.json
---
...F Autodiscover ProxyShell - Detection.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
new file mode 100644
index 00000000..54b461bc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64ce2f23-eab3-4e96-899a-bd2403d21a86')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64ce2f23-eab3-4e96-899a-bd2403d21a86')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT12H",
+ "queryPeriod": "PT12H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "AzureResource",
+ "fieldMappings": [
+ {
+ "identifier": "ResourceId",
+ "columnName": "ResourceCustomEntity"
+ }
+ ]
+ }
+ ],
+ "templateVersion": "1.0.1",
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190"
+ ],
+ "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection",
+ "enabled": true,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
+ "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95"
+ }
+ }
+ ]
+}
\ No newline at end of file
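Review bot: `suppressionDuration` and `lookbackDuration` are both `PT5H`, but `suppressionEnabled` and grouping `enabled` are both `false`, so neither duration has any effect; the values only differ from the `(1)` copy of this template (`PT1H` / `PT5M`) in settings that are inert. Either enable the behaviour these durations configure or reset them to the defaults so the two exports of the same template differ only where intended. This is also the only rule in the series exported with `"enabled": true`, which is presumably deliberate but worth confirming given the duplicate.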
From df285bf79b5326a8df89317675e982eed4f60794 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:00 +0000
Subject: [PATCH 143/375] Exported file: Exchange Server Vulnerabilities
Disclosed March 2021 IoC Match.json.json
---
...lities Disclosed March 2021 IoC Match.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
diff --git a/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
new file mode 100644
index 00000000..d1e23e0c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb2153ae-e569-42cf-8467-40f05affa51f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb2153ae-e569-42cf-8467-40f05affa51f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = 
Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(VMConnection\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\n| where SourceIp in (ips) or DestinationIp in (ips)\n| extend IPMatch = case( SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend 
timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nDeviceNetworkEvents\n| where (RemoteIPType =~ \"Public\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\nDnsEvents\n| where SubType =~ \"LookupQuery\"\n| where Name has_any (domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n),\n(\nimDns(domain_has_any=domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Exchange Server Vulnerabilities Disclosed March 2021 IoC Match",
+ "enabled": false,
+ "description": "This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/",
+ "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305"
+ }
+ }
+ ]
+}
\ No newline at end of file
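Review bot: The `WindowsFirewall` branch of the union computes `IPMatch` but never extends `timestamp` or `IPCustomEntity`, so hits from that table produce alerts with no entity mapped (the only entry in `entityMappings` is `IPCustomEntity`); add `| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, DestinationIP)` to that branch, and the `CommonSecurityLog` file-hash branch likewise maps nothing. The IoC list is pulled with `externaldata` from a `master`-branch raw GitHub URL on every run, so an outage yields zero rows and the rule silently produces nothing, and the indicator set can change without review; pinning the URL to a commit or ingesting the list as threat-intelligence indicators would make the detection reproducible. The `Account` and `Host` custom entities set in several branches are not mapped either, which drops useful context from incidents.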
From 892bf070904ff91b663cabc682e3694b82e6ffa5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:00 +0000
Subject: [PATCH 144/375] Exported file: Exchange workflow MailItemsAccessed
operation anomaly.json.json
---
...w MailItemsAccessed operation anomaly.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
new file mode 100644
index 00000000..1611fad8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0021314-e49e-45d9-801f-e7bca20e9046')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0021314-e49e-45d9-801f-e7bca20e9046')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, score;\n// Joining the flagged outlier from the previous step with the original dataset to present contextual information\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\n OfficeActivity\n | where TimeGenerated > ago(2d)\n | extend DateHour = bin(TimeGenerated, 1h)\n | where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \n | where HourlyCount > 25 
// Only considering operations with more than 25 hourly count to reduce False Positivies\n | order by HourlyCount desc \n) on TimeGenerated\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\n| order by PercentofTotal desc \n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Exchange workflow MailItemsAccessed operation anomaly",
+ "enabled": false,
+ "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed",
+ "alertRuleTemplateName": "b4ceb583-4c44-4555-8ecf-39f572e827ba"
+ }
+ }
+ ]
+}
\ No newline at end of file
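Review bot: The in-query comment `// Filter Users with count of less than 5 percent of TotalEvents per Hour` contradicts the constant it documents, `let percentthreshold = 50;`, so a reader cannot tell which value is intended; align the comment with the constant (`// drop users below percentthreshold percent of the hour's total`) or change the constant. The output column `IPAdressList` is misspelled, which will trip anyone writing a workbook or hunting query against it; renaming it is safe only if no downstream consumer already references the current name. `techniques` is `null` here while the second ProxyShell export in this series populates the field.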
From 122020a423de19033a4a60f2e3ef2741aa2b8216 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:01 +0000
Subject: [PATCH 145/375] Exported file: Explicit MFA Deny.json.json
---
.../Explicit MFA Deny.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Explicit MFA Deny.json
diff --git a/SentinelExported-AnalyticsRule/Explicit MFA Deny.json b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json
new file mode 100644
index 00000000..441d5de3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Explicit MFA Deny",
+ "enabled": false,
+ "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.",
+ "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00"
+ }
+ }
+ ]
+}
\ No newline at end of file
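Review bot: The URL entity mapping (`"entityType": "URL"` → `URLCustomEntity`) is fed by `URLCustomEntity = ClientAppUsed` in the query, and `ClientAppUsed` in the AAD sign-in schema holds the client application type rather than a URL, so the mapped entity will not resolve to anything meaningful and can clutter URL entity pages in incidents. Either drop the URL entry from `entityMappings` or point `URLCustomEntity` at a column that actually carries a URL. `techniques` is `null` while `tactics` lists `CredentialAccess`; filling in the technique IDs the rule covers would make its MITRE coverage reportable.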
From c6f1b3c223bb5b79ce7ddfb26880bb6fc192a464 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:02 +0000
Subject: [PATCH 146/375] Exported file: External Upstream Source Added to
Azure DevOps Feed.json.json
---
...eam Source Added to Azure DevOps Feed.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
diff --git a/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
new file mode 100644
index 00000000..7091dc03
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\nlet allowed_sources = dynamic([\"NuGet Gallery\"]);\nlet allowed_locations = dynamic([\"https://api.nuget.org/v3/index.json\"]);\nAzureDevOpsAuditing\n// Look for feeds created or modified at either the organization or project level\n| where OperationName matches regex \"Artifacts.Feed.(Org|Project).Modify\"\n| where Details has \"UpstreamSources, added\"\n| extend FeedName = tostring(Data.FeedName)\n| extend FeedId = tostring(Data.FeedId)\n| extend UpstreamsAdded = Data.UpstreamsAdded\n// As multiple feeds may be added expand these out\n| mv-expand UpstreamsAdded\n// Only focus on external feeds\n| where UpstreamsAdded.UpstreamSourceType !~ \"internal\"\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\n| extend SourceName = tostring(UpstreamsAdded.Name)\n// Exclude sources and locations in the allow list\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\n| extend SourceStatus = tostring(UpstreamsAdded.Status)\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "External Upstream Source Added to Azure DevOps Feed",
+ "enabled": false,
+ "description": "The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.",
+ "alertRuleTemplateName": "adc32a33-1cd6-46f5-8801-e3ed8337885f"
+ }
+ }
+ ]
+}
\ No newline at end of file
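Review bot: The allow-list filter in the query, `| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)`, drops a row as soon as either the name or the location is allow-listed, so an upstream whose name matches an allowed entry but whose location does not is silently treated as known-good. The comment above it states the intent as excluding sources that are both in the allowed name and allowed location lists, which is `| where SourceLocation !in (allowed_locations) or SourceName !in (allowed_sources)`. The `OperationName matches regex "Artifacts.Feed.(Org|Project).Modify"` pattern leaves its dots unescaped; escaping them would make the match exact.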
From e2cb30afca7f4907c5490ee4c8676f16ac338e63 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:03 +0000
Subject: [PATCH 147/375] Exported file: External User Access Enabled.json.json
---
.../External User Access Enabled.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External User Access Enabled.json
diff --git a/SentinelExported-AnalyticsRule/External User Access Enabled.json b/SentinelExported-AnalyticsRule/External User Access Enabled.json
new file mode 100644
index 00000000..1d8faa74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External User Access Enabled.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a649754e-0850-48be-af9d-9ae66e282259')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nZoomLogs \n| where Event =~ \"account.settings_updated\" \n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\") \n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\", \n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\", \n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\", \n EnforceLoginDomain == 'false', \"Enfored Domains Changed\", \n GuestAlerts == 'false', \"Guest Join Alerts Changed\", \n EnforceLogin == 'false', \"Enforced Logins Changed\", \n \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External User Access Enabled",
+ "enabled": false,
+ "description": "This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.",
+ "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3"
+ }
+ }
+ ]
+}
\ No newline at end of file
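Review bot: `EnforceLogin` and `EnforceLoginDomain` both read the same column, `payload_object_settings_schedule_meeting_enfore_login_b`, so the two variables are always equal and the `case` branches that distinguish them (`"Enforced Logons and Restricted Domains Changed"`, `"Enforced Domains Changed"`, `"Enfored Domains Changed"`) can never be selected independently. The second `columnifexists` should name the domain-restriction setting column (`<DOMAIN_SETTING_COLUMN>`, whichever ZoomLogs field carries it — not visible here). Because `columnifexists(..., "")` defaults to an empty string, a misspelled column name never equals `'false'` and the rule goes quiet without error, so the `enfore` spelling in the column names is worth confirming against the actual ZoomLogs schema. `"Enfored Domains Changed"` in the `case` labels is also a typo of `Enforced`.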
From 4c074415ee5a09bf272527b448d4b3d5dc459f95 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:04 +0000
Subject: [PATCH 148/375] Exported file: External guest invitations by default
guest followed by Azure AD powershell signin.json.json
---
...ollowed by Azure AD powershell signin.json | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
diff --git a/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
new file mode 100644
index 00000000..35faf84e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/303d53fd-b132-45bc-9dc9-8852122a64b9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs \n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\",\"Invite external user with reset invitation status\")\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| where InitiatedByUser has_any (\"live.com#\", \"#EXT#\")\n| extend parsedUser = iff(InitiatedByUser has \"live.com#\", tostring(split(InitiatedByUser, \"#\")[1]),tostring(split(InitiatedByUser, \"#EXT#\")[1])) , InvitationTime = TimeGenerated\n| join ( \nSigninLogs \n| where UserType == \"Guest\" and AppDisplayName == \"Microsoft Azure PowerShell\"\n| extend SigninTime = TimeGenerated\n) on $left.parsedUser == $right.UserPrincipalName\n| project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName , IPAddress, UserType\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess",
+ "Persistence",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "External guest invitations by default guest followed by Azure AD powershell signin",
+ "enabled": false,
+ "description": "By default guests have capability to invite more external guest user, who can do suspicious Azure AD enumeration. This detection will first look at guests \ninviting external guests users who are then logging via Azure AD powershell after accpeting invitation.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/",
+ "alertRuleTemplateName": "acc4c247-aaf7-494b-b5da-17f18863878a"
+ }
+ }
+ ]
+}
\ No newline at end of file
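Review bot: This rule has no `entityMappings` block, and the final `project` keeps only the listed columns, so incidents raised from it carry no Account or IP entity even though `InitiatedByUser`, `parsedUser` and `IPAddress` are all available in the query. The join also enforces no ordering: the "followed by" in the display name is not checked, so a guest sign-in that precedes the invitation within the same day still matches; adding `| where SigninTime > InvitationTime` before the `project`, plus an `entityMappings` block mapping Account to `InitiatedByUser` and IP to `IPAddress`, would align the rule with its description. The description text contains the typo `accpeting`.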
From d6471fc50348552b8f43d1d23acde6cb6d162d04 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:05 +0000
Subject: [PATCH 149/375] Exported file: External user added and removed in
short timeframe.json.json
---
... added and removed in short timeframe.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
diff --git a/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
new file mode 100644
index 00000000..faba53c0
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/048acbb1-a65f-405e-b6bd-da47b59dffa7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n| join (\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberRemoved\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n) on UPN\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "External user added and removed in short timeframe",
+ "enabled": false,
+ "description": "This detection flags the occurances of external user accounts that are added to a Team and then removed within\none hour.",
+ "alertRuleTemplateName": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b"
+ }
+ }
+ ]
+}
\ No newline at end of file
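Review bot: The join in the query is on `UPN` only, so an external user added to one team and removed from a different team inside the window still matches, and the "within one hour" claim in the description is not enforced by the query — it holds only because `queryPeriod` is `PT1H`, while `TimeDeleted > TimeAdded` alone accepts any gap within that period. Joining on both keys, `) on UPN, TeamName`, and bounding the gap explicitly, `| where TimeDeleted > TimeAdded and TimeDeleted - TimeAdded <= 1h`, would make the behaviour match the description regardless of the schedule. `parse_json(Members)[0].UPN` also inspects only the first member of each event; if `Members` can hold more than one entry, an `mv-expand` over it would cover bulk additions.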
From d2c3530782e5f8024f8e45fb17652ec3024f98e1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:05 +0000
Subject: [PATCH 150/375] Exported file: Failed AWS Console logons but success
logon to AzureAD.json.json
---
...e logons but success logon to AzureAD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
new file mode 100644
index 00000000..9181a3df
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where EventName == \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize count() by SourceIpAddress\n| where count_ > signin_threshold\n| summarize make_list(SourceIpAddress);\n//See if any of those IPs have sucessfully logged into Azure AD.\nSigninLogs\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails) \n| extend Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AWS Console logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "910124df-913c-47e3-a7cd-29e1643fa55e"
+ }
+ }
+ ]
+}
\ No newline at end of file
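Review bot: The AAD half of the query selects failures, not successes: `| where ResultType !in ("0", "50125", "50140")` excludes the success code `0` (and the two interrupt codes), which contradicts the comment directly above it (`See if any of those IPs have sucessfully logged into Azure AD`) and the display name. It should read `| where ResultType in ("0", "50125", "50140")` — or `== "0"` if only clean successes are wanted — otherwise the rule reports IPs that failed on both sides and misses the credential-reuse case it describes. Minor inconsistency: the AWS side excludes only `127.0.0.1` while the sibling AAD rules also exclude `::1`.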
From 8064a8e30a73dfb5ad75404538568ae2336fd4b2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:06 +0000
Subject: [PATCH 151/375] Exported file: Failed AzureAD logons but success
logon to AWS Console, test-6_30_2022.json.json
---
... logon to AWS Console, test-6_30_2022.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
new file mode 100644
index 00000000..a21c7140
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/835a2032-8b67-4e89-a5c6-2d3c04526a70')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit your environment\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold\nlet aadFunc = (tableName:string){\nlet Suspicious_signins = \ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in (\"127.0.0.1\", \"::1\")\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\nSuspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet Suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into the AWS console\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult =~ \"Success\"\n| where SourceIpAddress in (Suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, UserIdentityUserName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to AWS Console, test-6/30/2022",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "643c2025-9604-47c5-833f-7b4b9378a1f5"
+ }
+ }
+ ]
+}
\ No newline at end of file
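Review bot: The display name `Failed AzureAD logons but success logon to AWS Console, test-6/30/2022` (and the file name) marks this as a test copy of the rule, yet it is exported alongside the production rules under its own rule ID. If it is meant to stay, the name should say what differs from the canonical rule; if not, removing it avoids an operator enabling a stale duplicate later. On the query itself, the inner `let Suspicious_signins` inside `aadFunc` and the outer `let Suspicious_signins` share a name, and the outer `summarize make_set(set_IPAddress)` aggregates a column of arrays; it is worth confirming in Log Analytics that the result is a flat set of IP strings, since `SourceIpAddress in (Suspicious_signins)` only works against that shape.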
From 7c32dc1ece2a136cc4f0710448188ef4cbdfba41 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:07 +0000
Subject: [PATCH 152/375] Exported file: Failed AzureAD logons but success
logon to host.json.json
---
...reAD logons but success logon to host.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
new file mode 100644
index 00000000..ea33b6f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit the environment\nlet signin_threshold = 5;\n//Make a list of all IPs with failed signins to AAD above our threshold\nlet aadFunc = (tableName:string){\nlet suspicious_signins =\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in ('127.0.0.1', '::1')\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\n//See if any of these IPs have sucessfully logged into *nix hosts\nlet linux_logons =\nSyslog\n| where Facility contains \"auth\" and ProcessName != \"sudo\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\n//See if any of these IPs have sucessfully logged into Windows hosts\nlet win_logons =\nSecurityEvent\n| where EventID == 4624\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| where IpAddress in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\nunion isfuzzy=true linux_logons,win_logons\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed AzureAD logons but success logon to host",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "8ee967a2-a645-4832-85f4-72b635bcb3a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
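Review bot: The Linux branch of the query projects no `Account` column (`| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason`), so after `union isfuzzy=true linux_logons,win_logons` the `AccountCustomEntity = Account` mapping is empty for every Syslog hit and the Account entity exists only for Windows logons. Adding an `extract()` over `SyslogMessage` in `linux_logons` that captures the user name after `Accepted … for` (pattern to be confirmed against the sshd message format in use) would populate it. Separately, because the whole host-logon search lives inside `aadFunc`, the final `union isfuzzy=true aadSignin, aadNonInt` can return the same host logon twice when an IP exceeds the threshold in both sign-in tables; the AWS variant of this rule unions the IP sets first and runs the target search once, which avoids that duplication.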
From 0dc5ed4480b02e19e0fdd7b12f9139dd2a7c01d8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:08 +0000
Subject: [PATCH 153/375] Exported file: Failed Logins from Unknown or Invalid
User.json.json
---
...d Logins from Unknown or Invalid User.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
diff --git a/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
new file mode 100644
index 00000000..bb0c0a75
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/432364d6-323c-41fb-a646-12ae79e3d321')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed Logins from Unknown or Invalid User",
+ "enabled": false,
+ "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name",
+ "alertRuleTemplateName": "884be6e7-e568-418e-9c12-89229865ffde"
+ }
+ }
+ ]
+}
\ No newline at end of file
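Review bot: The second `summarize count() by ... column_ifexists('published_t', now())` in the `query` value groups by the per-event publish time, so each output row normally covers a single event and its `count_` carries no aggregate meaning; the threshold is already enforced in `FailedLogins`, so grouping the outer summarize by `actor_alternateId_s, ClientIP, City, Country` (with `min()`/`max()` of the timestamp instead of the timestamp as a key) would produce one alert row per source and user rather than one per failed event. The `description` speaks of "the management console" while the query matches Okta `user.session.start` events with `VERIFICATION_ERROR`; a wording such as `"Identifies source IPs with more than 15 failed Okta sign-ins for the same user within a 5-minute window"` would describe what is actually detected. As with every exported rule in this series (the PATCH 154 through 158 hunks below), the template carries `"enabled": false` and `"techniques": null`, so deploying it as-is creates a disabled rule with no ATT&CK technique tag; if that is not intended, set `"enabled": true` and populate `techniques` (T1110 would fit the CredentialAccess tactic here).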
From cc69e006bc2168d5d2404aa53842b91b493d3b82 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:09 +0000
Subject: [PATCH 154/375] Exported file: Failed host logons but success logon
to AzureAD.json.json
---
...t logons but success logon to AzureAD.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
diff --git a/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
new file mode 100644
index 00000000..d6444aad
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed Windows host logins above threshold\nlet win_fails = \nSecurityEvent\n| where EventID == 4625\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| summarize count() by IpAddress\n| where count_ > signin_threshold\n| summarize make_list(IpAddress);\n//Make a list of IPs with failed *nix host logins above threshold\nlet nix_fails = \nSyslog\n| where Facility contains 'auth' and ProcessName != 'sudo'\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP != \"\" and SourceIP != \"127.0.0.1\"\n| summarize count() by SourceIP\n| where count_ > signin_threshold\n| summarize make_list(SourceIP);\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\n| extend Reason= \"Multiple failed host logins from IP address with successful Azure AD login\"\n| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed host logons but success logon to AzureAD",
+ "enabled": false,
+ "description": "Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.",
+ "alertRuleTemplateName": "1ce5e766-26ab-4616-b7c8-3b33ae321e80"
+ }
+ }
+ ]
+}
\ No newline at end of file
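Review bot: The sign-in filter inside `aadFunc` in the `query` value, `| where ResultType !in ("0", "50125", "50140")`, keeps failed and interrupted sign-ins and discards the successful ones, which contradicts the `displayName`, the `description` and the `Reason` string ("successful Azure AD login"); unless failures are really the intent, it should read `| where ResultType in ("0", "50125", "50140")`, matching the success set used by the sibling Azure Portal rule. `| extend timstamp = TimeGenerated` misspells the `timestamp` column that the other rules in this series set, and `Type = Type` is a no-op; `| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress` covers both. The `description` says the AAD sign-in happens "within the same timeframe", but the query only requires both events to fall inside the one-day `queryPeriod` and does not order them, so a sign-in that precedes the failed host logons also fires; if ordering matters, carry `min(TimeGenerated)` out of `win_fails`/`nix_fails` and filter on it. Note also that `win_fails` and `nix_fails` end in `summarize make_list(...)`, so `IPAddress in (win_fails)` compares a scalar against a single dynamic-array row; confirm this matches in the target workspace, otherwise end those lets with `| project IpAddress` (resp. `SourceIP`) so `in` consumes a scalar column.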
From 9b5c986bbf1bb93c1e761f57516bce397841e107 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:11 +0000
Subject: [PATCH 155/375] Exported file: Failed login attempts to Azure
Portal.json.json
---
...Failed login attempts to Azure Portal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
diff --git a/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
new file mode 100644
index 00000000..8746e489
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a203a1c1-5360-4d2b-a61e-7e02066ef891')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins \n) on UserPrincipalName, Id\n| where TimeGenerated > TimeGenerated1\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup \n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| 
project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed login attempts to Azure Portal",
+ "enabled": false,
+ "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. \nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.",
+ "alertRuleTemplateName": "223db5c1-1bf8-47d8-8806-bed401b356a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
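Review bot: The `failnoSuccess` step in the `query` value, `| where TimeGenerated > TimeGenerated1` after a `leftouter` join, drops the rows it is meant to keep: a failure with no matching success has a null `TimeGenerated1`, the comparison does not evaluate true, and the row is filtered out, so only failures that occur after a success on the same `Id` survive; `| where isnull(TimeGenerated1) or TimeGenerated > TimeGenerated1` keeps the unmatched failures as the preceding comment intends. The `isGUID` pattern `[0-9a-z]{8}-...` is applied with the case-sensitive `matches regex`, so identities rendered with uppercase hex are never tagged `Unresolved` and never pass through the name lookup; `[0-9a-fA-F]` (or a `(?i)` prefix) covers both forms. `Status = todynamic(DeviceDetail)` in the first `extend` is a copy-paste slip, harmless today only because the `strcat` on the next line overwrites `Status`, and `makelist`/`mvexpand` are the legacy spellings of `make_list`/`mv-expand`.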
From 033cd826d8081655edd77945468a3b1498e42b35 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:12 +0000
Subject: [PATCH 156/375] Exported file: Failed logon attempts by valid
accounts within 10 mins.json.json
---
...mpts by valid accounts within 10 mins.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
new file mode 100644
index 00000000..51f35ef7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let threshold = 20;\nSecurityEvent \n| where EventID == 4625\n| where AccountType =~ \"User\"\n| where SubStatus !='0xc0000064' and Account !in ('\\\\', '-\\\\-')\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\n| extend ResourceId = column_ifexists(\"_ResourceId\", _ResourceId), SourceComputerId = column_ifexists(\"SourceComputerId\", SourceComputerId)\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during 
Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\n| where FailedLogonCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts by valid accounts within 10 mins",
+ "enabled": false,
+ "description": "Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.",
+ "alertRuleTemplateName": "0777f138-e5d8-4eab-bec1-e11ddfbc2be2"
+ }
+ }
+ ]
+}
\ No newline at end of file
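Review bot: `SubStatus !='0xc0000064'` in the `query` value is a case-sensitive comparison, whereas every other `SubStatus` test in the same query uses the case-insensitive `=~` and the `case()` branch spells the value `'0xC0000064'`; if the column carries uppercase hex, the "account name does not exist" exclusion described by the adjacent comment never applies and those failures are counted toward the threshold, which undercuts the "valid accounts" scope in the `displayName`. Changing `!='0xc0000064'` to `!~ '0xc0000064'` aligns it with the rest of the query. The `description` hard-codes the 20-failure threshold that `let threshold = 20;` and `>= threshold` implement; if the threshold is tuned per environment, both places need updating together, so a note such as `"Threshold is set by the 'threshold' variable at the top of the query"` in the description would help.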
From 95c544a0f1999d71eca7781ca18b3af2b3f42452 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:13 +0000
Subject: [PATCH 157/375] Exported file: Failed logon attempts in
authpriv.json.json
---
.../Failed logon attempts in authpriv.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
new file mode 100644
index 00000000..b0cdc9f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nlet authfail = Syslog\n| where Facility =~ \"authpriv\" // looks at authpriv messages\n| where SyslogMessage contains \"authentication failure\" and SyslogMessage contains \" uid=0\"\n| parse SyslogMessage with * \"rhost=\" ExternalIP\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \nlet userfail = Syslog \n| where Facility =~ \"authpriv\" \n| where SyslogMessage contains \"user unknown\"\n| project TimeGenerated, Computer, HostIP, ProcessID;\n// Join the two log messages above\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\n// Extract the EventTime of the first logon attempt\nlet firstfail = userauthfail\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\n// Extract the EventTime of the last logon attempt\nlet lastfail = userauthfail\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\n// Count the number of failed logon attempts by External IP and internal machine\nlet totalfails = userauthfail\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), 
TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\n// Combine total attempts with timing data from above\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\n| order by DestinationHost asc nulls last;\nfinalfails \n| where TotalLogonAttempts >= threshold\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Failed logon attempts in authpriv",
+ "enabled": false,
+ "description": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.",
+ "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6"
+ }
+ }
+ ]
+}
\ No newline at end of file
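Review bot: The IP entity mapping is bound to the target rather than the source: `IPCustomEntity = DestinationIP` at the end of the `query` value maps the local `HostIP`, while the external address performing the failed logons (`SourceAddress`, parsed from `rhost=`) is not mapped at all, so incident grouping and IP enrichment act on the victim host's address instead of the source of the attempts. Adding `SourceIPCustomEntity = SourceAddress` to the final `extend` and a second `"entityType": "IP"` entry with `"columnName": "SourceIPCustomEntity"` under `entityMappings` would expose the source. Note also that `parse SyslogMessage with * "rhost=" ExternalIP` captures everything after `rhost=` to the end of the message, so any trailing fields on that line (e.g. a ` user=` field, if the PAM message carries one) end up inside `ExternalIP` and the joins on it will miss; terminating the parse with a following literal, or extracting the address with `extract`, keeps the value clean.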
From 6b722f0faa4b481804445adb619689b40ce25ee9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:13 +0000
Subject: [PATCH 158/375] Exported file: First access credential added to
Application or Service Principal where no credential was present.json.json
---
...cipal where no credential was present.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
diff --git a/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
new file mode 100644
index 00000000..b6d69ff1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f3f94d19-f440-483e-b11a-231f93731fe8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set == \"[]\"\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, 
targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "First access credential added to Application or Service Principal where no credential was present",
+ "enabled": false,
+ "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a"
+ }
+ }
+ ]
+}
\ No newline at end of file
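Review bot: `UserAgent = iff(AdditionalDetails[0].key == "User-Agent", ...)` in the `query` value only recovers the user agent when it is the first element of `AdditionalDetails`; in any other position the column is silently empty, which weakens triage of a High-severity alert. Selecting the element by key rather than by position (for example `mv-expand` `AdditionalDetails`, keep `key == "User-Agent"`, and `summarize` the value back onto the row) avoids the dependence on ordering. The filter `tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` also excludes credential additions initiated by a service principal unless its display name happens to contain "@", so automated or app-driven additions do not alert; if that scoping is deliberate, the `description` should say so (e.g. `"Only user-initiated additions are in scope; app-initiated additions are excluded by the '@' filter"`), otherwise the clause should be relaxed.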
From f79a2f5b3a247d02045b0d62d6ced6e5f6e19ec4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:14 +0000
Subject: [PATCH 159/375] Exported file: Fortinet - Beacon pattern
detected.json.json
---
.../Fortinet - Beacon pattern detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
diff --git a/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
new file mode 100644
index 00000000..ec5ccc3a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9862418-b01a-40d9-84e1-bece0e2e89bb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9862418-b01a-40d9-84e1-bece0e2e89bb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 1d;\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. - 0.2 = 20% jitter is tolerated either side of the periodicity\nlet PrivateIPregex = @\"^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.\"; // exclude destinations that fall into this category\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where TimeGenerated > ago(starttime)\n// eliminate bad data\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \"0.0.0.0\"\n// filter out deny, close, rst and SNMP to reduce data volume\n| where DeviceAction !in (\"close\", \"client-rst\", \"server-rst\", \"deny\") and DestinationPort != 161\n// map input fields\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// where destination IPs are public\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n// sort into source->destination 'sessions'\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\n| serialize\n// time diff the contact times between source and destination to get a list of deltas\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\n| extend TimeDeltainSeconds = datetime_diff(\"second\",nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\n// remove small time deltas below the set threshold\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, 
SentBytes, DeviceAction \n// summarize the deltas by source->destination\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\n// get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\n// expand the deltas and the outliers\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\n// replace outliers with the average of the distribution\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\n// summarize with the smoothed distribution\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\n// get stats on the smoothed distribution\n| extend series_stats(list_TimeDeltainSeconds_normalized)\n// match jitter tolerance on smoothed distrib\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\n// where the minimum beacon threshold is satisfied and there was some data transfer\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\n// final projection\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\n// where periodicity is order 
of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Fortinet - Beacon pattern detected",
+ "enabled": false,
+ "description": "Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\n detection is set to 4.\n Increase the lookback period to capture beacons with larger periodicities.\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\n automatically using series_outliers.\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.",
+ "alertRuleTemplateName": "3255ec41-6bd6-4f35-84b1-c032b18bbfcb"
+ }
+ }
+ ]
+}
\ No newline at end of file
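Review bot: `PrivateIPregex` in the `query` string classifies 169.254.0.0/16 link-local and 100.64.0.0/10 carrier-grade NAT destinations as "public", so periodic contact with those ranges is scored as beaconing and will surface as false positives; extending the alternation with `|^169\\.254\\.|^100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\\.` (backslashes doubled as they are inside this JSON string) keeps them out. The query also uses the legacy aliases `makelist`, `makeset` and `mvexpand`; the current spellings `make_list`, `make_set` and `mv-expand` are what the Sentinel editor documents. `"techniques": null` leaves the MITRE mapping half done even though `"tactics"` names CommandAndControl, so populating it would help triage.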
From 821d47e8d2d14fc3d51f775223e2aa6483937e68 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:15 +0000
Subject: [PATCH 160/375] Exported file: Full Admin policy created and then
attached to Roles, Users or Groups.json.json
---
...en attached to Roles, Users or Groups.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
diff --git a/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
new file mode 100644
index 00000000..daa33fc5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74a06942-f4b8-440a-bcbb-829dc41948ba')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74a06942-f4b8-440a-bcbb-829dc41948ba')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\nlet createPolicy = \"CreatePolicy\";\nlet timeframe = 1d;\nlet lookback = 14d;\n// Creating Master table with all the events to use with materialize for better performance\nlet EventInfo = AWSCloudTrail\n| where TimeGenerated >= ago(lookback)\n| where EventName in (EventNameList) or EventName == createPolicy;\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\nlet FullAdminPolicyEvents = materialize( EventInfo\n| where TimeGenerated >= ago(lookback)\n| where EventName == createPolicy\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n| mvexpand Statement\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\n| mvexpand Action\n| extend Action = tostring(Action)\n| where Effect =~ \"Allow\" and Action == \"*\" and Resource == \"*\"\n| distinct TimeGenerated, EventName, PolicyName, SourceIpAddress, UserIdentityArn, UserIdentityUserName\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| project-rename StartTime = TimeGenerated );\nlet PolicyAttach = materialize( EventInfo\n| where TimeGenerated >= ago(timeframe)\n| where EventName in (EventNameList)\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\n| extend AttachEvent = pack(\"StartTime\", StartTime, 
\"EndTime\", EndTime, \"EventName\", EventName, \"UserIdentityType\", UserIdentityType, \"UserIdentityArn\", UserIdentityArn, \"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\n);\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\nFullAdminPolicyEvents\n| join kind=leftouter\n(\n PolicyAttach\n)\non PolicyName\n| project-away PolicyName1\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Full Admin policy created and then attached to Roles, Users or Groups",
+ "enabled": false,
+ "description": "Identity and Access Management (IAM) securely manages access to AWS services and resources. \nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html",
+ "alertRuleTemplateName": "826bb2f8-7894-4785-9a6b-a8a855d8366f"
+ }
+ }
+ ]
+}
\ No newline at end of file
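Review bot: `Resource = tostring(parse_json(Statement).Resource)` in the `query` string only matches a statement whose `Resource` is the bare string `"*"`; an IAM policy may give it as an array such as `["*"]`, and `tostring()` of that array is the literal `["*"]`, so a full-admin statement written in array form slips past `Resource == "*"`. Expanding it the way `Action` is expanded closes the gap: keep `Resource = parse_json(Statement).Resource` dynamic in the `extend`, then add `| mvexpand Resource` and `| extend Resource = tostring(Resource)` ahead of the `where Effect =~ "Allow"` line. The `join kind=leftouter` against `PolicyAttach` also keeps policies that were created but never attached, which is wider than the displayName "created and then attached" suggests — confirm that is intended and, if so, say so in the description.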
From 074262e97a656350f3c98c908e50bf03f87d5b8b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:16 +0000
Subject: [PATCH 161/375] Exported file: Gain Code Execution on ADFS Server via
Remote WMI Execution.json.json
---
... ADFS Server via Remote WMI Execution.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
new file mode 100644
index 00000000..533e89ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n| union isfuzzy=true (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n| distinct Computer);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| where CommandLine has_any ('rundll32') \n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 and LogonType == 3\n| where Account !endswith \"$\"\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n// Check for WMI Events\n| 
where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| project TimeGenerated, EventType, Image, Computer, UserName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Gain Code Execution on ADFS Server via Remote WMI Execution",
+ "enabled": false,
+ "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\n Failed to resolve scalar expression named \"[@Name]\"\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml",
+ "alertRuleTemplateName": "0bd65651-1404-438b-8f63-eecddcec87b4"
+ }
+ }
+ ]
+}
\ No newline at end of file
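Review bot: The lateral-movement join in the SecurityEvent branch of the `query` string reduces the 4624 side to `| project TargetLogonId`, so the alert row never carries where the network logon came from, which is the first thing a responder needs; `| project TargetLogonId, IpAddress, WorkstationName` would add the source host at no cost since join output includes the right-side columns. The Sysmon branch (EventID 19/20/21) has no equivalent logon correlation, so any WMI subscription created on an ADFS server fires — that may be deliberate, but a sentence in the description saying so would help tuning. `has_any ('rundll32')` with a single term reads more plainly as `has 'rundll32'`.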
From d8b147a9b63b637999b0f4065dc27c53160667b6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:16 +0000
Subject: [PATCH 162/375] Exported file: Gain Code Execution on ADFS Server via
SMB + Remote Service or Scheduled Task.json.json
---
...MB + Remote Service or Scheduled Task.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
new file mode 100644
index 00000000..dd9c9768
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf490122-cedd-48e7-ba93-246d9ba9bfae')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf490122-cedd-48e7-ba93-246d9ba9bfae')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where Account !endswith \"$\"\n// Check for scheduled task events\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\n| extend EventDataParsed = parse_xml(EventData)\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\"#text\"])\n// Check specifically for access to IPC$ share and PIPE\\svcctl and PIPE\\atsvc for Service Control Services and Schedule Control Services\n| union ( \n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n | where Account !endswith \"$\"\n | where EventID == 5145\n | where RelativeTargetName =~ \"svcctl\" or RelativeTargetName =~ \"atsvc\"\n)\n// Check for lateral movement\n| join kind=inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Account !endswith \"$\"\n| where EventID == 4624 and LogonType == 3\n) on $left.SubjectLogonId == $right.TargetLogonId\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task",
+ "enabled": false,
+ "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.",
+ "alertRuleTemplateName": "12dcea64-bec2-41c9-9df2-9f28461b1295"
+ }
+ }
+ ]
+}
\ No newline at end of file
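Review bot: `SubjectLogonId = tostring(EventDataParsed.EventData.Data[3]["#text"])` in the `query` string selects the logon id by position, so if the field order differs for any of the events in `EventID in (4697, 4698, 4699, 4700, 4701, 4702)` the value is silently empty and the later inner join drops the event; selecting the `Data` element whose `['@Name']` is `"SubjectLogonId"` is robust against that. The `SecurityEvent` table already exposes a `SubjectLogonId` column, so confirm against live data whether the XML override is needed at all. The 5145 branch matches `RelativeTargetName` only; the comment above it mentions the IPC$ share, but no `ShareName` check is applied, which the description could state explicitly.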
From 4851f6f22c8adb2d09372b3d8f0c8a748dd97083 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:17 +0000
Subject: [PATCH 163/375] Exported file: GitHub Activites from a New
Country.json.json
---
.../GitHub Activites from a New Country.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
new file mode 100644
index 00000000..39ec52a6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAudit\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Activites from a New Country",
+ "enabled": false,
+ "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.",
+ "alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546"
+ }
+ }
+ ]
+}
\ No newline at end of file
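Review bot: `queryFrequency` is `P1D`, but the detection window in the `query` string is `between (ago(StartTime) .. ago(EndRunTime))` with `StartTime = 1h` and `RunTime = 1h`, i.e. only the most recent hour, so roughly 23 of every 24 hours of activity are never evaluated; either schedule the rule hourly (`"queryFrequency": "PT1H"`) or set `let RunTime = 1d;` and `let StartTime = 1d;` to match the schedule. `set_Country !contains Country` is a substring test on the serialized set, so a country name contained in another one the user has visited is wrongly treated as already seen; `| where not(set_has_element(set_Country, Country))` is the exact membership test. `EndLearningTime` reaches back `7d + 1h`, slightly beyond the `P7D` `queryPeriod`, so the oldest hour of the learning window is never available.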
From 37d07dcf900de333f1da81957b12d2fca2330659 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:18 +0000
Subject: [PATCH 164/375] Exported file: GitHub Security Vulnerability in
Repository.json.json
---
... Security Vulnerability in Repository.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
new file mode 100644
index 00000000..f3242ab7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1e944163-f959-46f8-9760-95a54652437b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1e944163-f959-46f8-9760-95a54652437b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Informational",
+ "query": "\nGitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": null,
+ "techniques": null,
+ "displayName": "GitHub Security Vulnerability in Repository",
+ "enabled": false,
+ "description": "This alerts when there is a new security vulnerability in a GitHub repository.",
+ "alertRuleTemplateName": "5436f471-b03d-41cb-b333-65891f887c43"
+ }
+ }
+ ]
+}
\ No newline at end of file
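Review bot: `"tactics": null` together with the absence of `entityMappings` means this rule's alerts carry no MITRE context and no entities for incident grouping, unlike the sibling GitHub rules in this series; mapping the repository or `Link` as an entity would give analysts something to pivot on. The projected column `DismmisedAt` looks like a misspelling of `DismissedAt` — confirm the name against the `GitHubRepo` table schema, since a column that does not exist fails the query rather than returning empty. The query also does not filter on the dismissal timestamp, so a finding that has already been dismissed can still produce an alert if its record is re-ingested.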
From 8c412493fc36fb48f6d0411f15dd9697c14605eb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:19 +0000
Subject: [PATCH 165/375] Exported file: GitHub Signin Burst from Multiple
Locations.json.json
---
... Signin Burst from Multiple Locations.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
new file mode 100644
index 00000000..2425d232
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName == \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > 1\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Signin Burst from Multiple Locations",
+ "enabled": false,
+ "description": "This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).",
+ "alertRuleTemplateName": "d3980830-dd9d-40a5-911f-76b44dfdce16"
+ }
+ }
+ ]
+}
\ No newline at end of file
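Review bot: `aadFunc` in the `query` string summarizes `Location` per source table (`by UserPrincipalName, Type`) and the two results are only unioned afterwards, so a user whose sign-ins in the hour come from one location in `SigninLogs` and another in `AADNonInteractiveUserSignInLogs` never reaches `CountOfLocations > 1`. Unioning the two tables first (`union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs`), then applying the `AppDisplayName`/`ResultType` filters and a single `summarize` without `Type` in the `by` clause, evaluates the burst across both sign-in types. `dcount(Location) > 1` inside a `PT1H` window will also flag a legitimate VPN or mobile hand-off, so a minimum sign-in count or an allow-list of expected locations is the usual tuning lever and worth noting in the description.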
From db7e8392348fe082d463a80d54a1911faf23b007 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:20 +0000
Subject: [PATCH 166/375] Exported file: GitHub Two Factor Auth
Disable.json.json
---
.../GitHub Two Factor Auth Disable.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
diff --git a/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
new file mode 100644
index 00000000..f8a9e188
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nGitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Two Factor Auth Disable",
+ "enabled": false,
+ "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ",
+ "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7"
+ }
+ }
+ ]
+}
\ No newline at end of file
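Review bot: The schedule at `"queryFrequency": "P1D"` / `"queryPeriod": "P1D"` means an organisation-wide two-factor requirement being switched off can sit unnoticed for up to a day, which is a long window for the defence-evasion action the description itself flags as attacker behaviour. The audit event is rare and cheap to query, so `"queryFrequency": "PT1H"` and `"queryPeriod": "PT1H"` would be reasonable, and `"severity": "High"` better reflects removing MFA enforcement for a whole org than the exported `"severity": "Medium"`. `"techniques": null` leaves the rule without an ATT&CK technique even though a tactic is set; something like T1556 (Modify Authentication Process) looks like the fit, to be confirmed against the upstream template. Note the rule is exported with `"enabled": false`, so importing this template as-is deploys it switched off.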
From 0e67ba9d69d6726a3dd515428864e5a5b4459b77 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:21 +0000
Subject: [PATCH 167/375] Exported file: Group created then added to built in
domain local or global group.json.json
---
...built in domain local or global group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
new file mode 100644
index 00000000..c85532e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36af90d3-daf0-4785-a195-afa11219595f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet GroupAddition = SecurityEvent \n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group \n| where EventID in (\"4728\", \"4732\", \"4756\") \n| where AccountType =~ \"User\" and MemberName == \"-\"\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\nlet GroupCreated = SecurityEvent\n// 4727 - A security-enabled global group was created\n// 4731 - A security-enabled local group was created\n// 4754 - A security-enabled universal group was created\n| where EventID in (\"4727\", \"4731\", \"4754\")\n| where AccountType =~ \"User\"\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\nGroupCreated\n| join (\nGroupAddition\n) on GroupSid \n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Group created then added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \nEnterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.",
+ "alertRuleTemplateName": "a7564d76-ec6b-4519-a66b-fcc80c42332b"
+ }
+ }
+ ]
+}
\ No newline at end of file
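Review bot: The `GroupCreated | join (GroupAddition) on GroupSid` pairing in the query has no ordering constraint, so nothing in the logic actually requires the addition to happen after the creation; adding `| where GroupAddTime >= GroupCreateTime` after the join makes the "created then added" sequence in the display name explicit and costs nothing. Both legs also share the single one-hour window set by `"queryPeriod": "PT1H"`, so a group created and then added to a privileged group more than an hour apart is never joined; if that gap matters, widen `queryPeriod` and restrict only the GroupAddition leg with `| where TimeGenerated > ago(1h)` so earlier creations are not re-alerted on every run. The SID regexes are end-anchored only, which is acceptable here because `matches regex` is a search and every value in `TargetSid` begins with `S-1-5`.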
From ebcb4c03b795e4749d42b6f3818f1c93f6f91175 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:21 +0000
Subject: [PATCH 168/375] Exported file: HAFNIUM New UM Service Child
Process.json.json
---
.../HAFNIUM New UM Service Child Process.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
new file mode 100644
index 00000000..41dbee52
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17cf26a4-edee-458d-a467-5933e8c1a1aa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM New UM Service Child Process",
+ "enabled": false,
+ "description": "This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9"
+ }
+ }
+ ]
+}
\ No newline at end of file
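Review bot: The `join kind=rightanti ... on NewProcessName` baselines by process name alone, so a child process seen under the UM service on any one server during the 14-day window suppresses alerts for that name on every other server; if per-host baselining is intended, join `on NewProcessName, Computer`. The `let lookback = 14d;` and `let timeframe = 1d;` literals duplicate `"queryPeriod": "P14D"` and `"queryFrequency": "P1D"`, so changing the schedule in the portal silently desynchronises the baseline/detection split; a comment in the query saying the two must be kept in step would help the next maintainer. `IPCustomEntity = IpAddress` is taken from the 4688 event, which presumably carries no source address for local process creation, so that entity will mostly be empty — harmless, but worth confirming before relying on it for incident grouping.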
From a40ce15016c57db87d3919c67dd3b6a42e81bf51 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:22 +0000
Subject: [PATCH 169/375] Exported file: HAFNIUM Suspicious Exchange
Request.json.json
---
.../HAFNIUM Suspicious Exchange Request.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
new file mode 100644
index 00000000..ada898a7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b67df71-a90e-424c-8725-e7f9574d716f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let exchange_servers = (\nW3CIISLog\n| where TimeGenerated > ago(14d)\n| where sSiteName =~ \"Exchange Back End\"\n| summarize by Computer);\nW3CIISLog\n| where TimeGenerated > ago(1d)\n| where Computer in (exchange_servers)\n| where csUriQuery startswith \"t=\"\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious Exchange Request",
+ "enabled": false,
+ "description": "This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "23005e87-2d3a-482b-b03d-edbebd1ae151"
+ }
+ }
+ ]
+}
\ No newline at end of file
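Review bot: `AccountCustomEntity = csUserName` will map a bogus account named `-` for unauthenticated hits, since W3C-format IIS logs normally write `-` for an absent user and the pattern being hunted here is largely pre-authentication; `AccountCustomEntity = iif(csUserName == "-", "", csUserName)` keeps the Account entity clean. The `csUriQuery startswith "t="` filter is applied to every IIS site on the hosts discovered via `sSiteName =~ "Exchange Back End"`, not just the Exchange front end, so any application on those servers whose first query parameter is `t` will trigger; scoping on `csUriStem` or `sSiteName` to the paths discussed in the referenced post would cut noise. The `ago(14d)` server discovery and the `ago(1d)` main filter both depend on `"queryPeriod": "P14D"` staying as exported, which is worth a note in the description.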
From 07d58237177557de7913e650d584ee41f2b1fc18 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:23 +0000
Subject: [PATCH 170/375] Exported file: HAFNIUM Suspicious File
Downloads_.json.json
---
.../HAFNIUM Suspicious File Downloads_.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
new file mode 100644
index 00000000..cbeb0997
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68b67702-32ef-41ac-a8b2-f793d9689274')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious File Downloads.",
+ "enabled": false,
+ "description": "This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "03e04c97-8cae-48b3-9d2f-4ab262e4ffff"
+ }
+ }
+ ]
+}
\ No newline at end of file
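Review bot: `Extension in (scriptExtensions)` in the query is a case-sensitive comparison, so a download named `shell.ASPX` or `x.Php` is classified `InteractiveFile = "No"` and would be dropped entirely once the commented-out `| where InteractiveFile =~ "Yes"` filter is enabled; use `iif(Extension in~ (scriptExtensions), "Yes", "No")` so the list is matched case-insensitively, as Windows file names are. As exported the filter stays commented out, so every `Download failed and temporary file` message becomes an alert; that is a defensible incident-time default but deserves a sentence in the description next to the custom-table requirement. The `split(File, ".")[-1]` fallback returns the whole name when there is no dot, so `Extension` then becomes `.<filename>` — harmless for the match, but confusing in the alert output.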
From 70d5f607084bc83ee259222a7a1e4bce659e379d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:24 +0000
Subject: [PATCH 171/375] Exported file: HAFNIUM Suspicious UM Service
Error.json.json
---
.../HAFNIUM Suspicious UM Service Error.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
new file mode 100644
index 00000000..e45f5345
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a814a61a-672f-431f-9b2b-869e9bcaa534')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "Event\n| where EventLog =~ \"Application\"\n| where Source startswith \"MSExchange\"\n| where EventLevelName =~ \"error\"\n| where (RenderedDescription startswith \"Watson report\" and RenderedDescription contains \"umworkerprocess\" and RenderedDescription contains \"TextFormattingRunProperties\") or RenderedDescription startswith \"An unhandled exception occurred in a UM worker process\" or RenderedDescription startswith \"The Microsoft Exchange Unified Messaging service\" or RenderedDescription contains \"MSExchange Unified Messaging\"\n| where RenderedDescription !contains \"System.OutOfMemoryException\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM Suspicious UM Service Error",
+ "enabled": false,
+ "description": "This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "0625fcce-6d52-491e-8c68-1d9b801d25b9"
+ }
+ }
+ ]
+}
\ No newline at end of file
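Review bot: The final disjunct `or RenderedDescription contains "MSExchange Unified Messaging"` matches any error-level event that mentions the UM service at all, which largely subsumes the three more specific conditions before it and turns the rule into "any UM error except OutOfMemory"; that is presumably why it was exported at `"severity": "Low"`, but it will be noisy on busy UM deployments. If the intent is the exploitation crash signature, drop that clause or combine it with the `umworkerprocess` / `TextFormattingRunProperties` terms rather than leaving it as a catch-all. Since `contains` and `startswith` are case-insensitive in KQL, the remaining string matches are fine as written.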
From a27c493bfc0ecad55b547c91486c8e887c20d809 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:24 +0000
Subject: [PATCH 172/375] Exported file: HAFNIUM UM Service writing suspicious
file.json.json
---
...UM UM Service writing suspicious file.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
diff --git a/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
new file mode 100644
index 00000000..c3bd2707
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "HAFNIUM UM Service writing suspicious file",
+ "enabled": false,
+ "description": "This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e"
+ }
+ }
+ ]
+}
\ No newline at end of file
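Review bot: The `entityMappings` for this rule map only `IPCustomEntity`, although the query populates `AccountCustomEntity` and `HostCustomEntity` in all three union branches and `IPCustomEntity` in only two, so alerts from the `imFileEvent` branch carry no entity at all and even the SecurityEvent/DeviceFileEvents hits lose the host and account that matter most for a webshell write. The sibling HAFNIUM rules in this series map all three; add the same Account and Host mappings ahead of the existing IP mapping, which stays as it is. `AccessMask in ('0x2','0x100','0x10','0x4')` is a plain string comparison, so any other spelling of the mask in the 4663 event (for example without the `0x` prefix) would silently not match; worth confirming against the data the workspace actually receives.

```json
      "entityMappings": [
        {
          "entityType": "Account",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "AccountCustomEntity" }
          ]
        },
        {
          "entityType": "Host",
          "fieldMappings": [
            { "identifier": "FullName", "columnName": "HostCustomEntity" }
          ]
        },
```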
From 4fed4653ad365d790b4604b85aaaa8974b827d8f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:25 +0000
Subject: [PATCH 173/375] Exported file: High Number of Urgent Vulnerabilities
Detected (1).json.json
---
...f Urgent Vulnerabilities Detected (1).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
new file mode 100644
index 00000000..500a2085
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| where Detections_s.Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "be52662c-3b23-435a-a6fa-f39bdfc849e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
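Review bot: `Detections_s.Severity == "5"` compares a dynamic property against a string literal, and as far as I recall a dynamic holding the number 5 does not compare equal to the string `"5"` in KQL, so if the Qualys payload is ingested with a numeric severity this rule never fires; `tostring(Detections_s.Severity) == "5"` is robust to either encoding and is worth checking against a sample `QualysHostDetection_CL` row. This rule and the next one in the series share the display name `High Number of Urgent Vulnerabilities Detected`, so a workspace that imports both will show indistinguishable incidents sourced from two different tables. Note the rule is exported with `"enabled": false`.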
From 061b2105ae9c414a1113f406032c92a85152d9ab Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:26 +0000
Subject: [PATCH 174/375] Exported file: High Number of Urgent Vulnerabilities
Detected.json.json
---
...er of Urgent Vulnerabilities Detected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
new file mode 100644
index 00000000..2cdfbc25
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "3edb7215-250b-40c0-8b46-79093949242d"
+ }
+ }
+ ]
+}
\ No newline at end of file
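Review bot: `"displayName": "High Number of Urgent Vulnerabilities Detected"` duplicates the name of the preceding rule in this series, which reads the older `QualysHostDetection_CL` table; once both are enabled, analysts cannot tell from an incident which connector produced it. Suffixing this one, for example `"displayName": "High Number of Urgent Vulnerabilities Detected (V2)"`, keeps them apart without touching the query. The `threshold` of 10 is a raw `count()` over the one-hour `"queryPeriod"`, so whether the connector re-sends the same detection each run determines if the rule means ten distinct findings or ten repeats of one; a `dcount()` over a detection identifier, if the V2 schema exposes one, would make the count mean distinct vulnerabilities.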
From df468444505d77662bd154b1900be368cfc226a4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:27 +0000
Subject: [PATCH 175/375] Exported file: High Urgency Cyberpion Action
Items.json.json
---
.../High Urgency Cyberpion Action Items.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
diff --git a/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
new file mode 100644
index 00000000..cd614521
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe)\n | summarize max(bin(TimeGenerated, time_generated_bucket))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Urgency Cyberpion Action Items",
+ "enabled": false,
+ "description": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered using the \"min_urgency\" variable in the query.",
+ "alertRuleTemplateName": "8e0403b1-07f8-4865-b2e9-74d1e83200a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
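Review bot: The query ends with `| extend DNSCustomEntity = host_s` but the resource has no `entityMappings` block, so unlike the other rules in this series the alert carries no entity, and `matchingMethod: AllEntities` and entity-based investigation have nothing to work with. The `DNSCustomEntity` name follows the legacy custom-entity convention, which presumably was meant to become a DNS mapping on export — confirm against the template `8e0403b1-07f8-4865-b2e9-74d1e83200a4`. If that is the intent, add an `entityMappings` entry before `tactics` mapping the DNS entity's `DomainName` identifier to `DNSCustomEntity`.
```json
      "entityMappings": [
        {
          "entityType": "DNS",
          "fieldMappings": [
            {
              "identifier": "DomainName",
              "columnName": "DNSCustomEntity"
            }
          ]
        }
      ],
      "tactics": [
```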
From 998fb1eb241d74b3bf1942a66842f1182bd41835 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:27 +0000
Subject: [PATCH 176/375] Exported file: High count of connections by client IP
on many ports.json.json
---
...onnections by client IP on many ports.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
diff --git a/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
new file mode 100644
index 00000000..be38502a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 10m;\nlet portThreshold = 30;\nW3CIISLog\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - 
https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of attempts by client IP on many ports\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| extend portCount = arraylength(set_sPort)\n| where portCount >= portThreshold\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\n| order by portCount\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of connections by client IP on many ports",
+ "enabled": false,
+ "description": "Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \nThis could also simply indicate a misconfigured service or device.\nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "44a555d8-ecee-4a25-95ce-055879b4b14b"
+ }
+ }
+ ]
+}
\ No newline at end of file
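Review bot: `makeset(sPort)` appears twice in the `summarize` on the query line, so the same set is computed and emitted twice; drop the second occurrence and keep the single `set_sPort` that `arraylength(set_sPort)` and the `project` consume. Kusto will presumably either auto-rename the duplicate output column or reject it — either way it is dead work that should not survive review. Separately, `makeset` and `arraylength` are the deprecated spellings of `make_set` and `array_length`; the same deprecated forms appear in the two following hunks (failed attempts from same client IP, failed logons by a user).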
From 52f7618edf77e0e01bb354388322ed784cfd6bd5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:28 +0000
Subject: [PATCH 177/375] Exported file: High count of failed attempts from
same client IP.json.json
---
...f failed attempts from same client IP.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
diff --git a/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
new file mode 100644
index 00000000..17f73e2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/837ae291-8946-4918-a036-a22f4da70456')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/837ae291-8946-4918-a036-a22f4da70456')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 1m;\nlet failedThreshold = 20;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", 
\"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed attempts from same client IP\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of failed attempts from same client IP",
+ "enabled": false,
+ "description": "Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \npotentially block these connections at the edge device.\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \nthat is associated with the client IP.\nReferences:\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "19e01883-15d8-4eb6-a7a5-3276cd668388"
+ }
+ }
+ ]
+}
\ No newline at end of file
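Review bot: `queryFrequency` and `queryPeriod` are both `P1D`, so a 20-failure burst inside a 1-minute `timeBin` is surfaced only on the next daily run, up to 24 hours after the fact; for a brute-force indicator that is a long detection gap and should be a deliberate choice. If the export reflects the intended cadence, state it in `description`, e.g. `"Runs once a day over the previous day; lower queryFrequency and queryPeriod together for faster alerting."`; otherwise a shorter frequency with a matching period keeps the detection logic unchanged. The same pairing appears in the previous hunk (connections on many ports) and the next one (failed logons by a user).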
From b511d2ac809dd8701c7d16941cacde18a2cae0d6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:29 +0000
Subject: [PATCH 178/375] Exported file: High count of failed logons by a
user.json.json
---
...High count of failed logons by a user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/High count of failed logons by a user.json
diff --git a/SentinelExported-AnalyticsRule/High count of failed logons by a user.json b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json
new file mode 100644
index 00000000..83b847c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", 
\nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed logons by a user\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High count of failed logons by a user",
+ "enabled": false,
+ "description": "Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis could be indicative of attempted brute force based on known account information.\nThis could also simply indicate a misconfigured service or device. \nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx",
+ "alertRuleTemplateName": "884c4957-70ea-4f57-80b9-1bca3890315b"
+ }
+ }
+ ]
+}
\ No newline at end of file
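Review bot: The rule is exported with `"enabled": false`, so deploying this template creates a dormant analytics rule that never runs its query; every rule in this series carries the same value. If the export is a backup that is expected, but if it is meant to be redeployed the flag needs to be flipped or parameterised (the template already takes a `workspace` parameter, so an `enabled` parameter beside it would let one file serve both purposes). Nothing on the page shows which use is intended, so this is a question rather than a defect. Minor, on the query line: the `X-ARR-CACHE-HIT=` branch joins the first two `&`-separated segments with `strcat` and no separator, so the rebuilt `csUriQuery` differs from the original; likely harmless since it only feeds the grouping sets, but worth a comment such as `// note: first two query segments are concatenated without the "&"`.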
From c7d86072e9b5f1f04ca26aa5a5f7ebd635d642df Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:30 +0000
Subject: [PATCH 179/375] Exported file: IP with multiple failed Azure AD
logins successfully logs in to Palo Alto VPN.json.json
---
...successfully logs in to Palo Alto VPN.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
diff --git a/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
new file mode 100644
index 00000000..04938243
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29579f11-7599-48db-9ded-b81730a99f26')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29579f11-7599-48db-9ded-b81730a99f26')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold.\nlet aadFunc = (tableName:string){\nlet suspicious_signins = \n table(tableName)\n //Looking for logon failure results\n | where ResultType !in (\"0\", \"50125\", \"50140\")\n //Exclude localhost addresses to reduce the chance of FPs\n | where IPAddress !in (\"127.0.0.1\", \"::1\")\n | summarize count() by IPAddress\n | where count_ > signin_threshold\n | summarize make_set(IPAddress);\n suspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\nCommonSecurityLog\n //Select only PA VPN sucessful logons\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"globalprotect\"\n | where Message has \"GlobalProtect gateway user authentication succeeded\"\n //Parse out the logon source IP from the Message field to match on\n | extend SourceIP = extract(\"Login from: ([^,]+)\", 1, Message) \n | where SourceIP in (suspicious_signins)\n | extend Reason = \"Multiple failed AAD logins from SourceIP\"\n //Parse out other useful information from Message field\n | extend User = extract('User name: ([^,]+)', 1, Message) \n | extend ClientOS = extract('Client OS version: ([^,\\\"]+)', 1, Message)\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN",
+ "enabled": false,
+ "description": "This query creates a list of IP addresses with a number failed login attempts to AAD \nabove a set threshold. It then looks for any successful Palo Alto VPN logins from any\nof these IPs within the same timeframe.",
+ "alertRuleTemplateName": "ba144bf8-75b8-406f-9420-ed74397f9479"
+ }
+ }
+ ]
+}
\ No newline at end of file
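Review bot: The failure filter `ResultType !in ("0", "50125", "50140")` treats every other AAD result as a failed sign-in, so interrupt codes that are not failures (50074 and 50076, the MFA-required interrupts, are the usual examples) count toward `signin_threshold`; an office egress IP where users routinely hit MFA prompts would then land in `suspicious_signins`, and any later GlobalProtect success from it fires the rule. Rules of this family commonly exclude those codes alongside 50125/50140 — confirm against the tenant's sign-in data before widening the list. Also, `SourceIP`, `User`, `ClientOS` and `Location` are pulled out of `Message` with fixed regexes, so a change in the GlobalProtect message format silently empties `SourceIP` and the `in (suspicious_signins)` match never fires; a comment on the `extract` lines such as `//Fields below are regex-extracted from the GlobalProtect auth-success Message; an empty SourceIP means the format changed` would make that dependency visible.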
From 15741864ee90759e88dbcc2bdd7cf4c6202e7177 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:31 +0000
Subject: [PATCH 180/375] Exported file: Known Barium IP.json.json
---
.../Known Barium IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Barium IP.json
diff --git a/SentinelExported-AnalyticsRule/Known Barium IP.json b/SentinelExported-AnalyticsRule/Known Barium IP.json
new file mode 100644
index 00000000..2834837f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Barium IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/872545df-734f-481c-acd9-4a2d7af889e3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/872545df-734f-481c-acd9-4a2d7af889e3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = 
SourceIPAddress , AccountCustomEntity = Account \n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer \n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer \n), \n(Event \n| where Source == \"Microsoft-Windows-Sysmon\" \n| where EventID == 3 \n| extend EvData = parse_xml(EventData) \n| extend EventDetail = EvData.DataItem.EventData.Data \n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"] \n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\") \n), \n(WireData \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where 
isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n) \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Barium IP",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
+ "alertRuleTemplateName": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63"
+ }
+ }
+ ]
+}
\ No newline at end of file
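Review bot: In the CommonSecurityLog, VMConnection and Sysmon branches of the query, `IPCustomEntity` falls back to the literal strings `"IP in Message Field"` and `"None"`, and the IP entity mapping below then hands those placeholders to Sentinel as an IP `Address`, so exactly the Message-only and unmatched rows produce malformed IP entities and break entity-based grouping and enrichment. For the Message case surface the indicator that actually matched, e.g. `tostring(set_intersect(extract_all(@"(\d{1,3}(?:\.\d{1,3}){3})", Message), IPList)[0])`, and use `""` rather than `"None"` where nothing matched so the mapping is skipped. The Sysmon branch reads `EventDetail.[9]` and `EventDetail.[14]` by position, which presumably tracks one Sysmon schema version — add a comment naming the version it was validated against. The IP list is a static snapshot tied to the 2020 indictment cited in the description, with `severity` High and no expiry, so reassigned addresses will page as C2 hits; record the collection date in the description and re-validate the list before enabling.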
From 1e2f3b09f8af21f118df338b59ae1c33980ddee2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:31 +0000
Subject: [PATCH 181/375] Exported file: Known Barium domains.json.json
---
.../Known Barium domains.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Barium domains.json
diff --git a/SentinelExported-AnalyticsRule/Known Barium domains.json b/SentinelExported-AnalyticsRule/Known Barium domains.json
new file mode 100644
index 00000000..26b4f12c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Barium domains.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", \"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", 
\"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", \"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", 
\"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n \"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", 
\"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", \"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (DnsEvents \n | extend DNSName = Name \n | where isnotempty(DNSName) \n | where DNSName has_any (DomainNames) \n | extend IPAddress = ClientIP \n ), \n (imDns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ 
(DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (DomainNames) \n | extend DNSName = Request_Name\n | extend IPAddress = ClientIP \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPAddress = SourceHost\n ) \n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Barium domains",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
+ "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d"
+ }
+ }
+ ]
+}
\ No newline at end of file
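Review bot: The branches apply different match semantics to the same list: CommonSecurityLog, VMConnection and DeviceNetworkEvents use `in~` (exact name) while DnsEvents, imDns and both AzureDiagnostics branches use `has_any`, so a lookup for a host under `dns-info.gq` is caught by the DNS sources but a proxied connection to it is not, and `has_any` will fire on any label sequence containing an entry. Pick one behaviour and document it — `has_any (DomainNames)` in every branch if parent-domain matching is intended, `in~` everywhere otherwise. The list also holds duplicates (`battllestategames.com`, `cdsend.xyz`, `comcleanner.info`, `steamappstore.com`, `update08.com`, `wnswindows.com` each appear twice) and entries on shared or third-party infrastructure (`*.000webhostapp.com`, `goodhk.azurewebsites.net`, and `dnsdist.org`, which appears to be the public site of an open-source DNS load balancer); de-duplicate and re-verify those before enabling at High severity. The VMConnection `parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *` presumably only yields a clean name when the array holds a single element, so multi-name arrays silently miss — worth a comment or a `mv-expand` instead.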
From cbf1ad26b9a092e220743a08ab1a4956aaf6d8bb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:32 +0000
Subject: [PATCH 182/375] Exported file: Known CERIUM domains and
hashes.json.json
---
.../Known CERIUM domains and hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
new file mode 100644
index 00000000..6fdffb9b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = ClientIP\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known CERIUM domains and hashes",
+ "enabled": false,
+ "description": "CERIUM malicious webserver and hash values for maldocs and malware. \n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.",
+ "alertRuleTemplateName": "c87fb346-ea3a-4c64-ba92-3dd383e0f0b5"
+ }
+ }
+ ]
+}
\ No newline at end of file
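Review bot: In the CommonSecurityLog branch, `| where isnotempty(FileHash)` runs before `| where FileHash in (SHA256Hash) or DNSName =~ DomainNames`, so any CEF record that names the CERIUM domain but carries no file hash (the usual shape of proxy and firewall events) is discarded before the domain test is reached. Drop the pre-filter and let the OR decide, `| where FileHash in~ (SHA256Hash) or DNSName =~ DomainNames`, which also makes the hash test case-insensitive — `in` is case-sensitive and the list is lowercase, so uppercase hex from a vendor would never match. The domain is compared with `=~` in the CSL, DnsEvents and VMConnection branches but with `has_any` in the AzureDiagnostics branches, so subdomains of `miniodaum.ml` only match in firewall data; choose one semantics and state it in a comment. The description lists only CommonSecurityLog, DnsEvents and VMConnection although the query also reads AzureDiagnostics, and unlike the sibling GALLIUM rule in this series it does not query `imDns`, so ASIM-normalized DNS sources are not covered.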
From 89fa9e151f2cb35008cb15a0d47d8a5f5cf71ead Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:33 +0000
Subject: [PATCH 183/375] Exported file: Known GALLIUM domains and
hashes.json.json
---
.../Known GALLIUM domains and hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
new file mode 100644
index 00000000..360e64e9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/338cfd75-5f86-4e98-91a0-87733bd4698e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/338cfd75-5f86-4e98-91a0-87733bd4698e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic ([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", \"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", \"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", 
\"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n( imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA1=' SHA1 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| extend Account = UserName\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any 
(SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known GALLIUM domains and hashes",
+ "enabled": false,
+ "description": "GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ",
+ "alertRuleTemplateName": "26a3b261-b997-4374-94ea-6c37f67f4f39"
+ }
+ }
+ ]
+}
\ No newline at end of file
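Review bot: The Sysmon branch parses the SHA1 into a `SHA1` column (`parse Hashes with * 'SHA1=' SHA1 ',' *`) but then filters on the unparsed field, `| where Hashes in (SHA1Hash)`, so the full `SHA1=…,MD5=…` string is compared against bare hashes and can never match; it should read `| where SHA1 in~ (SHA1Hash)`. That branch also has no `EventID` filter and reads `EventDetail.[16]` by position, which is only the Hashes field for particular Sysmon event types and schema versions — restrict it to the events that were validated and leave a comment naming the schema version. As in the sibling CERIUM rule in this series, the CommonSecurityLog branch applies `| where isnotempty(FileHash)` before the `FileHash in (SHA256Hash) or DNSName in~ (DomainNames)` test, so domain-only CEF hits are dropped; remove the pre-filter and use `in~` for the hash comparison. The description says SecurityEvents are matched, but the query reads `Event` (Sysmon) and `SecurityAlert`, so the description should be corrected.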
From d0e35ed138976f3238e9aedf9fb99ec184299154 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:34 +0000
Subject: [PATCH 184/375] Exported file: Known IRIDIUM IP.json.json
---
.../Known IRIDIUM IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
diff --git a/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
new file mode 100644
index 00000000..ca0ee39c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend 
EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known IRIDIUM IP",
+ "enabled": false,
+ "description": "IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.",
+ "alertRuleTemplateName": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63"
+ }
+ }
+ ]
+}
\ No newline at end of file
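Review bot: The VMConnection branch of the query ends with `Host = Computer`, but the Host entity mapping reads `HostCustomEntity` (the `columnName` under `"entityType": "Host"`), so VMConnection matches raise alerts with no host entity; it should read `| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == "SourceIP", SourceIp, IPMatch == "DestinationIP", DestinationIp, "None"), HostCustomEntity = Computer`. The CommonSecurityLog branch also assigns the literal `"IP in Message Field"` to `IPCustomEntity` for Message-only matches, and that string is then fed to the IP entity's `Address` identifier; the same placeholder appears in the Known Manganese rule's query, and an empty value or the extracted address would be safer for the entity mapping. The two AzureDiagnostics branches are the only ones that do not set `timestamp`, unlike every other branch in the union. `"techniques": null` in this rule and in the other exported rules of this series (Known Malware Detected, Known Manganese, Known NICKEL, Known PHOSPHORUS) means no MITRE technique IDs are recorded for coverage reporting. All of them are also exported with `"enabled": false`, which presumably mirrors workspace state, but deploying the templates as-is installs the rules disabled.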
From 5cc24c2a46a4d644a9dc2feb9f9976b10d53184a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:35 +0000
Subject: [PATCH 185/375] Exported file: Known Malware Detected.json.json
---
.../Known Malware Detected.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Malware Detected.json
diff --git a/SentinelExported-AnalyticsRule/Known Malware Detected.json b/SentinelExported-AnalyticsRule/Known Malware Detected.json
new file mode 100644
index 00000000..4ab955a5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Malware Detected.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Known Malware Detected",
+ "enabled": false,
+ "description": "This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.",
+ "alertRuleTemplateName": "9f86885f-f31f-4e66-a39d-352771ee789e"
+ }
+ }
+ ]
+}
\ No newline at end of file
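Review bot: The `description` has grammar errors ("a known Malware", "a endpoint", "a Carbon Black"); suggested wording: `"description": "This creates an incident when known malware is detected on an endpoint managed by Carbon Black."`. The query derives `eventTime` with `tolong(eventTime_d/1000)`, which truncates to whole seconds; if `eventTime_d` is a millisecond epoch that is presumably intended, but a short `//` comment in the query stating the unit would save the next reader from checking. The `count()` produced by the summarize is never used downstream and could be named or dropped for clarity.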
From c7a7b630f00aaa65cd2385302d6ad3d3ee853702 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:36 +0000
Subject: [PATCH 186/375] Exported file: Known Manganese IP and UserAgent
activity.json.json
---
...n Manganese IP and UserAgent activity.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
diff --git a/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
new file mode 100644
index 00000000..74a8e5d7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Known Manganese IP and UserAgent activity",
+ "enabled": false,
+ "description": "Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\nReferences: \nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\nhttps://fortiguard.com/psirt/FG-IR-18-384",
+ "alertRuleTemplateName": "a04cf847-a832-4c60-b687-b0b6147da219"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9007d7d708ef3086e8917db0f54ac5d27b5ed11e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:36 +0000
Subject: [PATCH 187/375] Exported file: Known NICKEL domains and
hashes.json.json
---
.../Known NICKEL domains and hashes.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
new file mode 100644
index 00000000..9ebf81c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", \n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n 
\"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n \"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend 
DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == 
\"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known NICKEL domains and hashes",
+ "enabled": false,
+ "description": "IOC domains and hash values for tools and malware used by NICKEL. \n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.",
+ "alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598"
+ }
+ }
+ ]
+}
\ No newline at end of file
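Review bot: In the Sysmon (`Event`) branch of the query, the filter is `| where Hashes in (SHA256Hashes)` although the preceding `parse Hashes with * 'SHA256=' SHA256 ',' *` extracts the bare SHA256 into `SHA256`; `Hashes` holds the whole hash list string, so the comparison against the bare hash values can only match when the field contains nothing else, and it should read `| where SHA256 in~ (SHA256Hashes)`. The CommonSecurityLog branch gates on `| where isnotempty(FileHash)` before `| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)`, which silently drops domain-only matches on records with no file hash; removing the `isnotempty(FileHash)` gate keeps the OR meaningful. The query's own comment notes that the Sysmon table name may need updating, and the branch also has no `EventID` filter and relies on a fixed `EventDetail.[16]` index, so that caveat deserves to be repeated in the `description`. The `description` mentions the SecurityEvents data type while the query reads `Event`, `DeviceFileEvents`, `imFileEvent`, `DeviceNetworkEvents` and `SecurityAlert`, so the listed data types are out of date.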
From 3b3448991a32cd4b7e2f7a17b076b819f2c716d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:37 +0000
Subject: [PATCH 188/375] Exported file: Known PHOSPHORUS group domains_IP -
October 2020.json.json
---
...HORUS group domains_IP - October 2020.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
diff --git a/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
new file mode 100644
index 00000000..9e2d991a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n 
isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known PHOSPHORUS group domains/IP - October 2020",
+ "enabled": false,
+ "description": "Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: ",
+ "alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498"
+ }
+ }
+ ]
+}
\ No newline at end of file
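Review bot: The `description` ends with an empty `References: ` and lists OfficeActivity among the data types, but the query reads `CommonSecurityLog`, `DnsEvents`, `VMConnection`, `SecurityAlert` (`ProviderName =~ 'OATP'`) and `AzureDiagnostics`, not OfficeActivity; either fill in the reference or drop the trailing label, and correct the data-type list. In the CommonSecurityLog branch, `MessageIP` and `RequestURLIP` are both computed as `extract(IPRegex, 0, Message)` and neither column is used afterward; the second presumably meant to read `RequestURL`, so the line is either a copy error or dead code to remove. The `UPN` case expression walks `parse_json(Entities)[0]` through `[9]` by hand and re-parses `Entities` on every branch, which works but is brittle; a comment stating why only the first ten entities are inspected would help.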
From 1202c615b3915588bd5e47f4f2a56dbeeb4d6b39 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:38 +0000
Subject: [PATCH 189/375] Exported file: Known Phosphorus group
domains_IP.json.json
---
.../Known Phosphorus group domains_IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
diff --git a/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
new file mode 100644
index 00000000..ac14a690
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\", \n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"sessi
on-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"session-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == 
\"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host),\n(imDns\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPCustomEntity = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Phosphorus group domains/IP",
+ "enabled": false,
+ "description": "Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.",
+ "alertRuleTemplateName": "155f40c6-610d-497d-85fc-3cf06ec13256"
+ }
+ }
+ ]
+}
\ No newline at end of file
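Review bot: The CommonSecurityLog branch of the query ends with `extend timestamp = TimeGenerated, IPCustomEntity = case(...), Account = SourceUserID, Host = DeviceName`, which never produces the `AccountCustomEntity`/`HostCustomEntity` columns that the Account and Host entity mappings at the bottom of the hunk read, so hits from that branch (and from the VMConnection branch, which only sets `Host = Computer`) arrive with no account or host entity; the tails should be `AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName` and `HostCustomEntity = Computer` respectively. The same two branches also fill `IPCustomEntity` with the literal strings `"NoMatch"` and `"None"` when only a domain matched, which maps a non-address onto the IP entity; using an empty string `""` as the `case` default lets Sentinel skip the mapping instead. The DnsEvents, OfficeActivity and Azure Firewall branches do populate the custom-entity columns, which suggests the CommonSecurityLog and VMConnection tails were not updated when the entity mappings were added.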
From a7a089a0fb297f8b0478841755f9e53c0214e2ba Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:39 +0000
Subject: [PATCH 190/375] Exported file: Known STRONTIUM group domains - July
2019.json.json
---
...n STRONTIUM group domains - July 2019.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
diff --git a/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
new file mode 100644
index 00000000..8400e3be
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0adc565-7cd3-47f0-9027-c700df43303a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0adc565-7cd3-47f0-9027-c700df43303a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"irf.services\",\"microsoft-onthehub.com\",\"msofficelab.com\",\"com-mailbox.com\",\"my-sharefile.com\",\"my-sharepoints.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\n\"onedrive-sharedfile.com\",\"onedrv-live.com\",\"transparencyinternational-my-sharepoint.com\",\"transparencyinternational-my-sharepoints.com\",\"soros-my-sharepoint.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\n(DnsEvents \n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\n(imDns (domain_has_any=DomainNames)\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPAddress = RemoteIp, Host = Computer),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost)\n)\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known STRONTIUM group domains - July 2019",
+ "enabled": false,
+ "description": "Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.",
+ "alertRuleTemplateName": "074ce265-f684-41cd-af07-613c5f3e6d0d"
+ }
+ }
+ ]
+}
\ No newline at end of file
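Review bot: The description at the end of the hunk states the rule matches "with CommonSecurityLog, DnsEvents and VMConnection dataTypes", but the query also unions `imDns` and two `AzureDiagnostics` branches (Azure Firewall DNS proxy and application rule), so the documented data sources understate both what the rule needs and where alerts can originate; change it to `... with CommonSecurityLog, DnsEvents, imDns, VMConnection and AzureDiagnostics (Azure Firewall) dataTypes.`. The `Account` column is only assigned in the CommonSecurityLog branch, so the Account entity mapping is empty for every other source, which is acceptable but worth a sentence in the description. The domain list is embedded in the query body rather than sourced from a watchlist or threat-intelligence table, so it cannot be refreshed without editing the rule; the description should say the list reflects the July 2019 publication it references.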
From 7bd23ffb42000e642fcf8f665bad38cd5f8045f3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:40 +0000
Subject: [PATCH 191/375] Exported file: Known ZINC Comebacker and Klackring
malware hashes.json.json
---
...mebacker and Klackring malware hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
new file mode 100644
index 00000000..e47bd107
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8a5e860b-05d8-47b1-bb76-f690d926ab12')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8a5e860b-05d8-47b1-bb76-f690d926ab12')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", 
\"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(DnsEvents\n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend Type = \"DnsEvents\", IPAddress = ClientIP\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer 
= DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, CommandLine, FileName\n),\n(SecurityEvent\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Known ZINC Comebacker and Klackring malware hashes",
+ "enabled": false,
+ "description": "ZINC attacks against security researcher campaign malware hashes.",
+ "alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605"
+ }
+ }
+ ]
+}
\ No newline at end of file
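Review bot: In the CommonSecurityLog branch the guard `| where isnotempty(FileHash)` precedes `| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)`, so a CEF event that matches one of the C2 domains but carries no file hash is discarded and the domain half of that branch can never fire; fold the guard into the predicate, `| where (isnotempty(FileHash) and FileHash in~ (SHA256Hash)) or (isnotempty(DNSName) and DNSName in~ (DomainNames))`. Several branches project a `FileHash` column, yet the entityMappings block maps only Account, Host and IP, so incidents never carry the matched hash as an entity; a FileHash mapping with `Algorithm` and `Value` identifiers would close that gap. The `SecurityAlert` branch derives `Computer` from `parse_json(Entities)[0].HostName`, which presumes the host is always the first entity in the alert; nothing visible here guarantees that ordering, so hosts may come back empty for some alerts. The `ProductName == "Microsoft Defender Advanced Threat Protection"` filter in that branch is also worth confirming against current alert data, since the product has since been renamed.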
From cfb96849582659b7f86c7111b91c62d42372e288 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:40 +0000
Subject: [PATCH 192/375] Exported file: Known ZINC related maldoc
hash.json.json
---
.../Known ZINC related maldoc hash.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
diff --git a/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
new file mode 100644
index 00000000..c3947948
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6587f4a3-260a-470f-a372-fd7d879e9772')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6587f4a3-260a-470f-a372-fd7d879e9772')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known ZINC related maldoc hash",
+ "enabled": false,
+ "description": "Document hash used by ZINC in highly targeted spear phishing campaign.",
+ "alertRuleTemplateName": "3174a9ec-d0ad-4152-8307-94ed04fa450a"
+ }
+ }
+ ]
+}
\ No newline at end of file
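Review bot: In the Sysmon (`Event`) branch, `| parse Hashes with * 'SHA256=' SHA265 ',' *` extracts the hash into a misspelled column `SHA265` that is never read, and the following `| where Hashes in (SHA256Hash)` compares the whole `Hashes` field (which holds several `ALG=value` pairs) against the single SHA256 literal, so this branch effectively never matches; it should be `| parse Hashes with * 'SHA256=' SHA256 ',' *` followed by `| where SHA256 in~ (SHA256Hash)`, as the ZINC Comebacker rule in this series already does. The case-insensitive `in~` matters because the literal is lower-case hex while Sysmon typically writes hashes in upper case. The `| where isnotempty(Hashes)` line sits after the parse rather than before it, which is harmless but reads oddly. As in the Comebacker rule, the rule's sole indicator is a file hash, yet no FileHash entity mapping is declared, so the matched hash is not surfaced as an entity.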
From 9ec8deba6dfc2ee1110454dde06ab9050455b299 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:41 +0000
Subject: [PATCH 193/375] Exported file: Linked Malicious Storage
Artifacts.json.json
---
.../Linked Malicious Storage Artifacts.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
diff --git a/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
new file mode 100644
index 00000000..ee6c08b8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n//Collect the alert events\nlet alertData = SecurityAlert \n| where DisplayName has \"Potential malware uploaded to\" \n| extend Entities = parse_json(Entities) \n| mv-expand Entities;\n//Parse the IP address data\nlet ipData = alertData \n| where Entities['Type'] =~ \"ip\" \n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\n//Parse the file data\nlet FileData = alertData \n| where Entities['Type'] =~ \"file\" \n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\n//Combine the File and IP data together\nipData \n| join (FileData) on VendorOriginalId \n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\n//Create a type column so we can track if it was a File storage or blobl storage upload \n| extend type = iff(DisplayName has \"file\", \"File\", \"Blob\") \n| join (\n union\n StorageFileLogs, \n StorageBlobLogs \n //File upload operations \n | where OperationName =~ \"PutBlob\" or OperationName =~ \"PutRange\"\n //Parse out the uploader IP \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0])\n //Extract the filename from the Uri \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri)\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\n //We can work around this by making it an array then converting it to hex from an int \n | extend base64Char = base64_decode_toarray(ResponseMd5) \n | mv-expand base64Char \n | extend hexChar = tohex(toint(base64Char))\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\"0\", hexChar), hexChar) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \n | extend Md5Hash = strcat_array(list_hexChar, \"\")\n //Pack the file information the summarise into a ClientIP row \n | extend p = pack(\"FileName\", FileName, \"FileSize\", RequestBodySize, \"Md5Hash\", Md5Hash, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \n | join kind=leftouter (\n union\n StorageFileLogs,\n StorageBlobLogs \n | where OperationName =~ \"DeleteFile\" or OperationName =~ \"DeleteBlob\" \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0]) \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | extend p = pack(\"FileName\", FileName, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\n ) on ClientIP\n ) on $left.AttackerIP == $right.ClientIP \n| mvexpand UploadedFileInfo \n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \"MD5\", IPCustomEntity = AttackerIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Linked Malicious Storage Artifacts",
+ "enabled": false,
+ "description": "An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.",
+ "alertRuleTemplateName": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d"
+ }
+ }
+ ]
+}
\ No newline at end of file
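Review bot: The final line of the query assigns `FileHashCustomEntity = LinkedMaliciousFileName`, so the FileHash entity mapping (`"identifier": "Value"` → `FileHashCustomEntity`) receives a file name rather than the MD5 that is computed a few lines earlier as `LinkedMaliciousFileHash`; the line should read `| extend FileHashCustomEntity = LinkedMaliciousFileHash, HashAlgorithm = "MD5", IPCustomEntity = AttackerIP`. The query already exposes `HashAlgorithm`, but the mapping declares only the `Value` identifier; adding a second field mapping `{"identifier": "Algorithm", "columnName": "HashAlgorithm"}` gives the FileHash entity its full identifier pair. The description could also mention that the linked hash is an MD5 reconstructed from the storage log's `ResponseMd5`, so analysts do not assume a SHA256 when pivoting on it.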
From f9cf5946bdd511ffd198381c0711dec43ca3e2f8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:42 +0000
Subject: [PATCH 194/375] Exported file: Log4j vulnerability exploit aka
Log4Shell IP IOC.json.json
---
...rability exploit aka Log4Shell IP IOC.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
diff --git a/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
new file mode 100644
index 00000000..d3dd465c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6392295f-31e9-45da-8c14-5554a2b3fb7c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6392295f-31e9-45da-8c14-5554a2b3fb7c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"No Match\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch, LogType = Type \n| extend timestamp = StartTime, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"No Match\")\n),\n(OfficeActivity \n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account, LogType = Type\n),\n(DnsEvents\n| where IPAddresses has_any (IPList)\n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imNetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr, LogType = Type\n),\n (VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| extend 
IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer, LogType = Type\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"), LogType = Type\n),\n(WireData\n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, LogType = Type\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, LogType = Type\n),\n(AzureActivity\n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, LogType = 
Type\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, LogType = Type\n), \n( \nDeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"java.exe\" and ProcessCommandLine has_all ('curl -s','wget') or\nProcessCommandLine has_all ('curl',@'${jndi') or \nProcessCommandLine has_any (\"${jndi:ldap://\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop://\",\"${jndi:\",'${web:','${jvmrunargs:')\n| extend LogType = Type\n),\n(\nDeviceNetworkEvents\n| where RemoteIP in(IPList) and ActionType != \"ConnectionFailed\"\n| extend LogType = Type\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Log4j vulnerability exploit aka Log4Shell IP IOC",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228",
+ "alertRuleTemplateName": "6e575295-a7e6-464c-8192-3e1d8fd6a990"
+ }
+ }
+ ]
+}
\ No newline at end of file
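Review bot: The IOC list in the `query` at L16033 is fetched on every run with `externaldata` from a mutable GitHub `master` URL, so the rule's match set is controlled by whoever can change that file, and the rule silently matches nothing if the file moves or the workspace cannot reach GitHub; pinning the feed to a specific commit or hosting it in a controlled storage account, and stating that dependency in `description`, would make the detection reproducible. The union also includes `DeviceNetworkEvents` twice (once under `isnotempty(RemoteIP)`, once under `ActionType != "ConnectionFailed"`), so one matching event yields two rows, and the second branch sets neither `timestamp` nor `IPCustomEntity`/`HostCustomEntity`, leaving those alerts without entities; folding `| where ActionType != "ConnectionFailed"` into the first branch and deleting the second removes the duplication. In the `DeviceProcessEvents` branch `and` binds tighter than `or`, so the `InitiatingProcessFileName =~ "java.exe"` constraint applies only to the first `has_all` clause; if that is intended, a sentence in `description` would save the next reader the analysis.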
From 5c031d6e49e909287c4ba80d08d762d7addf08e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:43 +0000
Subject: [PATCH 195/375] Exported file: Login to AWS Management Console
without MFA.json.json
---
...to AWS Management Console without MFA.json | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
diff --git a/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
new file mode 100644
index 00000000..cde09b40
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "PrivilegeEscalation",
+ "Persistence",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Login to AWS Management Console without MFA",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
+ "alertRuleTemplateName": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc"
+ }
+ }
+ ]
+}
\ No newline at end of file
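Review bot: `MFAUsed !~ "Yes"` and `LoginResult !~ "Failure"` in the `query` at L16129 both treat an empty field as a hit, so `ConsoleLogin` events whose `AdditionalEventData` or `ResponseElements` lack those keys are reported as successful non-MFA logins; `LoginResult =~ "Success"` pins the positive case, and `SessionMfaAuthenticated`, already in the `summarize` key, looks worth filtering on as well if it records MFA on an assumed session (confirm against the connector schema). The `description` says the detection can be limited to administrative accounts, but the query carries no such filter, so that sentence reads as a feature rather than a suggestion; a `| where UserIdentityUserName in (<admin-account-list placeholder>)` line or a rewording would align them. The same string has the typo `adminsitrative`.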
From a8af80d07155c5904cafb174edad9e6f48c6da18 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:44 +0000
Subject: [PATCH 196/375] Exported file: MFA Rejected by User.json.json
---
.../MFA Rejected by User.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MFA Rejected by User.json
diff --git a/SentinelExported-AnalyticsRule/MFA Rejected by User.json b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
new file mode 100644
index 00000000..bd685e97
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\"\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA Rejected by User",
+ "enabled": false,
+ "description": "Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "d99cf5c3-d660-436c-895b-8a8f8448da23"
+ }
+ }
+ ]
+}
\ No newline at end of file
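Review bot: The `query` at L16216 keys on the exact text `additionalDetails_ =~ "MFA denied; user declined the authentication"`, a free-form service message that can be reworded between releases and would then silently switch the rule off; `ResultType == 500121` already identifies the MFA-denied outcome, so either drop the string match or loosen it to `additionalDetails_ has "declined"`. A single declined prompt opens a Medium incident at `triggerThreshold` 0, which one mis-tapped notification will trip; for the push-fatigue pattern the `description` describes, a `summarize Declined = count() by UserPrincipalName, IPAddress` with a threshold is the more actionable shape, and the first form should be noted as intentional if it is kept. The description also misspells `accurances`.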
From 87133ea53468ecc4a7a5d7d7403c73659d423324 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:44 +0000
Subject: [PATCH 197/375] Exported file: MFA disabled for a user.json.json
---
.../MFA disabled for a user.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MFA disabled for a user.json
diff --git a/SentinelExported-AnalyticsRule/MFA disabled for a user.json b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
new file mode 100644
index 00000000..32292735
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(AuditLogs \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA disabled for a user",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ",
+ "alertRuleTemplateName": "65c78944-930b-4cae-bd79-c3664ae30ba7"
+ }
+ }
+ ]
+}
\ No newline at end of file
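Review bot: Neither branch of the `query` at L16300 distinguishes a completed MFA removal from a denied attempt — the `AuditLogs` branch neither filters nor projects `Result`, and the `AWSCloudTrail` branch ignores `ErrorCode` — so an `AccessDenied` `DeactivateMFADevice` call and an actual device removal produce identical alerts. If surfacing attempts is the intent (the `description` says "attempt"), carrying `Result` and `ErrorCode` through the `summarize ... by` keys lets an analyst triage without opening the raw event; otherwise `| where Result =~ "success"` and `| where isempty(ErrorCode)` narrow the rule to effective changes. Either way the description should say which of the two the rule reports, since "attempt" currently covers both.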
From 3f39de5f336effea866aa07274b90ca7dff71fd3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:45 +0000
Subject: [PATCH 198/375] Exported file: MSHTML vulnerability CVE-2021-40444
attack.json.json
---
...L vulnerability CVE-2021-40444 attack.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
diff --git a/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
new file mode 100644
index 00000000..d7624dab
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "MSHTML vulnerability CVE-2021-40444 attack",
+ "enabled": false,
+ "description": "This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \".cpl:../../msword.inf\"\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "alertRuleTemplateName": "972c89fa-c969-4d12-932f-04d55d145299"
+ }
+ }
+ ]
+}
\ No newline at end of file
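Review bot: The `SecurityEvent` branch of the `query` at L16385 only yields rows when 4688 events carry `CommandLine` (`where isnotempty(CommandLine)`), which depends on process-creation command-line auditing being enabled on the hosts; the `description` should state that prerequisite so an empty result is not read as absence of activity. The `Event` (Sysmon) branch runs `parse_xml`, `bag_unpack` and `evaluate pivot` over every EventID 1 record in the hour before the file-name filter is applied; a cheap pre-filter such as `| where EventData has_any ("control.exe", "rundll32.exe") or EventData contains "../.."` placed before `parse_xml` would cut the scan while preserving both match conditions (verify that the raw XML contains the same values the pivot exposes). The description also has the typos `commnadline` and `Refrence`.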
From 70609ed102aecabe243fb963fb55244811e9c92f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:46 +0000
Subject: [PATCH 199/375] Exported file: Mail redirect via ExO transport
rule.json.json
---
.../Mail redirect via ExO transport rule.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
diff --git a/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
new file mode 100644
index 00000000..1da049e2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\n \"Unknown\"\n ) \n| mvexpand p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly = case( \n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), \n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), \n ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\n ClientIP\n ) \n| extend Port = case(\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\n ClientIP\n )\n| extend ClientIP = ClientIPOnly\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Mail redirect via ExO transport rule",
+ "enabled": false,
+ "description": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.",
+ "alertRuleTemplateName": "500415fb-bba7-4227-a08a-9857fb61b6a7"
+ }
+ }
+ ]
+}
\ No newline at end of file
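Review bot: `RuleName` in the `query` at L16470 is taken from `p[1].Value` for `New-TransportRule`, a positional index into the `Parameters` array whose element order is not guaranteed, so the rule name silently becomes some other parameter's value when the cmdlet is invoked with a different argument order; selecting the element whose `Name` is `"Name"` (for example with an `mv-apply` over `p` that keeps `p.Name =~ "Name"` and takes its `Value`) is stable. The redirect filter covers only `BlindCopyTo` and `RedirectMessageTo`, while `CopyTo` and `AddToRecipients` also deliver a copy of matching mail to an attacker-chosen mailbox; extending the `where` to `p.Name in~ ("BlindCopyTo", "RedirectMessageTo", "CopyTo", "AddToRecipients")` closes that gap. The `description` should then list the parameters the rule watches so the coverage is explicit.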
From 51a899890106a0b0dfb2d71e46e877a88e82c325 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:47 +0000
Subject: [PATCH 200/375] Exported file: Mail.Read Permissions Granted to
Application.json.json
---
...ad Permissions Granted to Application.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
diff --git a/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
new file mode 100644
index 00000000..44975a82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nAuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| project-away props\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | extend AppName = tostring(TargetResources[0].displayName)\n | extend AppId = tostring(TargetResources[0].id)\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Mail.Read Permissions Granted to Application",
+ "enabled": false,
+ "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.",
+ "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760"
+ }
+ }
+ ]
+}
\ No newline at end of file
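Review bot: The `description` at L16597 says the application "subsequently has been consented to", but the `join kind=leftouter` on `CorrelationId` in the `query` at L16556 keeps every grant row whether or not a matching "Consent to application" event exists, so `AppName`/`AppId` are simply empty for unconsented grants and nothing enforces the stated condition; use `kind=inner` or reword the description. The filter `tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` drops grants initiated by a service principal whose display name contains no `@`, which is the path automated grants follow; keeping app-initiated rows and mapping `InitiatedBy.app.displayName` to an entity avoids the blind spot. `has_any ("Mail.Read", "Mail.ReadWrite")` is term-based, so `Mail.ReadBasic` is not matched and should be added if that scope is in scope, and `extend Type = tostring(TargetResources[0].type)` overwrites the table's own `Type` column, which a name such as `TargetType` would avoid.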
From 0baa23ea47eae67a5b0a8606d0e737dd4e0b76c2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:47 +0000
Subject: [PATCH 201/375] Exported file: Malformed user agent.json.json
---
.../Malformed user agent.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malformed user agent.json
diff --git a/SentinelExported-AnalyticsRule/Malformed user agent.json b/SentinelExported-AnalyticsRule/Malformed user agent.json
new file mode 100644
index 00000000..085e69a9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malformed user agent.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(OfficeActivity | where UserAgent != \"\"),\n(OfficeActivity\n| where RecordType in (\"AzureActiveDirectory\", \"AzureActiveDirectoryStsLogon\")\n| extend OperationName = Operation\n| parse ExtendedProperties with * 'User-Agent\\\\\":\\\\\"' UserAgent2 '\\\\' *\n| parse ExtendedProperties with * 'UserAgent\", \"Value\": \"' UserAgent1 '\"' *\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(AzureDiagnostics\n| where ResourceType =~ \"APPLICATIONGATEWAYS\" \n| where OperationName =~ \"ApplicationGatewayAccess\" \n| extend ClientIP = columnifexists(\"clientIP_s\", \"None\"), UserAgent = columnifexists(\"userAgent_s\", \"None\")\n| where UserAgent != '-'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\n),\n(\nW3CIISLog\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n),\n(SigninLogs\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = 
max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n)\n)\n// Likely artefact of hardcoding\n| where UserAgent startswith \"User\" or UserAgent startswith '\\\"'\n// Incorrect casing\nor (UserAgent startswith \"Mozilla\" and not(UserAgent containscs \"Mozilla\"))\n// Incorrect casing\nor UserAgent containscs \"(Compatible;\"\n// Missing MSIE version\nor UserAgent matches regex @\"MSIE\\s?;\"\n// Incorrect spacing around MSIE version\nor UserAgent matches regex @\"MSIE(?:\\d|.{1,5}?\\d\\s;)\"\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Malformed user agent",
+ "enabled": false,
+ "description": "Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\nMalformed user agents can be an indication of such malware.",
+ "alertRuleTemplateName": "a357535e-f722-4afe-b375-cff362b2b376"
+ }
+ }
+ ]
+}
\ No newline at end of file
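Review bot: The first union branch in the `query` value, `(OfficeActivity | where UserAgent != "")`, is not summarized like the other branches, so its rows carry no `StartTime`, `SourceIP` or `Account` columns; for those rows the final `extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account` yields nulls and the Account and IP entity mappings declared further down come out empty. Union pads missing columns with null, so nothing fails — the alerts simply arrive without entities. Shaping the branch like the second one, `(OfficeActivity | where UserAgent != "" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation)`, keeps the entities populated; note the second branch is a subset of the first (it filters the same table by `RecordType`), so the same event can currently surface twice.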
From ae181a432e615bd397b2d14f41ac59d3d1bca3d8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:48 +0000
Subject: [PATCH 202/375] Exported file: Malicious Inbox Rule.json.json
---
.../Malicious Inbox Rule.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
diff --git a/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
new file mode 100644
index 00000000..42b68850
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\nOfficeActivity\n| where Operation =~ \"New-InboxRule\"\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has \"DeleteMessage\"\n| extend Events=todynamic(Parameters)\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\n| where SubjectContainsWords has_any (Keywords)\n or BodyContainsWords has_any (Keywords)\n or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malicious Inbox Rule",
+ "enabled": false,
+ "description": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/",
+ "alertRuleTemplateName": "7b907bf7-77d4-41d0-a208-5643ff75bf9a"
+ }
+ }
+ ]
+}
\ No newline at end of file
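Review bot: The `query` value filters on `Operation =~ "New-InboxRule"` only, so a rule that is created empty and then given the delete/keyword parameters through `Set-InboxRule`, or an existing rule modified that way, is not covered even though the remaining `Parameters`/`Events` parsing would apply unchanged. Widening the filter to `| where Operation in~ ("New-InboxRule", "Set-InboxRule")` closes that gap; `Operation` is already part of the summarize key, so the two cases are reported separately. Separately, the `Keywords` list has entries with a leading space (`" alert"`, `" suspicious"`); with `has_any` these are treated as phrases rather than single terms, and whether they still match when the word starts the value should be confirmed against sample data.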
From 59ae1020c247132e80441d8f0adfe7ca8eff501d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:49 +0000
Subject: [PATCH 203/375] Exported file: Malicious web application requests
linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
alerts.json.json
---
...rmerly Microsoft Defender ATP) alerts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
diff --git a/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
new file mode 100644
index 00000000..bbd554cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91d5304a-0628-4ab8-9c57-670bb4da620b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91d5304a-0628-4ab8-9c57-670bb4da620b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]); \nlet alertData = materialize(SecurityAlert \n| where TimeGenerated > ago(alertTimeWindow) \n| where ProviderName == \"MDATP\" \n// Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) \n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\" \n| where alertData.Name has_any(scriptExtensions) \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = fileData\n| join kind=inner (hostData) on SystemAlertId \n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join ( \n// Find requests that were made to this file on the impacted server in the W3CIISLog table \nW3CIISLog \n| where TimeGenerated > ago(logTimeWindow) \n// Restrict to accesses to script extensions \n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), 
RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n// Expose the attacker ip address as a custom entity\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts",
+ "enabled": false,
+ "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.",
+ "alertRuleTemplateName": "fbfbf530-506b-49a4-81ad-4030885a195c"
+ }
+ }
+ ]
+}
\ No newline at end of file
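Review bot: The `join ... on FileName, HostName` in the `query` value compares its string keys case-sensitively, and the two sides come from different producers — `alertData.Name`/`alertData.HostName` from the Defender alert entities versus the last `csUriStem` segment and `sComputerName` from W3CIISLog — so if hostname or file-name casing differs between the sources the correlation drops matches silently. Normalizing both sides, e.g. `FileName = tolower(tostring(alertData.Name)), Directory = tostring(alertData.Directory)` and `HostName = tolower(tostring(alertData.HostName))` on the alert side and `FileName = tolower(tostring(splitUriStem[-1])), HostName = tolower(sComputerName)` on the IIS side, makes the join robust to that. Two smaller points: the output column `ReqestMethods` is misspelled in both the summarize and the project, and the `description` refers to `WCSIISLog` where the table queried is `W3CIISLog`.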
From 05317bad13052cc9485c8ac0c19272c3f79ef7e0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:50 +0000
Subject: [PATCH 204/375] Exported file: Malware in the recycle bin (Normalized
Process Events).json.json
---
...cycle bin (Normalized Process Events).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
new file mode 100644
index 00000000..95da1d03
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e669ef82-838e-40b8-8423-efd8303206c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e669ef82-838e-40b8-8423-efd8303206c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]); \nimProcessCreate\n| where CommandLine has \"recycler\"\n| where Process has_any (procList)\n| extend FileName = tostring(split(Process, '\\\\')[-1])\n| where FileName in~ (procList)\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malware in the recycle bin (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies malware that has been hidden in the recycle bin.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "61988db3-0565-49b5-b8e3-747195baac6e"
+ }
+ }
+ ]
+}
\ No newline at end of file
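Review bot: The path filter `CommandLine has "recycler"` in the `query` value only matches the legacy `RECYCLER` folder name of Windows XP/2003; on Windows Vista and later the recycle bin directory is `$Recycle.Bin`, so this rule would not fire for the same behaviour on any current Windows version. The same gap exists in the next hunk, SentinelExported-AnalyticsRule/Malware in the recycle bin.json, whose filter is `CommandLine contains ":\\recycler"`. A filter such as `| where CommandLine has_any ("recycler", "$Recycle.Bin")` here, and the corresponding pair of `contains` terms in the SecurityEvent version, restores coverage (confirm the `$Recycle.Bin` match against sample command lines, as `has` is term-based). The two versions also differ in anchoring (`has "recycler"` versus `contains ":\\recycler"`), which is worth aligning so both rules alert on the same events.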
From b8fc930d11e46d9dd38edf2255fb12fe4bcc370b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:51 +0000
Subject: [PATCH 205/375] Exported file: Malware in the recycle bin.json.json
---
.../Malware in the recycle bin.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin.json
diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin.json b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json
new file mode 100644
index 00000000..89fa2d07
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malware in the recycle bin",
+ "enabled": false,
+ "description": "Identifies malware that has been hidden in the recycle bin.\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.",
+ "alertRuleTemplateName": "75bf9902-0789-47c1-a5d8-f57046aa72df"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 033c44b7e3c8f00ce1c022d3b8462828449f544e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:52 +0000
Subject: [PATCH 206/375] Exported file: Mass secret retrieval from Azure Key
Vault.json.json
---
...secret retrieval from Azure Key Vault.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
diff --git a/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
new file mode 100644
index 00000000..830e90fb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f5a5c06-ca09-4075-890a-e46be2ee412a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f5a5c06-ca09-4075-890a-e46be2ee412a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventCountThreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList) \n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\n| where count_ > EventCountThreshold \n| join (\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where 
ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where OperationName in~ (OperationList) \n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Mass secret retrieval from Azure Key Vault",
+ "enabled": false,
+ "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise",
+ "alertRuleTemplateName": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
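Review bot: `EventCount=sum(count_)` in the final summarize of the `query` value does not count events: `count_` is the per-(caller, operation) total from the first summarize, and the join on the object identifier alone pairs that one row with every raw retrieval event of the same caller (the right side is filtered by `in~ (OperationList)`, not by the operation that exceeded the threshold), so the sum is at least `count_` squared. The alert still fires correctly because the threshold check happens before the join, but the figure shown to the analyst is misleading. If the intended meaning is the number of matching retrieval events, join on both keys, `) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName`, and report `EventCount=count()`; keeping the join as is and using `EventCount=max(count_)` is the smaller change, with the caveat that it then reflects a single operation type. `makelist` in the same line is the deprecated spelling of `make_list`.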
From 0454851731f820b2e01c7eb03e0cb8305949a9f6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:52 +0000
Subject: [PATCH 207/375] Exported file: Microsoft COVID-19 file hash indicator
matches.json.json
---
... COVID-19 file hash indicator matches.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
diff --git a/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
new file mode 100644
index 00000000..da0a76f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58279f6d-5629-40b2-852b-66c575dbb0ca')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58279f6d-5629-40b2-852b-66c575dbb0ca')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Microsoft COVID-19 file hash indicator matches",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/",
+ "alertRuleTemplateName": "2be4ef67-a93f-4d8a-981a-88158cb73abd"
+ }
+ }
+ ]
+}
\ No newline at end of file
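Review bot: `"queryPeriod": "P14D"` is inconsistent with the query, which only reads `CommonSecurityLog` from `ago(dt_lookBack)` with `dt_lookBack = 1h`, so thirteen days of the window are scanned and discarded on every hourly run; `"queryPeriod": "PT1H"` (matching `queryFrequency`) or dropping the hard-coded `dt_lookBack` so the rule period bounds the data fixes that. The indicator list is fetched at run time with `externaldata` from the `master` branch of a public GitHub repository, so the detection's content changes with any commit to that repository and the rule silently matches nothing when the URL is unreachable; pinning the URL to a commit SHA, or ingesting the feed into `ThreatIntelligenceIndicator` and joining there, makes matches reproducible and auditable. The `tolower`/`toupper` union only handles uniformly-cased hashes; `| extend FileHash = tolower(FileHash)` on the `CommonSecurityLog` side and `tolower(FileHashValue)` on the indicator side is simpler and covers every case.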
From d82b398f9f76f3d0c6f94b83dfe7d0a7d8577cc6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:53 +0000
Subject: [PATCH 208/375] Exported file: Modified domain federation trust
settings.json.json
---
...fied domain federation trust settings.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
diff --git a/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
new file mode 100644
index 00000000..bc30cc1f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n| mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where NewDomainValue has \"Federated\"\n)\n)\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Modified domain federation trust settings",
+ "enabled": false,
+ "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af"
+ }
+ }
+ ]
+}
\ No newline at end of file
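Review bot: `UserAgent` is only populated for the first union branch: that branch runs `| mv-expand AdditionalDetails` before the shared `extend UserAgent = iff(AdditionalDetails.key == "User-Agent", ...)`, while the `Set domain authentication` branch leaves `AdditionalDetails` as an array, so `.key` never equals `User-Agent` and the column is empty for Managed→Federated conversions. Adding `| mv-expand AdditionalDetails` to the second branch after the `where NewDomainValue has "Federated"` filter (or moving the expansion to after the union) closes the gap. Separately, a High-severity federation-trust change is checked only once a day (`queryFrequency` and `queryPeriod` both `P1D`), which is a long detection delay for a change that can precede forged federation tokens; `"queryFrequency": "PT1H", "queryPeriod": "PT1H"` shortens it without touching the logic.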
From 04caee02b864b8ff31a55da5ec7255227fcd4f16 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:54 +0000
Subject: [PATCH 209/375] Exported file: Monitor AWS Credential abuse or
hijacking.json.json
---
...tor AWS Credential abuse or hijacking.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
diff --git a/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
new file mode 100644
index 00000000..3a788cd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44975607-3f23-4632-871e-b08b59ebd68c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44975607-3f23-4632-871e-b08b59ebd68c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nAWSCloudTrail\n| where EventName =~ \"GetCallerIdentity\" and UserIdentityType =~ \"AssumedRole\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n| sort by EndTime desc nulls last \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Monitor AWS Credential abuse or hijacking",
+ "enabled": false,
+ "description": "Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html ",
+ "alertRuleTemplateName": "32555639-b639-4c2b-afda-c0ae0abefa55"
+ }
+ }
+ ]
+}
\ No newline at end of file
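Review bot: The description's claim that a legitimate user "would not need to call GetCallerIdentity" does not hold for automation: infrastructure tooling and SDK-based pipelines commonly call `sts:GetCallerIdentity` under an assumed role on every run, so the query as written (only `EventName =~ "GetCallerIdentity" and UserIdentityType =~ "AssumedRole"`) will fire on routine CI activity and the rule will be tuned off rather than tuned. A tunable exclusion before the summarize, e.g. `let excludedAgents = dynamic([]);` and `| where not(UserAgent has_any (excludedAgents))`, plus a description that frames the call as suspicious when it comes from an unfamiliar user agent, IP or principal, would keep the detection usable. Grouping the summarize by `AdditionalEventData` and `ResponseElements` also fragments one session into many result rows; those fields are better carried with `make_set` or dropped from the `by` clause.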
From 69de4fe2ae14bc2426c54eb17744d3be5f9b323e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:55 +0000
Subject: [PATCH 210/375] Exported file: Multiple Password Reset by
user.json.json
---
.../Multiple Password Reset by user.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
diff --git a/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
new file mode 100644
index 00000000..d4e7b35e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet PerUserThreshold = 5;\nlet TotalThreshold = 100;\nlet action = dynamic([\"change\", \"changed\", \"reset\"]);\nlet pWord = dynamic([\"password\", \"credentials\"]);\nlet PasswordResetMultiDataSource =\n(union isfuzzy=true\n(//Password reset events\n//4723: An attempt was made to change an account's password\n//4724: An attempt was made to reset an accounts password\nSecurityEvent\n| where EventID in (\"4723\",\"4724\")\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\n(//Azure Active Directory Password reset events\nAuditLogs\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \"success\"\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \nTargetUserName = tolower(tostring(TargetResources[0].displayName))\n| project TimeGenerated, AccountType, Account, Computer = \"\", Type),\n(//OfficeActive ActiveDirectory Password reset events\nOfficeActivity\n| where OfficeWorkload == \"AzureActiveDirectory\" \n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties has_any (action) or ModifiedProperties has_any (action))\n| extend AccountType = UserType, Account = OfficeObjectId \n| project TimeGenerated, AccountType, Account, Type, Computer = \"\"),\n(// Unix syslog password reset events\nSyslog\n| where Facility in (\"auth\",\"authpriv\")\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\n| extend AccountType = iif(SyslogMessage contains \"root\", \"Root\", \"Non-Root\")\n| where SyslogMessage matches regex \".*password changed for.*\"\n| parse SyslogMessage with * \"password changed for\" Account\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\n);\nlet pwrmd = PasswordResetMultiDataSource\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\n(union isfuzzy=true \n(pwrmd\n| summarize StartTimeUtc = 
min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\n| where Total > PerUserThreshold\n| extend ResetPivot = \"PerUserReset\"), \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\n| where Total > TotalThreshold\n| extend ResetPivot = \"TotalUserReset\")\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Multiple Password Reset by user",
+ "enabled": false,
+ "description": "This query will determine multiple password resets by user across multiple data sources. \nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \nand certain permission levels within an environment.",
+ "alertRuleTemplateName": "0b9ae89d-8cad-461c-808f-0494f70ad5c4"
+ }
+ }
+ ]
+}
\ No newline at end of file
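Review bot: The "PerUserReset" pivot mixes actor and target across sources: in the `AuditLogs` branch `Account` is `TargetResources[0].userPrincipalName` (the account that was reset) and in `OfficeActivity` it is `OfficeObjectId`, whereas for `SecurityEvent` 4723/4724 `Account` appears to be the subject performing the change, so the rule counts resets *of* a user in Azure AD but resets *by* a user on Windows. Using `tostring(InitiatedBy.user.userPrincipalName)` (and `UserId` for OfficeActivity) as `Account` in those branches would make the per-user threshold mean the same thing everywhere. The `AuditLogs` branch also computes `TargetUserName` and then drops it with `project TimeGenerated, AccountType, Account, Computer = "", Type`, so `TargetUserList` is empty for AAD resets; add `TargetUserName` to that `project`. Finally, `parse SyslogMessage with * "password changed for" Account` leaves a leading space in `Account`, so `trim(" ", Account)` after the parse is needed for the identity to collapse with the other sources.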
From b3d4b1ab29a37e5ad7bc53cb4ee4a6d8adc17f7d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:55 +0000
Subject: [PATCH 211/375] Exported file: Multiple RDP connections from Single
System.json.json
---
...le RDP connections from Single System.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
diff --git a/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
new file mode 100644
index 00000000..7e1b85c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aaa53051-1af4-42d9-a523-c08752580ade')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aaa53051-1af4-42d9-a523-c08752580ade')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName\n| join kind=leftouter (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\n) on Account, IpAddress\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\n// Where the ratio of today to previous 7 days is more than double.\n| where Ratio > threshold\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Multiple RDP connections from Single System",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \nConnections from the same system with the same account within the same day.\nRDP connections are indicated by the EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "78422ef2-62bf-48ca-9bab-72c69818a425"
+ }
+ }
+ ]
+}
\ No newline at end of file
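Review bot: `makeset(Computer)` and `makeset(ProcessName)` use the deprecated alias while the other exported rules use `make_set`; `ComputerSet = make_set(Computer), ProcessSet = make_set(ProcessName)` keeps the corpus consistent and avoids a future parser break. `isempty(ComputerCountPrev7Days)` is applied to a `long` produced by the `leftouter` join; `isnull()` is the documented check for a missing numeric column and `isempty()` is string-oriented, so this is worth confirming, or changing to `isnull(ComputerCountPrev7Days)`. With that branch an account/IP pair with no prior-week history gets `Ratio = ComputerCountToday`, so any first-seen pair reaching three hosts alerts regardless of baseline; that is a reasonable lateral-movement signal but the description should state it so analysts understand why a new source alerts on day one.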
From 132e5f52b51b4b4f9605dcbe103f6a1f839bbad2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:56 +0000
Subject: [PATCH 212/375] Exported file: Multiple Teams deleted by a single
user.json.json
---
...ltiple Teams deleted by a single user.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
diff --git a/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
new file mode 100644
index 00000000..71af8d26
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c20c6d74-5470-4242-a748-d5625abb65b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c20c6d74-5470-4242-a748-d5625abb65b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// Adjust this value to change how many Teams should be deleted before including\nlet max_delete_count = 3;\n// Adjust this value to change the timewindow the query runs over\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\" \n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\n| where array_length(DeletedTeams) > max_delete_count\n| extend timestamp = StartTime, AccountCustomEntity = UserId\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Multiple Teams deleted by a single user",
+ "enabled": false,
+ "description": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.",
+ "alertRuleTemplateName": "173f8699-6af5-484a-8b06-8c47ba89b380"
+ }
+ }
+ ]
+}
\ No newline at end of file
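Review bot: The description says deletions are flagged "within an hour" but the rule runs with `queryFrequency` and `queryPeriod` of `P1D`, so the actual window is one day; either set both to `PT1H` or change the description to "within a day". The query comment `// Adjust this value to change the timewindow the query runs over` has no value following it, because the window is the rule's period rather than a KQL variable, so it should be removed or rewritten as `// The time window is the rule's queryPeriod`. `array_length(DeletedTeams) > max_delete_count` counts distinct team names rather than deletion events; adding `DeletedCount = count()` to the summarize and thresholding on it (keeping the set for context) also catches repeated delete/restore cycles of the same team.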
From ff424ec1ac6ad0477d0dead038af5c2f2809b728 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:57 +0000
Subject: [PATCH 213/375] Exported file: Multiple users email forwarded to same
destination.json.json
---
...s email forwarded to same destination.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
diff --git a/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
new file mode 100644
index 00000000..4346f1d9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/066d6852-04de-4dab-9b95-bd3d2835a859')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/066d6852-04de-4dab-9b95-bd3d2835a859')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where Operation =~ \"Set-Mailbox\"\n| where Parameters has \"ForwardingSmtpAddress\"\n| extend parsed = parse_json(Parameters)\n| mv-expand parsed\n| where parsed.Name == \"ForwardingSmtpAddress\"\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\n| where isnotempty(fwdingDestination)\n| extend ClientIPOnly = case( \nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[0]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[0]), \nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[0]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[0]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n) \n| extend Port = case(\nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[1]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[1]), \nClientIP has ']-', tostring(split(ClientIP,\"]-\")[1]), \nClientIP has ']:', tostring(split(ClientIP,\"]:\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[1]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\"]-\")[1]),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\"]:\")[1]),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not 
Available\"\n)\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \n| where DistinctUserCount > 1\n| mv-expand UserId\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Multiple users email forwarded to same destination",
+ "enabled": false,
+ "description": "Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.",
+ "alertRuleTemplateName": "871ba14c-88ef-48aa-ad38-810f26760ca3"
+ }
+ }
+ ]
+}
\ No newline at end of file
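Review bot: With `queryFrequency: P1D`, `queryPeriod: P7D` and `suppressionEnabled: false`, a forwarding change seen once will be re-summarised and re-alerted on each of the next seven daily runs, because nothing in the query restricts output to recent activity; either set `queryPeriod` to `P1D`, or keep the 7-day baseline and add `| where EndTimeUtc > ago(1d)` after the summarize so only destinations with new forwarding activity alert. The detection only covers `Set-Mailbox` with `ForwardingSmtpAddress`; forwarding is also configured via `ForwardingAddress` (internal recipient) and via inbox rules (`New-InboxRule`/`Set-InboxRule` with `ForwardTo`, `ForwardAsAttachmentTo` or `RedirectTo`), which is the same attacker technique, so the description should at least name that gap if the query is not extended. The `Port` case expression falls through to `isnotempty(ClientIP), ClientIP`, which places the raw IP string in the port column when no port is present; `""` is a cleaner default for that branch.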
From 04c65a872d6428ac81d01b3b4be8644e4f867e35 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:58 +0000
Subject: [PATCH 214/375] Exported file: NOBELIUM - Domain and IP IOCs - March
2021.json.json
---
...IUM - Domain and IP IOCs - March 2021.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
new file mode 100644
index 00000000..bb90e636
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b63935f5-aae3-45b5-bd0d-f2da794fd126')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b63935f5-aae3-45b5-bd0d-f2da794fd126')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\nlet IPList = dynamic(['185.225.69.69']);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (DomainNames), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = 
Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Domain and IP IOCs - March 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "bb8a3481-dd14-4e76-8dcc-bbec8776d695"
+ }
+ }
+ ]
+}
\ No newline at end of file
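Review bot: The literal `"NoMatch"` used as the default of the `IPCustomEntity` case() in the CommonSecurityLog and VMConnection branches of `query` is mapped to the IP entity's Address by `entityMappings`, so a row that matched only on DestinationHostName or RequestURL raises an alert whose IP entity is the string "NoMatch". An empty default instead, `IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, IPMatch == "Message", MessageIP, "")`, lets the platform skip the entity rather than create a bogus one; the same pattern appears in the May 2021 rule that follows. The "RequestUrl" arm of `IPMatch` also compares `RequestURL in (DomainNames)` (exact match) while the filter used `has_any`, so that arm is effectively unreachable for a full URL. Separately, `techniques` is `null` in every rule of this series although `tactics` is populated; filling it would complete the ATT&CK metadata.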
From 22d0097661b1809df493bb2251b14d21a88ddf36 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:59 +0000
Subject: [PATCH 215/375] Exported file: NOBELIUM - Domain, Hash and IP IOCs -
May 2021.json.json
---
...- Domain, Hash and IP IOCs - May 2021.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
new file mode 100644
index 00000000..7c8dfcb9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce11fda8-f604-4547-af58-fa313e8a8146')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce11fda8-f604-4547-af58-fa313e8a8146')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \n| extend DestinationIPAddress = 
IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or 
DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Domain, Hash and IP IOCs - May 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
+ "alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b"
+ }
+ }
+ ]
+}
\ No newline at end of file
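Review bot: The WindowsFirewall branch of `query` computes `IPMatch` but never sets `timestamp` or `IPCustomEntity`, so hits from that table produce an alert with no IP entity even though `entityMappings` expects `IPCustomEntity`; add `| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "")` after the existing extend. The four hash branches (Sysmon Event, DeviceFileEvents, imFileEvent, CommonSecurityLog FileHash) project `Computer`/`Account` but never `HostCustomEntity`/`AccountCustomEntity`, so a SHA256 match surfaces without the mapped Host and Account entities either. Note also that `iocs` is fetched at query time via `externaldata` from a raw GitHub URL, so the indicator set this rule matches on is whatever that remote file contains at run time and the query is likely to fail if the workspace cannot reach it; importing the indicators into the workspace's threat-intelligence data would make the rule self-contained and auditable. `IPList` and `sha256Hashes` are additionally hardcoded in parallel with `ips`/`sha256s`, which works but is easy to let drift.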
From 835cbb9091b6731291bb2254fb58c540b59edbfb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:22:59 +0000
Subject: [PATCH 216/375] Exported file: NOBELIUM - Script payload stored in
Registry.json.json
---
...M - Script payload stored in Registry.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
new file mode 100644
index 00000000..6cef6629
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b131e363-3009-4942-a35c-14d5c7284ead')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b131e363-3009-4942-a35c-14d5c7284ead')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let cmdTokens0 = dynamic(['vbscript','jscript']);\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\nSecurityEvent\n| where TimeGenerated >= ago(14d)\n| where EventID == 4688\n| where CommandLine has @'\\Microsoft\\Windows\\CurrentVersion'\n| where not(CommandLine has_any (@'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', @'\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'))\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\n//| where CommandLine has_any (cmdTokens0)\n//| where CommandLine has_all (cmdTokens1)\n| where CommandLine has_all (cmdTokens2)\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - Script payload stored in Registry",
+ "enabled": false,
+ "description": "This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "00cb180c-08a8-4e55-a276-63fb1442d5b5"
+ }
+ }
+ ]
+}
\ No newline at end of file
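Review bot: `| where TimeGenerated >= ago(14d)` in `query` is inconsistent with the rule's `queryPeriod` of `P1D`: a scheduled rule only evaluates data within queryPeriod, so the 14-day filter never widens the window and misleads a reader about the lookback; either drop that line or raise `queryPeriod` if 14 days is intended. The `description` has a typo and a missing word: `This query idenifies ...` should read `This query identifies when a process execution command line indicates that a registry value is written to allow for later execution of a malicious script`; the same `idenifies` typo appears in the descriptions of the two rundll32 rules that follow.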
From f20d75b75ed2d9c63960c37041c815bb766ee795 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:00 +0000
Subject: [PATCH 217/375] Exported file: NOBELIUM - suspicious rundll32.exe
execution of vbscript (Normalized Process Events).json.json
---
... vbscript (Normalized Process Events).json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
new file mode 100644
index 00000000..052758f7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/beb39f94-ac53-4ab4-b1c2-7b591497b571')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/beb39f94-ac53-4ab4-b1c2-7b591497b571')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)",
+ "enabled": false,
+ "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "bdf04f58-242b-4729-b376-577c4bdf5d3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
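Review bot: `| where CommandLine has_any ('Execute','RegRead','window.close')` in `query` matches any rundll32 command line containing just one of those tokens, whereas the non-normalized SecurityEvent variant of this rule later in the series uses `has_all` on the same tokens; if the two rules are meant to be equivalent this should be `| where CommandLine has_all ('Execute','RegRead','window.close')`, otherwise the ASIM variant will fire far more often. With incident grouping disabled in `groupingConfiguration`, each of those extra hits becomes its own incident, so the broader predicate is worth confirming before the rule is enabled.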
From 02e352b9a8da67708e450dd5ce69ed3eee623060 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:01 +0000
Subject: [PATCH 218/375] Exported file: NOBELIUM - suspicious rundll32.exe
execution of vbscript.json.json
---
...us rundll32.exe execution of vbscript.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
new file mode 100644
index 00000000..db510457
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityEvent\n| where EventID == 4688\n| where Process =~ 'rundll32.exe' \n| where CommandLine has_all ('Execute','RegRead','window.close')\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript",
+ "enabled": false,
+ "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "alertRuleTemplateName": "d82e1987-4356-4a7b-bc5e-064f29b143c0"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8dd846e74e22ac3f1346d0c487111e5606cca3e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:02 +0000
Subject: [PATCH 219/375] Exported file: NOBELIUM IOCs related to FoggyWeb
backdoor.json.json
---
...IUM IOCs related to FoggyWeb backdoor.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
new file mode 100644
index 00000000..aa714c41
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57b338f9-1c0e-42ee-9b56-1af8886e2047')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57b338f9-1c0e-42ee-9b56-1af8886e2047')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"..\",\n\"..\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union 
isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| 
project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = 
InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, 
IPAddress, CommandLine, FileHash\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "NOBELIUM IOCs related to FoggyWeb backdoor",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\n Reference: https://aka.ms/nobelium-foggy-web",
+ "alertRuleTemplateName": "c37711a4-5f44-4472-8afc-0679bc0ef966"
+ }
+ }
+ ]
+}
\ No newline at end of file
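Review bot: The `query` resolves its indicator set at run time through `externaldata` from an unpinned `raw.githubusercontent.com/.../master/...` URL, so the rule's matching content is a remote file the workspace does not control and it silently degrades to zero matches whenever the fetch fails or the CSV is altered; pinning the URL to a specific commit, or importing the CSV into a Sentinel watchlist, keeps the IOC set reviewable alongside the rule. Within the same `let` block, `sha256Hashes` filters with the case-sensitive `Type == "sha256"` while the other three lists use `=~`, so a `SHA256`-cased row would empty the hash list; `let sha256Hashes = (iocs | where Type =~ "sha256" | project IoC);` is the consistent form. The `ADFS_Servers1` datatable still carries the `".."` placeholders, and the `description` does not mention that they need to be filled in before the rule is enabled.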
From 5e78dc452004d680541b862ec512cebf6ba33449 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:03 +0000
Subject: [PATCH 220/375] Exported file: Network endpoint to host executable
correlation.json.json
---
...dpoint to host executable correlation.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
diff --git a/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
new file mode 100644
index 00000000..af693c3b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d012df68-9c36-431a-acc1-704063e21101')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d012df68-9c36-431a-acc1-704063e21101')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet endpointData = \n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n );\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Network endpoint to host executable correlation",
+ "enabled": false,
+ "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.",
+ "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43"
+ }
+ }
+ ]
+}
\ No newline at end of file
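Review bot: The `join` in `query` compares `suspectExeName`, which is lowercased with `tolower`, against `shortFileName`, which is not, and KQL `==` is case-sensitive, so an executable recorded by event 4688 as `Tool.EXE` never matches the blocked `tool.exe` URL. Lowercasing the endpoint side closes the gap: `| extend shortFileName = tolower(tostring(split(NewProcessName, '\\')[-1]))` (with the backslashes doubled inside the JSON string as in the original). The `description` could also state that a hit is a name-only correlation, since neither side compares a hash or path, which is the main source of false positives for a rule at `"severity": "Medium"`.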
From 3bc66e33c66479f8b728bc28ffe13b5d0796ef3b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:03 +0000
Subject: [PATCH 221/375] Exported file: New Agent Added to Pool by New User or
Added to a New OS Type_.json.json
---
...y New User or Added to a New OS Type_.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
diff --git a/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
new file mode 100644
index 00000000..9ce08ffd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa482a76-22d1-469d-8a47-510e71286ddd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa482a76-22d1-469d-8a47-510e71286ddd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookback = 14d;\nlet timeframe = 1d;\n// exclude allowed users from query such as the ADO service\nlet allowed_users = dynamic([\"Azure DevOps Service\"]);\nunion\n// Look for agents being added to a pool of a OS type not seen with that pool before\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])\n| project AgentPoolName, OsDescription\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])) on AgentPoolName, OsDescription),\n// Look for users addeing agents to a pool that they have not added agents to before.\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| where ActorUPN !in (allowed_users)\n| project AgentPoolName, ActorUPN\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n) on AgentPoolName, ActorUPN)\n| extend AgentName = tostring(Data.AgentName)\n| extend OsDescription = tostring(Data.OsDescription)\n| extend SystemDetails = Data.SystemCapabilities\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New Agent Added to Pool by New User or Added to a New OS Type.",
+ "enabled": false,
+ "description": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. \nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \nconfigurable allow list to allow for certain users to be excluded from the logic.",
+ "alertRuleTemplateName": "4ce177b3-56b1-4f0e-b83e-27eed4cb0b16"
+ }
+ }
+ ]
+}
\ No newline at end of file
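Review bot: In the second `union` branch of `query`, the baseline side (`TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)`) has no `OperationName` filter, unlike the first branch's baseline and both right-hand sides, so any earlier audit event whose `Data` carries `AgentPoolName` counts as the user having already added agents to that pool and the `rightanti` join suppresses the alert; adding `| where OperationName =~ "Library.AgentAdded"` after the time filter makes the baseline match the `description`. The branches also mix `=~` and `==` on `OperationName`; one form throughout avoids a case-dependent miss. The `description` does not state that `queryPeriod` must stay at least `P14D` for the 14-day `lookback` baseline to be populated.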
From 463f567ba584323079462e830b9287181ceaa911 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:04 +0000
Subject: [PATCH 222/375] Exported file: New CloudShell User.json.json
---
.../New CloudShell User.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New CloudShell User.json
diff --git a/SentinelExported-AnalyticsRule/New CloudShell User.json b/SentinelExported-AnalyticsRule/New CloudShell User.json
new file mode 100644
index 00000000..52d70ed6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New CloudShell User.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb49283b-b564-43d4-868c-2a6186144d8e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb49283b-b564-43d4-868c-2a6186144d8e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\") \n| where ActivityStatusValue == \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\") \n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New CloudShell User",
+ "enabled": false,
+ "description": "Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only expected user are using CloudShell",
+ "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e"
+ }
+ }
+ ]
+}
\ No newline at end of file
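Review bot: The `description` says the rule identifies a user creating CloudShell "for the first time", but `query` has no baseline: every `listKeys` + storage `write` pair by the same `Caller` inside a 3-minute bin over the `P1D` period is returned, so it fires on each qualifying session rather than first use; either the description should say so or the query needs a `join kind=leftanti` against a longer-lookback set of callers, as the "New UserAgent" rule later in this series does. Unlike the other rules in this series, the resource has no `entityMappings`, so incidents would carry no Account or IP entity even though `Caller`, `AzureIP` and `UserIP` are in the output; the block below adds them between `incidentConfiguration` and `tactics`.
```json
    },
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [
          { "identifier": "FullName", "columnName": "Caller" }
        ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [
          { "identifier": "Address", "columnName": "UserIP" }
        ]
      }
    ],
    "tactics": [
```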
From bb79664ea5de8153aa1a7c6fead376eafe1fb68a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:05 +0000
Subject: [PATCH 223/375] Exported file: New High Severity Vulnerability
Detected Across Multiple Hosts (1).json.json
---
...ty Detected Across Multiple Hosts (1).json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
new file mode 100644
index 00000000..caab1b82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f88f852a-b2cb-4e34-b282-36549eb50b2b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f88f852a-b2cb-4e34-b282-36549eb50b2b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts",
+ "enabled": false,
+ "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts",
+ "alertRuleTemplateName": "6116dc19-475a-4148-84b2-efe89c073e27"
+ }
+ }
+ ]
+}
\ No newline at end of file
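Review bot: `displayName` here is identical to the rule in the next hunk (`New High Severity Vulnerability Detected Across Multiple Hosts.json`, L18614–L18663), which reads the older `QualysHostDetection_CL` table; two rules with the same name and the same `description` are indistinguishable in the Analytics list and in incident titles, so the name should carry the table or connector version, e.g. `"displayName": "New High Severity Vulnerability Detected Across Multiple Hosts (Qualys V2)"`. In both queries the `Vulnerability` column is extended and then dropped by the `summarize`, so the incident exposes only the QID; in the next hunk that discards `Detections_s.Results`, the detection evidence an analyst would want, which `make_set(Vulnerability)` in the `summarize` would keep. Both `description` values also misspell "multiple" as `multilple`.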
From 69ac8b5a7a07eec82f3bbd400e973974c04313cd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:06 +0000
Subject: [PATCH 224/375] Exported file: New High Severity Vulnerability
Detected Across Multiple Hosts.json.json
---
...bility Detected Across Multiple Hosts.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
new file mode 100644
index 00000000..82fd3921
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61a3f08d-ad2d-49cb-baac-9edc6235e968')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61a3f08d-ad2d-49cb-baac-9edc6235e968')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts",
+ "enabled": false,
+ "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts",
+ "alertRuleTemplateName": "84cf1d59-f620-4fee-b569-68daf7008b7b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1a9a85b15331632c25856763b4ff7fcc31002e95 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:07 +0000
Subject: [PATCH 225/375] Exported file: New PA, PCA, or PCAS added to Azure
DevOps.json.json
---
...A, PCA, or PCAS added to Azure DevOps.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
diff --git a/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
new file mode 100644
index 00000000..3e492d79
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Group.UpdateGroupMembership.Add\"\n| where Details has_any (\"Project Administrators\", \"Project Collection Administrators\", \"Project Collection Service Accounts\", \"Build Administrator\")\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\n| extend timekey = bin(TimeGenerated, 1h)\n| extend ActorUserId = tostring(Data.MemberId)\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\n// Get details of operations conducted by user soon after elevation of permissions\n| join (AzureDevOpsAuditing\n| extend ActorUserId = tostring(Data.MemberId)\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New PA, PCA, or PCAS added to Azure DevOps",
+ "enabled": false,
+ "description": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \nshould also be conducted.",
+ "alertRuleTemplateName": "35ce9aff-1708-45b8-a295-5e9a307f5f17"
+ }
+ }
+ ]
+}
\ No newline at end of file
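Review bot: The self-join in `query` keys both sides on `ActorUserId = tostring(Data.MemberId)`, so the right side returns other audit events whose `Data.MemberId` is the newly added member, not events performed by that member as the inline comment ("operations conducted by user soon after elevation") and the `description` state; the `summarize` then takes `ActorUPN` from those right-hand rows, i.e. whoever acted on the member, and `AccountCustomEntity` is mapped to it. If the intent is the member's own follow-on activity, the right side should key on the column identifying the acting principal (the table's actor id, if present) against `Data.MemberId` on the left. Also, `timekey = bin(TimeGenerated, 1h)` only pairs events in the same clock hour, so an elevation at 10:59 and activity at 11:01 are never joined; joining on identity and then filtering with `| where TimeGenerated between (TimeAdded .. TimeAdded + 1h)` covers the stated "soon after" without the bin boundary.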
From 5d8213bace02602bf535ecbd75a8dbe98625ec81 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:07 +0000
Subject: [PATCH 226/375] Exported file: New UserAgent observed in last 24
hours.json.json
---
...w UserAgent observed in last 24 hours.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
diff --git a/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
new file mode 100644
index 00000000..ffd6f64e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "New UserAgent observed in last 24 hours",
+ "enabled": false,
+ "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.",
+ "alertRuleTemplateName": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
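Review bot: `"techniques": null` sits next to a `tactics` list of InitialAccess, CommandAndControl and Execution, so the exported rule carries no ATT&CK technique mapping for the incidents it raises. If the source template populates `relevantTechniques`, the export should carry them across rather than reduce them to `null`; the other exported rules in this series show the same `null`. Separately, the `join kind=leftanti` in `query` is keyed on `NormalizedUserAgent` alone, so a normalized agent seen from any host, source IP or account in the prior window suppresses it everywhere; `description` says "new UserAgents ... versus the previous 14 days", which is consistent, but a clause such as "baseline is global, not per account or source" would stop analysts reading it as a per-account baseline.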
From 397d36ba56a4a4adeaa61b8a60f663f1de9e38e4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:08 +0000
Subject: [PATCH 227/375] Exported file: New access credential added to
Application or Service Principal.json.json
---
...d to Application or Service Principal.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
diff --git a/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
new file mode 100644
index 00000000..45837da8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb0035d3-3ac9-40d5-976e-6076f906473c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb0035d3-3ac9-40d5-976e-6076f906473c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| 
project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New access credential added to Application or Service Principal",
+ "enabled": false,
+ "description": "This will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "79566f41-df67-4e10-a703-c38a6213afd8"
+ }
+ }
+ ]
+}
\ No newline at end of file
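Review bot: In `query`, `mv-expand target = TargetResources` creates a `target` column that is never read; every following `extend` indexes `TargetResources[0]`, so an audit event with several target resources has only its first inspected while the expansion merely multiplies rows. Either drop the `mv-expand` line or point the four `extend`s at `target.displayName`, `target.id`, `target.type` and `target.modifiedProperties` so each target is evaluated once. The filter `where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` also excludes credential additions initiated by an application whose display name contains no `@`; if that scoping is intentional, `description` (currently "an admin or app owner account") should say so.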
From e5730197f1970a3023b311f0e35542aeee277d97 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:09 +0000
Subject: [PATCH 228/375] Exported file: New executable via Office FileUploaded
Operation.json.json
---
...ble via Office FileUploaded Operation.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
diff --git a/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
new file mode 100644
index 00000000..038be497
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// a threshold can be enabled, see commented line below for PrevSeenCount\nlet threshold = 2;\nlet uploadOp = 'FileUploaded';\n// Extensions that are interesting. Add/Remove to this list as you see fit\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\nlet starttime = 8d;\nlet endtime = 1d;\nOfficeActivity | where TimeGenerated >= ago(endtime)\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \"upload\" or Operation contains \"download\"\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\n| join kind= leftanti (\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\n//| where PrevSeenCount > threshold\n| mvexpand SourceRelativeUrl, UserId\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId \n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_',UserId))\n// identify when UserId is not a match to the specific site url personal folder reference\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "New executable via Office FileUploaded Operation",
+ "enabled": false,
+ "description": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\nAdditionally, identifies when a given user is uploading these files to another users workspace.\nThis may be indication of a staging location for malware or other malicious activity.",
+ "alertRuleTemplateName": "d722831e-88f5-4e25-b106-4ef6e29f8c13"
+ }
+ }
+ ]
+}
\ No newline at end of file
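Review bot: `let threshold = 2;` in `query` is only referenced from the commented-out `//| where PrevSeenCount > threshold`, so the variable is dead until an operator enables that line; a trailing remark such as `// only used if the PrevSeenCount filter below is uncommented` would save readers from hunting for its use. `execExt` is limited to `exe`, `inf`, `gzip`, `cmd` and `bat`, so other script and installer types are out of scope by design; `description` already lists the five, and a sentence noting the list is intentionally narrow to limit noise would make the trade-off explicit for whoever tunes it. The regex in `replace('@|\\.', '_', UserId)` is escaped correctly for a non-verbatim KQL string, but a short comment saying it maps `user@domain.com` to the `user_domain_com` personal-site folder form would make the later `UserIdDiffThanUserFolder` comparison self-explanatory.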
From f483e298b6670126518b4f686f1fa14c1b7e45f9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:10 +0000
Subject: [PATCH 229/375] Exported file: New internet-exposed SSH
endpoints.json.json
---
.../New internet-exposed SSH endpoints.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
diff --git a/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
new file mode 100644
index 00000000..77ac33c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de4a8f18-acf0-4738-a6b2-2302216fdf48')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de4a8f18-acf0-4738-a6b2-2302216fdf48')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'; \nlet avgthreshold = 0;\nlet probabilityLimit = 0.01;\nlet ssh_logins = Syslog\n| where Facility contains \"auth\" and ProcessName =~ \"sshd\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) \n| where isnotempty(SourceIP)\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\");\nssh_logins \n| summarize privatecount=countif(ipType==\"private\"), publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, 1d)\n| summarize \npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\n(\n order by todatetime(publicIPLoginHistory['logon_time']) asc\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\n)\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\n(\n order by todatetime(privateIPLoginHistory['logon_time']) asc\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\n)\n// Some logins from private IPs\n| where privateAverage > avgthreshold\n// There is a non-zero number of logins from public IPs\n| where publicAverage > avgthreshold\n// Approximate probability of seeing login from a public IP is < 1%\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\n| where probabilityPublic < 
probabilityLimit\n// Today has the highest number of logins from public IPs that we've seen in the last week\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\n| where publicLoginCountToday >= maxPublicLoginCount\n| extend HostCustomEntity = HostName\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\n// | join kind=rightsemi (\n// ssh_logins\n// | where ipType == \"public\"\n// ) on HostName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "New internet-exposed SSH endpoints",
+ "enabled": false,
+ "description": "Looks for SSH endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.",
+ "alertRuleTemplateName": "4915c713-ab38-432e-800b-8e2d46933de6"
+ }
+ }
+ ]
+}
\ No newline at end of file
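Review bot: `SourceIP` in `query` is extracted with an IPv4-only regex and rows with an empty result are dropped, so SSH sessions accepted from IPv6 peers never reach the private/public classification and cannot appear in `publicIPLoginHistory`. `PrivateIPregex` also treats only loopback and the RFC 1918 ranges as private, so link-local (169.254.0.0/16) and CGNAT (100.64.0.0/10) sources count as public and can trip the public-login condition; if those ranges are internal in the target environment, extend the regex or state the assumption in `description`, which currently says only "private IP addresses". `publicLoginCountToday = publicIPLoginCountList[-1]` takes the last day bin that had any SSH login, which is not necessarily the current day; a comment to that effect would prevent misreading the "Today" name.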
From 1e931ab6aebbf7ce2df9a07e11c7639cd85f9c48 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:11 +0000
Subject: [PATCH 230/375] Exported file: New user created and added to the
built-in administrators group.json.json
---
... to the built-in administrators group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
diff --git a/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
new file mode 100644
index 00000000..5c94c4cb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "SecurityEvent\n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\n| join (\nSecurityEvent \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \nGroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "New user created and added to the built-in administrators group",
+ "enabled": false,
+ "description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.",
+ "alertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db"
+ }
+ }
+ ]
+}
\ No newline at end of file
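Review bot: The comment `//Create User first, then the add to the group.` in `query` describes an ordering the query never enforces: the join on `CreatedUserSid` pairs any 4720 with any 4732 for that SID inside the one-day window regardless of which came first. Adding `| where GroupAddTime >= CreatedUserTime` after the join makes the logic match the comment. The join key also omits `Computer`, so a SID created on one host and added to Administrators on another still pairs; for domain accounts that cross-host pairing is the interesting case, but `description` should say so, because the `Computer` kept by the final `project` is the left-side (creation) host rather than the host where the group change occurred.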
From accd8efccc7d9eaa1817a735d5a208d3c4e0253d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:11 +0000
Subject: [PATCH 231/375] Exported file: Non Domain Controller Active Directory
Replication.json.json
---
...ntroller Active Directory Replication.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
diff --git a/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
new file mode 100644
index 00000000..c5cfad18
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/916dae72-d95a-41c4-9370-30ff57177fbf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/916dae72-d95a-41c4-9370-30ff57177fbf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Non Domain Controller Active Directory Replication",
+ "enabled": false,
+ "description": "This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html'",
+ "alertRuleTemplateName": "b9d2eebc-5dcb-4888-8165-900db44443ab"
+ }
+ }
+ ]
+}
\ No newline at end of file
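Review bot: The `join kind=leftouter` in `query` correlates 4662 with 4624 on `SubjectLogonId == TargetLogonId` only; a logon ID is unique per host and boot, not across the domain, so with the `DCServersList` filter commented out the `IpAddress` attached to a replication event can come from an unrelated logon session on another machine. Carry the host through the right-hand projection and into the key, e.g. `| project TargetLogonId, IpAddress, Computer` and `on $left.SubjectLogonId == $right.TargetLogonId, Computer`. Also `SourceAddress = IpAddress` is computed but `entityMappings` maps only Account and Host, so the source IP is never promoted to an entity; an `IP`/`Address` mapping on `SourceAddress` would let incident grouping and enrichment use it.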
From 6ffdfc4f47d6a0e64d598227c9dd501434ba5a27 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:13 +0000
Subject: [PATCH 232/375] Exported file: OMI Vulnerability
Exploitation.json.json
---
.../OMI Vulnerability Exploitation.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
diff --git a/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
new file mode 100644
index 00000000..c84ef3f2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major
Date: Fri, 24 Feb 2023 02:23:13 +0000
Subject: [PATCH 233/375] Exported file: Office policy tampering.json.json
---
.../Office policy tampering.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Office policy tampering.json
diff --git a/SentinelExported-AnalyticsRule/Office policy tampering.json b/SentinelExported-AnalyticsRule/Office policy tampering.json
new file mode 100644
index 00000000..319b74f2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Office policy tampering.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let opList = OfficeActivity \n| summarize by Operation\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\n| where Operation has_any (\"Remove\", \"Disable\")\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\n| summarize make_set(Operation);\nOfficeActivity\n// Only admin or global-admin can disable/remove policy\n| where RecordType =~ \"ExchangeAdmin\"\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// Pass in interesting Operation list\n| where Operation in~ (opList)\n| extend ClientIPOnly = case( \nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP\n) \n| extend Port = case(\nClientIP has \".\", (split(ClientIP,\":\")[1]),\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\nClientIP\n)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, Parameters\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Office policy tampering",
+ "enabled": false,
+ "description": "Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.",
+ "alertRuleTemplateName": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3"
+ }
+ }
+ ]
+}
\ No newline at end of file
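Review bot: In the `Port` extraction of the query, the IPv4 branch `(split(ClientIP,":")[1])` yields a dynamic value while the other two branches are `tostring(...)`, so the `Port` column used as a summarize key is not uniformly typed; `ClientIP has ".", tostring(split(ClientIP,":")[1]),` matches the `ClientIPOnly` branch directly above it. Separately, the rule is exported with `"enabled": false` and `"techniques": null`, so applying this template deploys a dormant rule that carries tactics but no MITRE technique IDs. The same holds for every complete rule hunk in this series (PIM Elevation Request Rejected, both Palo Alto rules, Password spray, Port Scan Detected, both STRONTIUM rules). If the disabled state is deliberate for a canary export it should be documented in the repository; otherwise set `"enabled": true` and fill `"techniques"` before the template is used.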
From 74d0c2e3d13dd3b2ac61b6fb54ad9f5989327db0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:14 +0000
Subject: [PATCH 234/375] Exported file: PIM Elevation Request
Rejected.json.json
---
.../PIM Elevation Request Rejected.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
diff --git a/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
new file mode 100644
index 00000000..dec0deb4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9e6f155-4049-4401-89e3-a9f769675eb6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9e6f155-4049-4401-89e3-a9f769675eb6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result == \"failure\"\n| extend Role = tostring(TargetResources[3].displayName)\n| extend User = tostring(TargetResources[2].displayName)\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "PIM Elevation Request Rejected",
+ "enabled": false,
+ "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management",
+ "alertRuleTemplateName": "7d7e20f8-3384-4b71-811c-f5e950e8306c"
+ }
+ }
+ ]
+}
\ No newline at end of file
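Review bot: The query identifies the role and the user purely by array position, `TargetResources[3].displayName` and `TargetResources[2].displayName`, so a different element order in the AuditLogs payload would silently produce empty `Role`/`User` values and an empty Account entity rather than an error. A comment in the query such as `// assumes TargetResources[2] = user, [3] = role for 'Add member to role completed (PIM activation)' — verify against sample events` would at least make that dependency explicit. Also, `InitiatingUser` is computed but never surfaced as an entity, while `AccountCustomEntity` is the target `User`; since the description frames the risk as compromise of the requesting account, consider whether `InitiatingUser` should feed the Account mapping (or a second Account mapping) instead.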
From ccc915b8b3d2fda0b475a72eefed73a026ba78e8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:15 +0000
Subject: [PATCH 235/375] Exported file: Palo Alto - possible internal to
external port scanning.json.json
---
...le internal to external port scanning.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
diff --git a/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
new file mode 100644
index 00000000..1a1c74aa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nCommonSecurityLog \n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\") \n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer != \"\" \n| where DestinationIP !startswith \"10.\"\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. \n| where AdditionalExtensions !has \"reason=aged-out\" \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where AdditionalExtensions !has \"reason=tcp-fin\" \n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, 
DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Palo Alto - possible internal to external port scanning",
+ "enabled": false,
+ "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK",
+ "alertRuleTemplateName": "5b72f527-e3f6-4a00-9908-8e4fee14da9f"
+ }
+ }
+ ]
+}
\ No newline at end of file
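Review bot: The ephemeral-port exclusion `!between (toint(49512) .. toint(65535))` uses a lower bound of 49512, but the IANA dynamic range referenced by the comment on the preceding line starts at 49152, so destination ports 49152–49511 are still counted as scan targets; change it to `toint(49152)`. The only internal-destination filter is `DestinationIP !startswith "10."`, which treats traffic to 172.16/12 and 192.168/16 hosts as external even though the description is about internal-to-external probing; `| where not(ipv4_is_private(DestinationIP))` covers all RFC 1918 ranges. The `reason` extraction via `split(AdditionalExtensions, ";")[3]` is likewise positional and would deserve a comment noting the expected field order in the Palo Alto CEF extension string.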
From 6555a586ce93247e2d32a2c3055d920351e062d1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:16 +0000
Subject: [PATCH 236/375] Exported file: Palo Alto - potential beaconing
detected.json.json
---
...o Alto - potential beaconing detected.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
diff --git a/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
new file mode 100644
index 00000000..88c05774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (ago(starttime)..ago(endtime))\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, 
AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Palo Alto - potential beaconing detected",
+ "enabled": false,
+ "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. \nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/",
+ "alertRuleTemplateName": "f0be259a-34ac-4946-aa15-ca2b115d5feb"
+ }
+ }
+ ]
+}
\ No newline at end of file
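Review bot: The query restricts itself to `TimeGenerated between (ago(starttime)..ago(endtime))` with `starttime = 2d` and `endtime = 1d`, i.e. rows 24–48 hours old, but the rule declares `"queryPeriod": "P1D"`; if the scheduled run bounds the data to the lookback period, as Sentinel normally does, the selected interval lies entirely outside it and the rule returns nothing. Either set `"queryPeriod": "P2D"` to cover the window the query asks for, or move the window to the most recent day so it matches `P1D`. Whichever is chosen, a one-line comment in the query tying `starttime`/`endtime` to the rule's `queryPeriod` would prevent the two drifting apart again.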
From db9fce8c7c59351da859bf9f34bed82e1713c657 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:17 +0000
Subject: [PATCH 237/375] Exported file: Password spray attack against Azure AD
application.json.json
---
...y attack against Azure AD application.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
diff --git a/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
new file mode 100644
index 00000000..a50426ef
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\n| summarize FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, 
UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup \n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Password spray attack against Azure AD application",
+ "enabled": false,
+ "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
+ "alertRuleTemplateName": "48607a29-a26a-4abf-8078-a06dbdd174a4"
+ }
+ }
+ ]
+}
\ No newline at end of file
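Review bot: Result code 50055 appears in both `failureCodes` (`dynamic([50053, 50126, 50055])`, annotated as expired password) and `successCodes`, so in the last join the same sign-ins feed both `GlobalSuccessPrincipalCount` and `GlobalFailPrincipalCount`, and the `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` filter is skewed for IPs with many expired-password attempts; decide which list 50055 belongs to and remove it from the other. Also, `queryFrequency` is `P1D` while `timeRange` is 3d and `groupingConfiguration.enabled` is `false`, so an IP that breaches the threshold once is likely re-surfaced as a new incident on three consecutive daily runs; shortening `timeRange` to 1d or enabling grouping on the IP entity would avoid the duplicates. The description's "acccount" should read "account".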
From e698485d9818a84fe439ffda89c5d42f673206c5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:18 +0000
Subject: [PATCH 238/375] Exported file: Port Scan Detected.json.json
---
.../Port Scan Detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Port Scan Detected.json
diff --git a/SentinelExported-AnalyticsRule/Port Scan Detected.json b/SentinelExported-AnalyticsRule/Port Scan Detected.json
new file mode 100644
index 00000000..9aee9b63
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Port Scan Detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 50;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\"\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\n| where dcount_Dst_Port > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Port Scan Detected",
+ "enabled": false,
+ "description": "This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short period.",
+ "alertRuleTemplateName": "427e4c9e-8cf4-4094-a684-a2d060dbca38"
+ }
+ }
+ ]
+}
\ No newline at end of file
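Review bot: The description does not state that the query drops every RFC 1918 source (`not(ipv4_is_match("10.0.0.0",Src_IP,8) or ipv4_is_match("172.16.0.0",Src_IP,12) or ipv4_is_match("192.168.0.0",Src_IP,16))`), so a reader of the incident would assume the generic name "Port Scan Detected" also covers internal hosts scanning internal targets, which it does not. A query comment such as `// external (non-RFC 1918) sources only; internal lateral scanning is out of scope for this rule` or an equivalent sentence in the description would make the coverage explicit. The description's "a source IP addresses attempt" should read "a source IP address attempts".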
From ea10ff3f07cec39411f1e5d25e4e94ade10ac0bd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:18 +0000
Subject: [PATCH 239/375] Exported file: Possible STRONTIUM attempted
credential harvesting - Oct 2020.json.json
---
...pted credential harvesting - Oct 2020.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
new file mode 100644
index 00000000..90a1a987
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14c4920e-9a71-4680-aa78-da32072e8dc2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14c4920e-9a71-4680-aa78-da32072e8dc2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Possible STRONTIUM attempted credential harvesting - Oct 2020",
+ "enabled": false,
+ "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.",
+ "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c"
+ }
+ }
+ ]
+}
\ No newline at end of file
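Review bot: This rule has no `entityMappings` block, unlike the other rules in the series, so its incidents carry no entities even though the query already computes `attemptedAccounts` and groups by `UserAgent`; without an entity the incident cannot be grouped or investigated through the entity graph. Because the summary is keyed on `UserAgent`, mapping an entity would require projecting a scalar column (for example an IP from the first matching event), which is a query change rather than a template-only fix. Note also that `queryFrequency` is `P7D` while `queryPeriod` is `P14D`, so each weekly run re-reads the previous week's events and can raise the same user-agent again.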
From 29b5361257e16c5dbd9f0e7c88dddf3d4b2be2da Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:19 +0000
Subject: [PATCH 240/375] Exported file: Possible STRONTIUM attempted
credential harvesting - Sept 2020.json.json
---
...ted credential harvesting - Sept 2020.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
new file mode 100644
index 00000000..a0d47cdb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P7D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Possible STRONTIUM attempted credential harvesting - Sept 2020",
+ "enabled": false,
+ "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.",
+ "alertRuleTemplateName": "04384937-e927-4595-8f3c-89ff58ed231f"
+ }
+ }
+ ]
+}
\ No newline at end of file
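Review bot: The indicator match `| where ClientIP has_any (IPs)` in the query is term-based rather than prefix-based, so the trailing dot in each entry is not honoured and an address whose last three octets happen to be, say, `199.249.230` appears to match as well; express the indicators as CIDR ranges and use `| where ipv4_is_in_any_range(ClientIP, dynamic(["199.249.230.0/24","185.220.101.0/24","23.129.64.0/24","109.70.100.0/24","185.220.102.0/24"]))` (stripping any `:port` suffix first if this connector records one). The `summarize ... by UserAgent` keeps only `uniqueIPs=dcount(ClientIP)` and discards the addresses and there is no `entityMappings` block, so neither the matching IPs nor `attemptedAccounts` reach the incident as entities; add `matchedIPs=make_set(ClientIP)` to the summarize and map Account and IP entities from the output. The IP list is a static September 2020 indicator set, so a comment in the query or description should say it is a historical hunt that needs refreshing rather than a live detection.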
From a1b30cf48f24ff29f0dc69924f0afbf184ad4bcd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:20 +0000
Subject: [PATCH 241/375] Exported file: Possible contact with a domain
generated by a DGA.json.json
---
...tact with a domain generated by a DGA.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
diff --git a/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
new file mode 100644
index 00000000..15c28f10
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/340041fc-2cb7-423b-9da9-ec04a258f864')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/340041fc-2cb7-423b-9da9-ec04a258f864')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet triThreshold = 500;\nlet startTime = 6h;\nlet dgaLengthThreshold = 8;\n// fetch the alexa top 1M domains\nlet top1M = (externaldata (Position:int, Domain:string) [@\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\"] with (format=\"csv\", zipPattern=\"*.csv\"));\n// extract tri grams that are above our threshold - i.e. are common\nlet triBaseline = top1M\n| extend Domain = tolower(extract(\"([^.]*).{0,7}$\", 1, Domain))\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", Domain), extract_all(\"(...)\", substring(Domain, 1)), extract_all(\"(...)\", substring(Domain, 2)))\n| mvexpand Trigram=AllTriGrams\n| summarize triCount=count() by tostring(Trigram)\n| sort by triCount desc\n| where triCount > triThreshold\n| distinct Trigram;\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\nlet allDataSummarized = CommonSecurityLog\n| where TimeGenerated > ago(startTime)\n| where isnotempty(DestinationHostName)\n| extend Name = tolower(DestinationHostName)\n| distinct Name\n| where Name has \".\"\n| where Name !endswith \".home\" and Name !endswith \".lan\"\n// extract DGA candidate\n| extend DGADomain = extract(\"([^.]*).{0,7}$\", 1, Name)\n| where strlen(DGADomain) > dgaLengthThreshold\n// throw out domains with number in them\n| where DGADomain matches regex \"^[A-Za-z]{0,}$\"\n// extract the tri grams from summarized data\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", DGADomain), extract_all(\"(...)\", substring(DGADomain, 1)), extract_all(\"(...)\", substring(DGADomain, 2)));\n// throw out domains that have repeating tri's and/or >=3 repeating letters\nlet nonRepeatingTris = allDataSummarized\n| join kind=leftanti\n(\n allDataSummarized\n | mvexpand AllTriGrams\n | summarize count() by tostring(AllTriGrams), DGADomain\n | where count_ > 1\n | distinct DGADomain\n)\non DGADomain;\n// find domains that do not have a common tri in the baseline\nlet 
dataWithRareTris = nonRepeatingTris\n| join kind=leftanti\n(\n nonRepeatingTris\n | mvexpand AllTriGrams\n | extend Trigram = tostring(AllTriGrams)\n | distinct Trigram, DGADomain\n | join kind=inner\n (\n triBaseline\n )\n on Trigram\n | distinct DGADomain\n)\non DGADomain;\ndataWithRareTris\n// join DGAs back on connection data\n| join kind=inner\n(\n CommonSecurityLog\n | where TimeGenerated > ago(startTime)\n | where isnotempty(DestinationHostName)\n | extend DestinationHostName = tolower(DestinationHostName)\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\n)\non Name\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Possible contact with a domain generated by a DGA",
+ "enabled": false,
+ "description": "Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\nof what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm.\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.",
+ "alertRuleTemplateName": "4acd3a04-2fad-4efc-8a4b-51476594cec4"
+ }
+ }
+ ]
+}
\ No newline at end of file
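Review bot: The trigram baseline is fetched on every run by `externaldata` from `http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip` over cleartext HTTP, so the model that defines "normal" domains can be altered in transit, and if the download fails or the list moves the query returns no rows and the detection goes dark silently rather than erroring. At minimum use the `https://` form of that URL, and preferably mirror the list into a watchlist or storage the workspace controls so the rule does not depend on a third-party endpoint at query time. The description says the model is built from the "Alexa Top 1 million" while the query pulls the Cisco Umbrella list; align the text with what is fetched. The SLD extraction `extract("([^.]*).{0,7}$", 1, ...)` assumes a public suffix of at most seven characters, so names under longer suffixes (e.g. `.photography`) are parsed differently on both the baseline and the candidate side, which is worth a `//` comment next to `dgaLengthThreshold`.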
From 352a936fcee9c90ad355c62e973bdea6f3018b80 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:21 +0000
Subject: [PATCH 242/375] Exported file: Potential Build Process Compromise -
MDE.json.json
---
...ential Build Process Compromise - MDE.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
new file mode 100644
index 00000000..7ddfad51
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66ee9d45-4e7e-4b0d-a361-377cd3662750')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66ee9d45-4e7e-4b0d-a361-377cd3662750')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([]);\nDeviceProcessEvents\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where FileName has_any (build_processes)\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nDeviceFileEvents\n| where TimeGenerated > ago(timeframe)\n| where InitiatingProcessFileName !in (allow_list)\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n// Look for code files, edit this to include file extensions used in build.\n| where FileName endswith \".cs\" or FileName endswith \".cpp\"\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, DeviceName\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=DeviceName, timestamp=timekey\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Potential Build Process Compromise - MDE",
+ "enabled": false,
+ "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463",
+ "alertRuleTemplateName": "1bf6e165-5e32-420e-ab4f-0da8558a8be2"
+ }
+ }
+ ]
+}
\ No newline at end of file
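Review bot: The correlation joins `on timekey, DeviceName` with `timekey= bin(TimeGenerated, time_window)`, so a build that starts at the end of one 5-minute bin and a source edit seconds later in the next bin never pair up, and the comment's advice to shrink `time_window` to reduce false positives makes those misses more frequent. A more robust shape is to join on `DeviceName` and apply `| where FileEditTime between (BuildProcessTime .. BuildProcessTime + time_window)` as the temporal condition, binning only in the final summarize, at the cost of a larger join. The last `summarize ... by timekey, DeviceName, BuildParentProcess, BuildProcess` also drops `BuildCommand` and `BuildAccount`, which an analyst needs to judge whether the build was legitimate; add `any(BuildCommand), any(BuildAccount)` or group by them. Consider whether the `.cs`/`.cpp` filter should also cover build-definition files such as `.csproj`, `.props` and `.targets`, since `MSBuild.exe` executes those too.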
From 0e2ee4b638ea7e774cb5a6064dce9793a76ef7d6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:22 +0000
Subject: [PATCH 243/375] Exported file: Potential Build Process
Compromise.json.json
---
.../Potential Build Process Compromise.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
new file mode 100644
index 00000000..5e33be49
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([\"\"]);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where EventID == 4688\n| where Process has_any (build_processes)\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for file modifications to code file\n| where EventID == 4663\n| where Process !in (allow_list)\n// Look for code files, edit this to include file extensions used in build.\n| where ObjectName endswith \".cs\" or ObjectName endswith \".cpp\"\n// 0x6 and 0x4 for file append, 0x100 for file replacements\n| where AccessMask == \"0x6\" or AccessMask == \"0x4\" or AccessMask == \"0X100\"\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, Computer\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=Computer, timestamp=timekey\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Potential Build Process Compromise",
+ "enabled": false,
+ "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463",
+ "alertRuleTemplateName": "5ef06767-b37c-4818-b035-47de950d0046"
+ }
+ }
+ ]
+}
\ No newline at end of file
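Review bot: The access-mask filter `| where AccessMask == "0x6" or AccessMask == "0x4" or AccessMask == "0X100"` uses the case-sensitive `==`, and the third literal has an uppercase `X` while the other two assume lowercase, so the "file replacement" branch most likely never matches; write it as `| where AccessMask in~ ("0x6", "0x4", "0x100")`. Per the Windows file access-mask bit definitions 0x100 is FILE_WRITE_ATTRIBUTES rather than a replace or delete, so the `// 0x6 and 0x4 for file append, 0x100 for file replacements` comment deserves a second look against the intended write/delete masks. `let allow_list = dynamic([""]);` differs from the MDE variant's `dynamic([])`; the empty string is harmless but misleading for an allow list, so use the empty array. The description should also state that 4663 events only exist where object-access auditing and a SACL on the source tree are configured, otherwise this rule is silently inert.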
From 9db12aa77ed4addaf5e03f166511bb7809dc1a0d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:22 +0000
Subject: [PATCH 244/375] Exported file: Potential DGA detected
(ASimDNS).json.json
---
.../Potential DGA detected (ASimDNS).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
new file mode 100644
index 00000000..c02a471f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4059cc8c-74ef-43f9-abed-bb067aa015ae')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4059cc8c-74ef-43f9-abed-bb067aa015ae')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P10D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let referencestarttime = 10d;\nlet referenceendtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \n {imDns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\n | where DnsQueryTypeName in (\"A\", \"AAAA\")\n | where ipv4_is_match(\"127.0.0.1\", SrcIpAddr) == False\n | where DnsQuery !contains \"/\" and DnsQuery contains \".\"};\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold\n // Filter out previously seen IPs\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold ) on SrcIpAddr\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Potential DGA detected (ASimDNS)",
+ "enabled": false,
+ "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)'",
+ "alertRuleTemplateName": "983a6922-894d-413c-9f04-d7add0ecc307"
+ }
+ }
+ ]
+}
\ No newline at end of file
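Review bot: The second-level-domain extraction `sld = tostring(split(DnsQuery, ".")[-2])` returns the wrong label for fully qualified names that keep a trailing dot (`foo.example.com.` splits to an empty last element, so `[-2]` yields `com`) and for multi-label public suffixes (`example.co.uk` yields `co`), collapsing many distinct domains into one and understating `dcount_sld`; trim first with `| extend sld = tostring(split(trim_end(@"\.", DnsQuery), ".")[-2])`. Because `SrcIpAddr` is the only identity, a client whose DHCP lease changes inside the 10-day baseline is treated as a new host while the host inheriting the old address is suppressed by the `leftanti` join; if the parser exposes a source hostname, prefer it for the baseline key. The description names the ASIM parser dependency but not the `threshold` of 100 distinct SLDs per day, which is the knob tuners will need.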
From 6bba47f57cdac11acfc242bf9d8b6ddbac73c881 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:23 +0000
Subject: [PATCH 245/375] Exported file: Potential DGA detected.json.json
---
.../Potential DGA detected.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected.json
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected.json b/SentinelExported-AnalyticsRule/Potential DGA detected.json
new file mode 100644
index 00000000..9a4f96e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DGA detected.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P10D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = DnsEvents \n| where ResultCode == 3 \n| where QueryType in (\"A\", \"AAAA\")\n| where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !contains \"/\"\n| where Name contains \".\";\nnxDomainDnsEvents\n| where TimeGenerated > ago(endtime)\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen IPs\n| join kind=leftanti (nxDomainDnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | extend sld = tostring(split(Name, \".\")[-2])\n | summarize dcount(sld) by ClientIP\n | where dcount_sld > threshold ) on ClientIP\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Potential DGA detected",
+ "enabled": false,
+ "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).",
+ "alertRuleTemplateName": "a0907abe-6925-4d90-af2b-c7e89dc201a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
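Review bot: The sample join `| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP` is not time-bounded, so `sampleNXDomainList` is drawn from the entire 10-day query period rather than from the last day that triggered the alert, and with `make_list(Name, 100)` the sample can be filled by older, possibly benign lookups; bound it with `nxDomainDnsEvents | where TimeGenerated > ago(endtime) | summarize by Name, ClientIP`. The SLD extraction `split(Name, ".")[-2]` also returns the suffix label for names with a trailing dot or under multi-label public suffixes (`co` for `example.co.uk`), undercounting `dcount_sld`; strip the trailing dot with `trim_end(@"\.", Name)` before splitting. This rule mirrors the ASimDNS variant exported alongside it, so `threshold` and the filters should be tuned in step to avoid divergent results on the same data.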
From 408f32c839a2bc725bc4deab3e13ce92f88d0af8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:24 +0000
Subject: [PATCH 246/375] Exported file: Potential DHCP Starvation
Attack.json.json
---
.../Potential DHCP Starvation Attack.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
diff --git a/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
new file mode 100644
index 00000000..f7eac851
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 1000;\nInfobloxNIOS\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential DHCP Starvation Attack",
+ "enabled": false,
+ "description": "This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.",
+ "alertRuleTemplateName": "57e56fc9-417a-4f41-a579-5475aea7b8ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
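Review bot: The enrichment join `| join kind=inner (InfobloxNIOS | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST") on ServerIP` matches every DHCPREQUEST the server logged in the full query hour, not only those in the 5-minute bin that crossed `threshold`, so one crossing fans out into thousands of alert rows, and `timestamp = TimeGenerated` then refers to the left side's binned time rather than the event. Add `timekey = bin(TimeGenerated, 5m)` on both sides and join `on ServerIP, timekey`, or drop the join and alert on the summarized row carrying `count_`. Counting raw DHCPREQUESTs also cannot separate starvation from a busy segment; if the parser exposes the client hardware address, a `dcount()` of it per server and bin is the more specific signal. `InitialAccess` is a stretch for a resource-exhaustion attack that typically precedes a rogue-DHCP adversary-in-the-middle setup, so consider `Impact` plus an explicit `techniques` entry instead of `null`.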
From 70c14d6107d6273be66d7d4d3818ce84691b7b25 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:25 +0000
Subject: [PATCH 247/375] Exported file: Potential Kerberoasting.json.json
---
.../Potential Kerberoasting.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Kerberoasting.json
diff --git a/SentinelExported-AnalyticsRule/Potential Kerberoasting.json b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
new file mode 100644
index 00000000..93218cde
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/697575c4-83f0-4d98-9594-b6f254db566a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/697575c4-83f0-4d98-9594-b6f254db566a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold = 15;\nlet Kerbevent =\nSecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769\n| parse EventData with * 'TicketEncryptionType\">' TicketEncryptionType \"<\" *\n| where TicketEncryptionType == '0x17'\n| parse EventData with * 'TicketOptions\">' TicketOptions \"<\" *\n| where TicketOptions == '0x40810000'\n| parse EventData with * 'Status\">' Status \"<\" *\n| where Status == '0x0'\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\" \n| parse EventData with * 'TargetUserName\">' TargetUserName \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress \"<\" *;\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status\n| where ServiceNameCountPrev23h < prev23hThreshold;\nlet Kerbevent1h = \nKerbevent\n| where TimeGenerated >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\nKerbevent1h \n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, TargetDomainName\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\n| where ServiceNameCountPrev1h > prev1hThreshold\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \nTicketEncryptionType, Status, ServiceNameCountPrev1h, 
ServiceNameSet1h, TargetDomainName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\"\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Kerberoasting",
+ "enabled": false,
+ "description": "A service principal name (SPN) is used to uniquely identify a service instance in a Windows environment. \nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.",
+ "alertRuleTemplateName": "1572e66b-20a7-4012-9ec4-77ec4b101bc8"
+ }
+ }
+ ]
+}
\ No newline at end of file
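Review bot: The leftanti join in the query at L20435 appears to suppress the wrong side of the baseline: Kerbevent23h keeps only accounts with fewer than prev23hThreshold (4) distinct services in the prior 23 hours, and `join kind=leftanti` then drops exactly those accounts, so a user who touched 1–3 SPNs yesterday and more than 15 in the last hour is discarded while an account with a high standing baseline is kept; that reads inverted relative to the description ("excessive requests ... compared with the previous 24 hours"), so please confirm the intended direction and, if the aim is to exclude accounts that routinely request many tickets, invert the baseline filter to `| where ServiceNameCountPrev23h >= prev23hThreshold`. Separately, `parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress` only yields a value for IPv4-mapped addresses; a DC that logs a bare IPv4 or a native IPv6 client leaves ClientIPAddress empty and the IP entity mapping blank. The filter on TicketEncryptionType 0x17 means AES-encrypted service-ticket requests are never considered, which is a deliberate noise trade-off worth stating in the description. `techniques` is null; T1558.003 (Kerberoasting) would be the natural tag.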
From dce9ca16e187a7823b65fd7ccf8c1410724df864 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:26 +0000
Subject: [PATCH 248/375] Exported file: Potential Password Spray Attack (Uses
Authentication Normalization).json.json
---
...k (Uses Authentication Normalization).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
new file mode 100644
index 00000000..3fc7a639
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n , Users = make_set(TargetUserId,100) \n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b"
+ }
+ }
+ ]
+}
\ No newline at end of file
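Review bot: `Products=make_set(EventVendor)` in the summarize at L20530 is a copy-paste slip — it collects the vendor a second time, so the Products column never carries the product; it should read `Products=make_set(EventProduct)`. The threshold variable is named FailureThreshold but is compared against `UserCount` (distinct TargetUserId per source IP per 5-minute bin), so a slower spray that stays under 15 users per bin, or one that rotates source IPs, never trips it; renaming it `DistinctUserThreshold` and stating that assumption in the description would help tuning. Only the IP is mapped as an entity; the `Users` set is kept for investigation but is not surfaced as Account entities. `techniques` is null; T1110.003 (Password Spraying) is the matching technique.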
From a58b0a6458c90a6248923d127c19dcc35e0757b8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:27 +0000
Subject: [PATCH 249/375] Exported file: Potential Password Spray
Attack.json.json
---
.../Potential Password Spray Attack.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
new file mode 100644
index 00000000..ac884a34
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack",
+ "alertRuleTemplateName": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508"
+ }
+ }
+ ]
+}
\ No newline at end of file
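Review bot: The 5-minute bucketing in the query at L20606 lets a spray that straddles a bin boundary, or runs at under 15 users per bin, stay below FailureThreshold, and because both summaries key on `client_ipAddress_s` an attacker rotating source addresses is invisible to this rule; consider a second aggregation over the full PT1H queryPeriod (`dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 1h)`) or grouping by user agent alongside the IP. The column names (`eventType_s`, `outcome_reason_s`, `client_ipAddress_s`) are those of the Okta_CL custom-log table; if Okta is ingested through a different connector or table these columns will not exist and the rule silently returns nothing, which deserves a line in the description. `techniques` is null; T1110.003 (Password Spraying) is the matching technique.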
From 995f8b719993e8af961da217eda8ed3590775e6b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:27 +0000
Subject: [PATCH 250/375] Exported file: Powershell Empire cmdlets seen in
command line.json.json
---
...l Empire cmdlets seen in command line.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
diff --git a/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
new file mode 100644
index 00000000..1a6df223
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d070056-c31e-46a3-8ab6-299510132e4f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d070056-c31e-46a3-8ab6-299510132e4f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet regexEmpire = @\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryFreeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invok
e-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|
Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\$Volume){\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\(\\$sSource,|ind-Fruit
|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\";\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nlet decodedPS = ProcessCreationEvents\n| where CommandLine contains \" -encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\n(decodedPS\n| union \n(ProcessCreationEvents\n| where FileName in~ (\"powershell.exe\",\"powershell_ise.exe\")\n| where CommandLine !contains \"-encodedcommand\")\n| extend StartTimeUtc = TimeGenerated\n)\n| where CommandLine matches regex regexEmpire\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Powershell Empire cmdlets seen in command line",
+ "enabled": false,
+ "description": "Identifies instances of PowerShell Empire cmdlets in powershell process command line data.",
+ "alertRuleTemplateName": "ef88eb96-861c-43a0-ab16-f3835a97c928"
+ }
+ }
+ ]
+}
\ No newline at end of file
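Review bot: `CommandLine matches regex regexEmpire` at the end of the query (L20685) is a case-sensitive match in KQL, while PowerShell cmdlet names are case-insensitive, so `invoke-mimikatz` or `INVOKE-DCSYNC` on the command line is not detected; prefix the pattern with an inline flag, `let regexEmpire = @\"(?i)SetDelay|GetDelay|...\"`, or lower-case both sides. The alternation also contains what look like malformed entries — `Invoke-WinEnum{` with a stray brace at L20683 and the truncated `ind-Fruit` (presumably `Find-Fruit`) at the end of L20684 — and the run from `Find-GPOLocation` through `Get-UniqueTokens` on L20684 is repeated verbatim, which only adds regex cost. Short, generic tokens such as `SetDelay`, `GetDelay`, `Get-Hex`, `Get-UserName` and `GetCommandLine` will appear in benign scripts, so expect tuning. The encoded-command branch only fires on `\" -encodedCommand\"`; PowerShell also accepts abbreviations such as `-enc` and `-e`, which this `contains` filter misses.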
From f2b35822eaae1c51b50d829bf11254ca24df3765 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:28 +0000
Subject: [PATCH 251/375] Exported file: Privileged Accounts - Sign in Failure
Spikes.json.json
---
...ged Accounts - Sign in Failure Spikes.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
diff --git a/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
new file mode 100644
index 00000000..da1e5f2c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\nIdentityInfo\n| where AssignedRoles contains \"Admin\"\n| mv-expand AssignedRoles\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\n| where Roles contains \"Admin\"\n| distinct Roles, AccountUPN\n| join kind=inner (\n // Failed Signins attempts with reasoning related to MFA.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n) on $left.AccountUPN == $right.UserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, Roles, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName, Roles\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where 
TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Privileged Accounts - Sign in Failure Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor",
+ "alertRuleTemplateName": "34c5aff9-a8c2-4601-9654-c7e46342d03b"
+ }
+ }
+ ]
+}
\ No newline at end of file
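Review bot: The anomaly-hour filter in the query at L20772 can only ever match the first hour of an anomalous day: TimeSeriesData is built with `step timeframe` (1d), so the `AnomalyHours` values are day boundaries, but the join side compares `DateHour = bin(TimeGenerated, 1h)` against them, which is true only for events between 00:00 and 01:00 on that day; binning both sides to the same granularity, `extend DateHour = bin(TimeGenerated, timeframe)`, would align them. The `HourlyCount` name and the `// round to hour` comment look like leftovers from an hourly version and now describe daily counts. The `IdentityInfo | where AssignedRoles contains "Admin"` selection is a substring match, so every role with "Admin" in its name is included and a privileged role named differently is missed; the description already mentions a watchlist alternative, which would be the tighter source. `techniques` is null where T1110 (Brute Force) would fit.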
From 11233440b3f515dfadf817255c274ec8dd6642bd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:29 +0000
Subject: [PATCH 252/375] Exported file: Privileged Role Assigned Outside
PIM.json.json
---
.../Privileged Role Assigned Outside PIM.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
diff --git a/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
new file mode 100644
index 00000000..c112b51e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName =~ 'Add member to role (permanent)'\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Privileged Role Assigned Outside PIM",
+ "enabled": false,
+ "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "269435e3-1db8-4423-9dfc-9bf59997da1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
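Review bot: `AccountCustomEntity = tostring(TargetResources[0].userPrincipalName)` at L20857 is empty when the role member is a service principal or a group, and `InitiatedBy.user.ipAddress` is empty when the assignment was made by an application (`InitiatedBy.app`), so in both cases the incident is created with blank entities; falling back to `TargetResources[0].displayName` and `InitiatedBy.app.displayName` would keep them populated. The rule keys on the single activity string 'Add member to role (permanent)'; confirm against the tenant's audit log that permanent or eligible assignments made outside PIM are not recorded under a differently-worded activity that this `=~` would miss. Severity is Low for a permanent privileged-role grant, which seems mild given the PrivilegeEscalation tactic, and `techniques` is null where T1098 (Account Manipulation) would fit.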
From 68bf80800caad895084ac536fd63b9cbf15eacad Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:30 +0000
Subject: [PATCH 253/375] Exported file: Probable AdFind Recon Tool Usage
(Normalized Process Events).json.json
---
...ool Usage (Normalized Process Events).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
new file mode 100644
index 00000000..e9ccfb0c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f33cb73-78b6-4886-8434-f319deea8d62')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f33cb73-78b6-4886-8434-f319deea8d62')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)",
+ "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965"
+ }
+ }
+ ]
+}
\ No newline at end of file
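Review bot: The hash check at `TargetProcessSHA256 == "c92c158d..."` in the `query` string is a case-sensitive comparison, so if the ASIM parser in use emits upper-case hashes the literal never matches, while the parent-process check two pipeline steps earlier already uses the case-insensitive `in~`; `=~` there would make both comparisons consistent. The same `==` against the same hash value appears in the DeviceProcessEvents variant in the next commit (Probable AdFind Recon Tool Usage.json). Separately, every template in this series pins `"apiVersion": "2022-09-01-preview"`; if these exports are intended for redeployment rather than as a point-in-time snapshot, a stable alertRules API version would be preferable.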
From b87831a206972e3aeacdbd5b89e0401b72b0c03d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:31 +0000
Subject: [PATCH 254/375] Exported file: Probable AdFind Recon Tool
Usage.json.json
---
.../Probable AdFind Recon Tool Usage.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
new file mode 100644
index 00000000..06834d6f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nDeviceProcessEvents\n//looks for execution from a shell\n| where InitiatingProcessFileName in (parentProcesses)\n// main filter\n| where FileName =~ \"AdFind.exe\" or SHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or ProcessCommandLine has_any (args)\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Probable AdFind Recon Tool Usage",
+ "enabled": false,
+ "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.",
+ "alertRuleTemplateName": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd"
+ }
+ }
+ ]
+}
\ No newline at end of file
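Review bot: The parent-process filter in the `query` string, `| where InitiatingProcessFileName in (parentProcesses)`, is a case-sensitive `in`, so an initiating process recorded as `PowerShell.exe` or `CMD.EXE` is dropped before the AdFind checks run; the sibling Normalized Process Events rule uses `in~` for this step, and this rule should match it: `| where InitiatingProcessFileName in~ (parentProcesses)`. The downstream `FileName =~ "AdFind.exe"` check is already case-insensitive, so the case-sensitivity is only in the shell gate.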
From cd5643332043747e542e4d57779f175b104c887c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:31 +0000
Subject: [PATCH 255/375] Exported file: Process executed from binary hidden in
Base64 encoded file.json.json
---
... binary hidden in Base64 encoded file.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
diff --git a/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
new file mode 100644
index 00000000..73cfa20b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f801914e-c351-43d7-b2a7-ba58f064fda6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f801914e-c351-43d7-b2a7-ba58f064fda6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents;\n};\nProcessCreationEvents \n| where CommandLine contains \".decode('base64')\"\n or CommandLine contains \"base64 --decode\"\n or CommandLine contains \".decode64(\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Process executed from binary hidden in Base64 encoded file",
+ "enabled": false,
+ "description": "Encoding malicious software is a technique used to obfuscate files from detection. \nThe first CommandLine component is looking for Python decoding base64. \nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64.",
+ "alertRuleTemplateName": "d6190dde-8fd2-456a-ac5b-0a32400b0464"
+ }
+ }
+ ]
+}
\ No newline at end of file
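Review bot: The `query` only yields rows when SecurityEvent 4688 records carry `CommandLine`, which depends on process command-line auditing being enabled on the audited hosts; neither the `description` nor the query notes this prerequisite, so a deployment without it produces a rule that silently never fires. The Python component `.decode('base64')` also only covers the Python 2 codec form, so the description's claim of "looking for Python decoding base64" overstates the coverage. A one-line addition to the description such as `Requires process command-line auditing on the source hosts (EventID 4688 does not include CommandLine by default).` would make the dependency visible to whoever enables the rule.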
From da2ddb82ca4cc38d27354709cb3bba659bc891d3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:32 +0000
Subject: [PATCH 256/375] Exported file: Process execution frequency
anomaly.json.json
---
.../Process execution frequency anomaly.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
diff --git a/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
new file mode 100644
index 00000000..c225444e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3421562d-ac3e-42dc-9d90-e751868bb424')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3421562d-ac3e-42dc-9d90-e751868bb424')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 5;\nlet ExeList = dynamic([\"powershell.exe\",\"cmd.exe\",\"wmic.exe\",\"psexec.exe\",\"cacls.exe\",\"rundll.exe\"]);\nlet TimeSeriesData =\nSecurityEvent\n| where EventID == 4688 | extend Process = tolower(Process)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where Process in (ExeList)\n| project TimeGenerated, Computer, AccountType, Account, Process\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project Process, TimeGenerated, Total, baseline, anomalies, score\n| where Total > TotalEventsThreshold);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\nSecurityEvent\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| where EventID == 4688 | extend Process = tolower(Process)\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\n) on Process, TimeGenerated\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Process execution frequency anomaly",
+ "enabled": false,
+ "description": "Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\nTune the values from 1.5 to 3 in series_decompose_anomalies for further outliers or based on custom threshold values for score.",
+ "alertRuleTemplateName": "2c55fe7a-b06f-4029-a5b9-c54a2320d7b8"
+ }
+ }
+ ]
+}
\ No newline at end of file
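Review bot: `"rundll.exe"` in the `ExeList` array inside the `query` string is not the name of the Windows host process (`rundll32.exe`), so that entry never matches after the `Process in (ExeList)` filter and the list silently covers one fewer binary than intended. Also, `queryFrequency` is `PT1H` while the time series is cut at `startofday(ago(endtime))` with `endtime = 1d` and alerts are taken from `ago(2d)`; with `suppressionEnabled` false and grouping disabled, the same anomaly hour is re-reported on every hourly run until it ages out, so `"queryFrequency": "P1D",` (or enabling incident grouping) would be more consistent with the daily granularity of the data window.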
From 67ece6717823ec44e16534d5916b718c84d4936e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:33 +0000
Subject: [PATCH 257/375] Exported file: ProofpointPOD - Binary file in
attachment.json.json
---
...fpointPOD - Binary file in attachment.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
new file mode 100644
index 00000000..d7979346
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ed981a2-337b-4542-a371-3968ac93f923')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ed981a2-337b-4542-a371-3968ac93f923')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Binary file in attachment",
+ "enabled": false,
+ "description": "Detects when email recieved with binary file as attachment.",
+ "alertRuleTemplateName": "eb68b129-5f17-4f56-bf6d-dde48d5e615a"
+ }
+ }
+ ]
+}
\ No newline at end of file
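Review bot: The `query` inspects only the first message part, `todynamic(MsgParts)[0]['detectedMime']`, so if `MsgParts` lists the text body before attachments — which seems likely but cannot be confirmed from this export — a zip attached as a later part is never seen; expanding the array (`mv-expand`) before the `application/zip` check would cover every part. The same `[0]` indexing appears in the ProofpointPOD - Multiple archived attachments rule later in this series. Minor: `recieved` in the `description` should read `received`.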
From aebc29a52f8dc1b60e5cb3ce1851627ca204b199 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:34 +0000
Subject: [PATCH 258/375] Exported file: ProofpointPOD - Email sender IP in TI
list.json.json
---
...pointPOD - Email sender IP in TI list.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
new file mode 100644
index 00000000..56d78c38
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcIpAddr)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\n )\non $left.TI_ipEntity == $right.ClientIP\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Exfiltration",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Email sender IP in TI list",
+ "enabled": false,
+ "description": "Email sender IP in TI list.",
+ "alertRuleTemplateName": "78979d32-e63f-4740-b206-cfb300c735e0"
+ }
+ }
+ ]
+}
\ No newline at end of file
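Review bot: `let dt_lookBack = 1h;` in the `query` restricts ProofpointPOD events to the last hour, but `queryFrequency` is `P1D`, so roughly 23 hours of each day's mail events are never compared against the indicators; the lookback should match the schedule, e.g. `let dt_lookBack = 1d;`. This rule also has no `entityMappings` block, unlike the other rules in this series, even though the projected `SrcIpAddr`, `SrcUserUpn` and `DstUserUpn` columns are natural IP and Account entities for the resulting incident. Both issues recur in the next commit (ProofpointPOD - Email sender in TI list.json).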
From da018f85b54f8d1494b80bb4b0988e4f3c0822eb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:34 +0000
Subject: [PATCH 259/375] Exported file: ProofpointPOD - Email sender in TI
list.json.json
---
...oofpointPOD - Email sender in TI list.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
new file mode 100644
index 00000000..15e29453
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcUserUpn)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n \n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Exfiltration",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Email sender in TI list",
+ "enabled": false,
+ "description": "Email sender in TI list.",
+ "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde"
+ }
+ }
+ ]
+}
\ No newline at end of file
From f331176d30bf6bbf18b7feb90887251d643bc988 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:35 +0000
Subject: [PATCH 260/375] Exported file: ProofpointPOD - High risk message not
discarded.json.json
---
...POD - High risk message not discarded.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
new file mode 100644
index 00000000..40125ada
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4416b145-266e-461b-b5bf-c346069f404e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4416b145-266e-461b-b5bf-c346069f404e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - High risk message not discarded",
+ "enabled": false,
+ "description": "Detects when email with high risk score was not rejected or discarded by filters.",
+ "alertRuleTemplateName": "c7cd6073-6d2c-4284-a5c8-da27605bdfde"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 312662200678d2d7742d9969682e7816708013ef Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:36 +0000
Subject: [PATCH 261/375] Exported file: ProofpointPOD - Multiple archived
attachments to the same recipient.json.json
---
...ved attachments to the same recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
new file mode 100644
index 00000000..f4c3e6c5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple archived attachments to the same recipient",
+ "enabled": false,
+ "description": "Detects when multiple emails where sent to the same recipient with large archived attachments.",
+ "alertRuleTemplateName": "bda5a2bd-979b-4828-a91f-27c2a5048f7f"
+ }
+ }
+ ]
+}
\ No newline at end of file
From f2eb7c530954a078e61753f3412f75bd67d221a0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:37 +0000
Subject: [PATCH 262/375] Exported file: ProofpointPOD - Multiple large emails
to the same recipient.json.json
---
...le large emails to the same recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
new file mode 100644
index 00000000..51b6a7ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7aa0650e-f8b6-4737-9894-85f684aa5d18')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7aa0650e-f8b6-4737-9894-85f684aa5d18')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet msgszthreshold = 3000000;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where NetworkBytes > msgszthreshold\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple large emails to the same recipient",
+ "enabled": false,
+ "description": "Detects when multiple emails with lage size where sent to the same recipient.",
+ "alertRuleTemplateName": "d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32"
+ }
+ }
+ ]
+}
\ No newline at end of file
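Review bot: The `summarize count() by SrcUserUpn, DstUserUpn` on the query line groups on the raw DstUserUpn value, while the neighbouring ProofpointPOD rules in this series treat that column as a JSON array (`todynamic(DstUserUpn)[0]`, `array_length(todynamic(DstUserUpn))`); if it really is a serialized list, a recipient who is reached alongside varying co-recipients is spread over several groups and never crosses `msgthreshold`. Expanding the list first, e.g. `| mv-expand Recipient = todynamic(DstUserUpn) | summarize count() by SrcUserUpn, Recipient = tostring(Recipient)`, counts per actual recipient and also gives a clean second Account entity to map. The description misspells `lage size where sent` (should read `large size were sent`), and `techniques` is null although the tactic is Exfiltration, so the alert carries no ATT&CK technique into incident views.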
From 31a96cb3fd7f90796a05de09e521d768dc0a4c91 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:38 +0000
Subject: [PATCH 263/375] Exported file: ProofpointPOD - Multiple protected
emails to unknown recipient.json.json
---
...protected emails to unknown recipient.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
new file mode 100644
index 00000000..46b01c27
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT30M",
+ "queryPeriod": "PT30M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 30m;\nlet lbperiod = 14d;\nlet knownrecipients = ProofpointPOD\n| where TimeGenerated > ago(lbperiod)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where SrcUserUpn != ''\n| where array_length(todynamic(DstUserUpn)) == 1\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\n| extend commcol = SrcUserUpn;\nProofpointPOD\n| where TimeGenerated between (ago(lbtime) .. now())\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\n| join knownrecipients on commcol\n| where recipients !contains DstUserMail\n| project SrcUserUpn, DstUserMail\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Multiple protected emails to unknown recipient",
+ "enabled": false,
+ "description": "Detects when multiple protected messages where sent to early not seen recipient.",
+ "alertRuleTemplateName": "f8127962-7739-4211-a4a9-390a7a00e91f"
+ }
+ }
+ ]
+}
\ No newline at end of file
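Review bot: The join keys on the query line do not line up: the `knownrecipients` side sets `commcol = SrcUserUpn` (the historical sender), but the live side sets `commcol = tostring(todynamic(DstUserUpn)[0])` (the current recipient), so each message is compared against the sending history of its recipient rather than of its sender, and a first-time recipient who has never sent outbound mail drops out of the inner join entirely. The live side should read `| extend commcol = SrcUserUpn` before the join. Separately, the 14-day baseline (`lbperiod = 14d`) cannot be populated while the rule has `"queryPeriod": "PT30M"`, because a scheduled rule only sees data inside its query period, so every recipient looks unknown; `"queryPeriod": "P14D"` is needed for the history to exist. `recipients !contains DstUserMail` is a substring test on the serialized set, so `bob@corp.example` counts as known whenever `alice.bob@corp.example` is; `| where not(set_has_element(recipients, DstUserMail))` compares whole addresses.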
From fb59194daa035ce98a347f0670504fc027759866 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:39 +0000
Subject: [PATCH 264/375] Exported file: ProofpointPOD - Possible data
exfiltration to private email.json.json
---
...le data exfiltration to private email.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
new file mode 100644
index 00000000..41839953
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55f68d39-f930-44bd-acb6-4eddd9007237')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55f68d39-f930-44bd-acb6-4eddd9007237')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where array_length(todynamic(DstUserUpn)) == 1\n| extend sender = extract(@'\\A(.*?)@', 1, SrcUserUpn)\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\n| extend recipient = extract(@'\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\n| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\n| where sender =~ recipient\n| where sender_domain != recipient_domain\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Possible data exfiltration to private email",
+ "enabled": false,
+ "description": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.",
+ "alertRuleTemplateName": "aedc5b33-2d7c-42cb-a692-f25ef637cbb1"
+ }
+ }
+ ]
+}
\ No newline at end of file
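Review bot: `"tactics": ["InitialAccess"]` contradicts the rule itself, whose name and description describe outbound mail to a personal mailbox; `"Exfiltration"` is the tactic the other outbound ProofpointPOD rules in this series use and the one analysts will filter on. In the query line, `sender =~ recipient` is case-insensitive but `sender_domain != recipient_domain` is case-sensitive, so `user@Contoso.com` mailing `user@contoso.com` is reported as a cross-domain message; use `| where sender_domain !~ recipient_domain`. For tuning, the rule matches any same-local-part/different-domain pair, including partner or subsidiary domains, so an exclusion list of trusted recipient domains is likely needed before it is enabled.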
From 6f4d91ec53f23257d77a2f6d09d8dcd8e7fc91a9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:39 +0000
Subject: [PATCH 265/375] Exported file: ProofpointPOD - Suspicious
attachment.json.json
---
...ProofpointPOD - Suspicious attachment.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
new file mode 100644
index 00000000..92580185
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3838a2fe-0433-432b-8f34-fd48f0930148')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3838a2fe-0433-432b-8f34-fd48f0930148')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\n| where attachedExt in (disallowed_ext)\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ProofpointPOD - Suspicious attachment",
+ "enabled": false,
+ "description": "Detects when email contains suspicious attachment (file type).",
+ "alertRuleTemplateName": "f6a51e2c-2d6a-4f92-a090-cfb002ca611f"
+ }
+ }
+ ]
+}
\ No newline at end of file
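Review bot: `todynamic(MsgParts)[0]['detectedExt']` on the query line inspects only the first message part, so an executable attached after a text or HTML body part is never examined; expanding the parts, e.g. `| mv-expand part = todynamic(MsgParts) | where tostring(part.detectedExt) in~ (disallowed_ext)`, checks every attachment, and `in~` removes the `.EXE`/`.Ps1` case bypass that case-sensitive `in` leaves open if detectedExt preserves the original case. The same first-part-only pattern appears in the other ProofpointPOD rules of this series and deserves the same treatment. `AccountCustomEntity = DstUserUpn` maps the raw recipient column, which the sibling rules treat as a JSON array, so the Account entity may end up as a serialized list rather than a UPN; `tostring(todynamic(DstUserUpn)[0])` or an mv-expand gives a single address. The five-extension list is a starting point only, but the `FilterDisposition !in ('reject', 'discard')` scope is right: it reports what was delivered despite being suspicious.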
From 38b610e62236579e0f969d7a34686bacb519ec7d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:40 +0000
Subject: [PATCH 266/375] Exported file: ProofpointPOD - Weak ciphers.json.json
---
.../ProofpointPOD - Weak ciphers.json | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
new file mode 100644
index 00000000..bc4737a2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fddce345-91bc-4cba-82f9-af733f7cdc69')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lbtime = 1h;\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\nProofpointPOD\n| where EventType == 'message'\n| where TlsCipher in (tls_ciphers)\n| extend IpCustomEntity = SrcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": null,
+ "techniques": null,
+ "displayName": "ProofpointPOD - Weak ciphers",
+ "enabled": false,
+ "description": "Detects when weak TLS ciphers are used.",
+ "alertRuleTemplateName": "56b0a0cd-894e-4b38-a0a1-c41d9f96649a"
+ }
+ }
+ ]
+}
\ No newline at end of file
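Review bot: The query line ends with `| extend IpCustomEntity = SrcIpAddr`, but this rule has no `entityMappings` block (every other rule in the series places one after `incidentConfiguration`), so incidents are created with no IP entity and the column goes unused; the mapping below fixes that. `let lbtime = 1h;` is declared and never referenced, so either drop it or add `| where TimeGenerated > ago(lbtime)` for consistency with the other ProofpointPOD rules. `tactics` and `techniques` are both null, leaving the alert without ATT&CK context. The cipher list covers only RC4-SHA and 3DES; if this feed ever shows export, NULL or MD5 suites in `TlsCipher` they belong in `tls_ciphers` too, and if the table exposes a TLS version column a TLS 1.0/1.1 check would complement this rule.
```json
      "entityMappings": [
        {
          "entityType": "IP",
          "fieldMappings": [
            {
              "identifier": "Address",
              "columnName": "IpCustomEntity"
            }
          ]
        }
      ],
      "tactics": null,
```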
From 3e809b68ab99c1a1e85f8fe5695b6d14920c9238 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:41 +0000
Subject: [PATCH 267/375] Exported file: PulseConnectSecure - Large Number of
Distinct Failed User Logins.json.json
---
...Number of Distinct Failed User Logins.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
new file mode 100644
index 00000000..ddd791b4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fbd8942-976f-4b19-94c6-785e9f05136e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fbd8942-976f-4b19-94c6-785e9f05136e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins",
+ "enabled": false,
+ "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server",
+ "alertRuleTemplateName": "1fa1528e-f746-4794-8a41-14827f4cb798"
+ }
+ }
+ ]
+}
\ No newline at end of file
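Review bot: The `summarize dcount(User) by Computer, bin(TimeGenerated, 15m)` on the query line discards `Source_IP`, so the alert names only the VPN appliance (`HostCustomEntity = Computer`) and an analyst must re-query to learn where the spray originated; adding `Sources = make_set(Source_IP, 100)` to the summarize keeps the distinct-user semantics and surfaces the origins. `Messages startswith "Login failed"` differs from the `contains` used by the sibling brute-force rule; if the Messages field ever carries a prefix before that text this rule silently matches nothing, so the two rules should agree on one operator. `dcount()` is an estimate, acceptable at `threshold = 100`, but worth a query comment for whoever lowers the threshold later.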
From cfb8e1c4dca928221ee9d9e6bed58236887f366c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:42 +0000
Subject: [PATCH 268/375] Exported file: PulseConnectSecure - Potential Brute
Force Attempts.json.json
---
...cure - Potential Brute Force Attempts.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
new file mode 100644
index 00000000..09ccf3d3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b59ad89c-249e-462f-ac68-c23a93202fa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b59ad89c-249e-462f-ac68-c23a93202fa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
+ "enabled": false,
+ "description": "This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server",
+ "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44"
+ }
+ }
+ ]
+}
\ No newline at end of file
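Review bot: With `"suppressionEnabled": false` and `groupingConfiguration.enabled: false`, a source that keeps failing above `threshold = 20` produces a fresh incident for the same User/Source_IP every hour the rule runs; enabling entity grouping (`"enabled": true` with `"matchingMethod": "AllEntities"` and a `lookbackDuration` of at least `PT1H`) or suppression consolidates them. The query never looks for a subsequent successful login from `Source_IP`, which is the event that turns a brute-force attempt into a compromise; a join against successful-login messages, or a companion rule, would let that case carry a higher severity than `Low`. `User` is a grouping key with no check for empty values, so if the parser leaves it blank for some failure lines they all collapse into one bucket per IP and can trip the threshold on their own.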
From 00a6e42d70d409316d5d219d90a9c5dfa564938f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:43 +0000
Subject: [PATCH 269/375] Exported file: RDP Nesting.json.json
---
.../RDP Nesting.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/RDP Nesting.json
diff --git a/SentinelExported-AnalyticsRule/RDP Nesting.json b/SentinelExported-AnalyticsRule/RDP Nesting.json
new file mode 100644
index 00000000..93ec5a16
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/RDP Nesting.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda14730-b43b-4099-a785-6145306928b9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda14730-b43b-4099-a785-6145306928b9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet endtime = 1d;\nlet starttime = 8d;\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. Change the threshold as needed.\nlet threshold = 5;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the first RDP connection time, computer and ip\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \n| join kind=inner (\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the second RDP connection time, computer and ip\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\n) on Account\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\n// where the second hop occurs within 30 minutes of the first hop\n| where SecondHop <= FirstHop+30m\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize makeset(Computer), 
ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a given day\n| where ComputerCount >= threshold\n| mvexpand set_Computer\n| extend Computer = toupper(set_Computer)\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "RDP Nesting",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \nto another system with the same account within the 60 minutes. Additionally, if historically daily \nRDP connections are indicated by the logged EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "69a45b05-71f5-45ca-8944-2e038747fb39"
+ }
+ }
+ ]
+}
\ No newline at end of file
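Review bot: `| where SecondHop <= FirstHop+30m` in the query line applies a 30-minute window while the description promises detection "within the 60 minutes"; one of the two should change, and the inline comment `Make sure that the first connection is after the second connection --> SecondHop > FirstHop` states the opposite of the condition it annotates (the second hop must follow the first). The query never ties `SecondIPAddress` to `FirstComputer`; it only requires the two hosts and the two IPs to differ, so any two RDP logons by one account to different hosts from different sources within the window are reported as nesting, and without a host-to-IP mapping this precision limit belongs in the description. The `summarize makeset(Computer),` / `ComputerCount = ...` text is spread over two physical lines here; if the committed file really contains a raw line break inside the `query` string it is not valid JSON and the template will fail to deploy, so confirm this is a rendering artefact. The description also ends in an unfinished sentence (`Additionally, if historically daily RDP connections are indicated by ...`).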
From f2a3c20a2bf0557d1565ef779e0acff50a272571 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:44 +0000
Subject: [PATCH 270/375] Exported file: Rare RDP Connections.json.json
---
.../Rare RDP Connections.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare RDP Connections.json
diff --git a/SentinelExported-AnalyticsRule/Rare RDP Connections.json b/SentinelExported-AnalyticsRule/Rare RDP Connections.json
new file mode 100644
index 00000000..84ec8eb1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare RDP Connections.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af136dbc-b98a-4c3b-9842-e076768ae2a1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af136dbc-b98a-4c3b-9842-e076768ae2a1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where EventID == 4624\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\n) on Account, Computer\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Rare RDP Connections",
+ "enabled": false,
+ "description": "Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\nRDP connections are indicated by the EventID 4624 with LogonType = 10",
+ "alertRuleTemplateName": "45b903c5-6f56-4969-af10-ae62ac709718"
+ }
+ }
+ ]
+}
\ No newline at end of file
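Review bot: The `join kind=leftanti ... on Account, Computer` in the query line leaves `IpAddress` out of the key, so an account's RDP logon to a host it has used before is suppressed even when it arrives from a source IP never seen in the 14-day baseline; if unusual source is part of what "rare" should mean here, add `IpAddress` to the join key and expect more alerts. As written the baseline excludes any pair seen even once in the prior 13 days, so the rule detects strictly new Account/Computer pairs rather than rare ones, and the first run after onboarding a workspace or a batch of new hosts will emit every pair at once, which is worth a sentence in the description and a staged enablement. The baseline side matches every `EventID == 4624` logon type while the current side is restricted to `LogonType == 10`; the description states this, but a one-line comment in the query would spare the next reader the comparison.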
From ee12e63da3f956299f96b6510f0caf75062a065d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:44 +0000
Subject: [PATCH 271/375] Exported file: Rare and potentially high-risk Office
operations.json.json
---
...tentially high-risk Office operations.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
diff --git a/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
new file mode 100644
index 00000000..ee48f951
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e557ae74-ef8a-4bab-b807-959486942ceb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e557ae74-ef8a-4bab-b807-959486942ceb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nOfficeActivity\n| where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\")\nand not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Rare and potentially high-risk Office operations",
+ "enabled": false,
+ "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.",
+ "alertRuleTemplateName": "957cb240-f45d-4491-9ba5-93430a3c08be"
+ }
+ }
+ ]
+}
\ No newline at end of file
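Review bot: The service-account exclusion inside the `query` at line 22375 is written as `UserId has_any (...)`, which is a term match rather than an identity comparison, so any UserId that merely contains one of those terms is dropped from the results, not just the two accounts the author had in mind. Replacing the operator with `UserId in~ (...)` over the same two literals keeps the intent while making the allow-list exact. The two literals also look environment-specific and would be easier to tune if the query carried a one-line comment marking them as a local allow-list to adjust at deployment.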
From a0679304ea5b4be1e3bde309e7d48fc38b6610c1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:45 +0000
Subject: [PATCH 272/375] Exported file: Rare application consent.json.json
---
.../Rare application consent.json | 79 +++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare application consent.json
diff --git a/SentinelExported-AnalyticsRule/Rare application consent.json b/SentinelExported-AnalyticsRule/Rare application consent.json
new file mode 100644
index 00000000..66f56236
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare application consent.json
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f40377b-15d8-490f-a8d7-82c385f81829')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f40377b-15d8-490f-a8d7-82c385f81829')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 3,
+ "severity": "Medium",
+ "query": "\nlet current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed. \n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are \n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold\n;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n'Not Available')\n| extend InitiatedBy = 
iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| parse TargetResources.[0].modifiedProperties with * \"ConsentType: \" ConsentType \"]\" *\n| mv-expand AdditionalDetails\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy | union RareConsentApp\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "LateralMovement",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Rare application consent",
+ "enabled": false,
+ "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. \nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee"
+ }
+ }
+ ]
+}
\ No newline at end of file
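Review bot: `triggerThreshold` is 3 with `triggerOperator` `GreaterThan` (lines 22457–22458), so the rule only alerts once the query returns four or more rows in a day, while the `description` says it alerts when a rare "Consent to application" operation occurs; a single previously-unseen consent yields one row and would never fire. If single rare consents are meant to alert, `"triggerThreshold": 0` matches the description; otherwise the description should state the four-row minimum. Separately, the in-query `threshold = 3` only excludes initiators and apps seen more than three times in the 7-day baseline, so the `Reason` values "Previously unseen ..." also cover initiators seen up to three times; a short comment next to `let threshold = 3;` saying so would help whoever tunes it.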
From 764c4e734d07e3d685c6d6ad632586bf798e2aa2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:46 +0000
Subject: [PATCH 273/375] Exported file: Rare client observed with high reverse
DNS lookup count.json.json
---
...ed with high reverse DNS lookup count.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
diff --git a/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
new file mode 100644
index 00000000..d4f3d8ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/176ecb24-2007-4d65-a832-af6efe88afb5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/176ecb24-2007-4d65-a832-af6efe88afb5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P8D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents \n| where TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \n| join kind=leftanti (DnsEvents \n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | where Name contains \"in-addr.arpa\" \n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | where dcount_Name > threshold\n | project ClientIP , dcount_Name \n) on ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Rare client observed with high reverse DNS lookup count",
+ "enabled": false,
+ "description": "Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.",
+ "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06"
+ }
+ }
+ ]
+}
\ No newline at end of file
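Review bot: The `query` at line 22557 scopes reverse lookups with `Name contains "in-addr.arpa"`, which covers only IPv4 PTR zones; IPv6 reverse lookups under `ip6.arpa` are never counted, so a client enumerating addresses over IPv6 does not reach the threshold. Both zones can be covered by changing the filter on the current-day side and on the baseline side of the join to `| where Name endswith ".in-addr.arpa" or Name endswith ".ip6.arpa"`. The suffix match is also tighter than `contains`, which would accept the zone name appearing anywhere in a query name.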
From 3e8a8a59c035b6003eb44b54eceb45fc4d4f88ff Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:47 +0000
Subject: [PATCH 274/375] Exported file: Rare subscription-level operations in
Azure.json.json
---
...ubscription-level operations in Azure.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
diff --git a/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
new file mode 100644
index 00000000..9d3c1cd9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet SensitiveOperationList = dynamic([\"microsoft.compute/snapshots/write\", \"microsoft.network/networksecuritygroups/write\", \"microsoft.storage/storageaccounts/listkeys/action\"]);\nlet SensitiveActivity = AzureActivity\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \"listkeys/action\"\n| where ActivityStatusValue =~ \"Succeeded\";\nSensitiveActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \nSensitiveActivity\n| where TimeGenerated >= ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \nby CallerIpAddress, Caller, OperationNameValue\n) on CallerIpAddress, Caller, OperationNameValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Rare subscription-level operations in Azure",
+ "enabled": false,
+ "description": "This query looks for a few sensitive subscription-level events based on Azure Activity Logs. \n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \n to dump hashes or extract sensitive information from the disk.",
+ "alertRuleTemplateName": "23de46ea-c425-4a77-b456-511ae4855d69"
+ }
+ }
+ ]
+}
\ No newline at end of file
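Review bot: The comment inside the `query` at line 22633, `// The number of operations below which an IP address is considered an unusual source of role assignment operations`, is stale: `SensitiveOperationList` holds snapshot, NSG and storage listkeys operations rather than role assignments, and the threshold is applied per (CallerIpAddress, Caller, OperationNameValue) triple. Suggested wording: `// A (caller IP, caller, operation) triple seen at least this many times in the baseline window is treated as routine and excluded`. Separately, `ActivityStatusValue =~ "Succeeded"` is worth confirming against live AzureActivity rows, since a status column that carries a different success string would make the filter silently return nothing; `ActivityStatusValue in~ ("Succeeded", "Success")` tolerates both spellings.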
From cccb056c10666d7ea6bb9f9b22267803462a1006 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:48 +0000
Subject: [PATCH 275/375] Exported file: Request for single resource on
domain.json.json
---
...Request for single resource on domain.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Request for single resource on domain.json
diff --git a/SentinelExported-AnalyticsRule/Request for single resource on domain.json b/SentinelExported-AnalyticsRule/Request for single resource on domain.json
new file mode 100644
index 00000000..edbd74c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Request for single resource on domain.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63037f09-9e99-49da-909e-f384f84b9738')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63037f09-9e99-49da-909e-f384f84b9738')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet scriptExtensions = dynamic([\".php\", \".aspx\", \".asp\", \".cfml\"]);\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\nlet uriThreshold = 1;\nCommonSecurityLog\n// Only look at connections that were allowed through the web proxy\n| where DeviceVendor =~ \"Zscaler\" and DeviceAction =~ \"Allowed\"\n// Only look where some data was exchanged.\n| where SentBytes > 0 and ReceivedBytes > 0\n// Extract the Domain\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\n| extend GetData=iff(RequestURL == \"?\", 1, 0)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\n// Determine the number of URIs that have been visited for the domain\n| extend destinationURI = arraylength(list_RequestURL)\n| where destinationURI <= uriThreshold\n| where tostring(list_RequestURL) has_any(scriptExtensions)\n//Remove matches with referer\n| where max_RequestContext == \"\"\n//Keep requests where data was trasferred either in a GET with parameters or a POST\n| where set_RequestMethod in~ (\"POST\") or max_GetData == 1\n//Defeat email click tracking, may increase FN's while decreasing FP's\n| where list_RequestURL !has \"click\" and set_RequestMethod !has \"GET\"\n| mvexpand list_RequestURL, list_DestinationIP\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\n//Extend custom entitites for incidents\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Request for single resource on domain",
+ "enabled": false,
+ "description": "This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.",
+ "alertRuleTemplateName": "4d500e6d-c984-43a3-9f39-7edec8dcc04d"
+ }
+ }
+ ]
+}
\ No newline at end of file
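Review bot: The GET-with-parameters branch in the `query` at line 22719 looks unreachable: `GetData` is set only when `RequestURL == "?"`, i.e. the whole URL is a lone question mark, and the later clause `set_RequestMethod !has "GET"` drops any domain whose method set includes GET, so only POST-only domains survive. If GET requests carrying a query string are meant to be kept, as the `//Keep requests where data was trasferred` comment suggests, `GetData` should use `RequestURL contains "?"` and the `!has "GET"` clause needs reconsidering; if only POSTs are intended, the GetData logic and its comment can be removed. The `description` string also carries two typos, `recources` and `assocaited`, that analysts see in the portal.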
From e419fc2ec56579a1874f115acec4864e5b3a4f33 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:48 +0000
Subject: [PATCH 276/375] Exported file: SOURGUM Actor IOC - July
2021.json.json
---
.../SOURGUM Actor IOC - July 2021.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
diff --git a/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
new file mode 100644
index 00000000..67959ccf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\n (union isfuzzy=true\n(CommonSecurityLog\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\n| parse Message with * '(' DNSName ')' *\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\n| extend Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = DNSName\n),\n(DnsEvents\n| where Name in~ (domains)\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DNSName = Name, Host = Computer , Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where 
Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where Image has_any (file_path1) or Image has_any (file_path3)\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'\n), \n(DeviceNetworkEvents\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = 'SOURGUM IOC detected', UrlCustomEntity =RemoteUrl\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = 'SOURGUM IOC detected'\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"]\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source), Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n),\n(DeviceRegistryEvents\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, 
InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceProcessEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceFileEvents\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend CommandLine = InitiatingProcessCommandLine, Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or 
(ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SOURGUM Actor IOC - July 2021",
+ "enabled": false,
+ "description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM",
+ "alertRuleTemplateName": "94749332-1ad9-49dd-a5ab-5ff2170788fc"
+ }
+ }
+ ]
+}
\ No newline at end of file
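Review bot: The IOC set this High-severity rule matches on is not in the file: the `externaldata(...)` call at the top of `query` fetches `Sample%20Data/Feeds/SOURGUM.csv` from the `master` branch of a public GitHub repository at every 6-hour run, so whoever can change that branch (or whatever the CDN serves on a fetch failure) decides what the rule detects, and the content reviewed here cannot be audited for the indicators it covers. Pin the URL to a commit SHA, or load the CSV into a Sentinel watchlist and read it with `_GetWatchlist('SOURGUM')`, so the indicator list is versioned with the rule. The feed's `TLP` column is declared but never used, and the `Type` vocabulary the `where Type =~ "domainname"` / `"filepath1"` / `"regkey"` filters rely on is undocumented; a comment listing the expected `Type` values would make a malformed feed (which silently turns every `has_any (domains)` clause into a no-op) easier to spot. The rule is also tagged only `Persistence` although most branches match C2 domain lookups and outbound connections; `CommandAndControl` belongs in `tactics`.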
From 931eba23daa096bb13f4a5f0b49543b0906f1bd8 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:49 +0000
Subject: [PATCH 277/375] Exported file: SSH - Potential Brute Force.json.json
---
.../SSH - Potential Brute Force.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
diff --git a/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
new file mode 100644
index 00000000..97991578
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c84de391-2133-43e6-af89-27b021feaf75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c84de391-2133-43e6-af89-27b021feaf75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 15;\nSyslog\n| where SyslogMessage contains \"Failed password for invalid user\"\n| where ProcessName =~ \"sshd\" \n| parse kind=relaxed SyslogMessage with * \"invalid user\" user \" from \" ip \" port\" port \" ssh2\"\n| project user, ip, port, SyslogMessage, EventTime\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\n| where PerHourCount > threshold\n| mvexpand EventTimes\n| extend EventTimes = tostring(EventTimes) \n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\n| extend UserList = tostring(UserList) \n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "SSH - Potential Brute Force",
+ "enabled": false,
+ "description": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.",
+ "alertRuleTemplateName": "e1ce0eab-10d1-4aae-863f-9a383345ba88"
+ }
+ }
+ ]
+}
\ No newline at end of file
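Review bot: The filter `SyslogMessage contains "Failed password for invalid user"` in `query` only counts failures for accounts that do not exist, so a brute force against `root` or any real account (sshd logs those as `Failed password for <user> from ...`) never reaches the threshold, while the description claims the rule covers 15 failed SSH sign-ins in general. Widen it to `| where SyslogMessage has "Failed password for"` and derive the fields with `| extend user = extract(@"Failed password for (?:invalid user )?(\S+) from", 1, SyslogMessage), ip = extract(@" from (\S+) port \d+", 1, SyslogMessage)` so both log forms parse. The first `summarize ... by ip, bin(EventTime, 4h), user` also applies the threshold per (ip, user) pair, so a spray of one or two attempts across many users from one IP is invisible even though the final `UserList` suggests that is what it reports; summarize by `ip` and the time bin first, then collect users. Finally, `PerHourCount > threshold` fires on the 16th attempt, not the 15th the description states, and the bucket is 4 hours despite the `PerHourCount` name.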
From 5374b3ee8c8a4919b5155162053e8f3fcd69540b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:50 +0000
Subject: [PATCH 278/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes
(Normalized File Events).json.json
---
...kdoor hashes (Normalized File Events).json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
new file mode 100644
index 00000000..49eef9f4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nimFileEvent\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = User, \n HostCustomEntity = DvcHostname,\n FileHashCustomEntity = TargetFileMD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "bc5ffe2a-84d6-48fe-bc7b-1055100469bc"
+ }
+ }
+ ]
+}
\ No newline at end of file
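Review bot: The hash test `TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)` in `query` is case-sensitive while the IOC list is lower-case hex, so any source whose ASIM parser passes MD5 values through in upper case never matches, a silent miss for a High-severity rule. Use the case-insensitive forms `| where TargetFileMD5 in~ (SunburstMD5) or TargetFileMD5 =~ SupernovaMD5`. The FileHash entity mapping also carries only `Value`; as far as I recall the entity's strong identifier is `Algorithm` together with `Value`, so add `HashAlgorithm = "MD5"` to the `extend` and a second field mapping `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }` so the hash is attached to the right algorithm on the incident.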
From 4772e7b97e1ef164ce2d5bbb3a4b793b41cb4021 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:51 +0000
Subject: [PATCH 279/375] Exported file: SUNBURST and SUPERNOVA backdoor
hashes.json.json
---
...UNBURST and SUPERNOVA backdoor hashes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
new file mode 100644
index 00000000..93fabf1d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c110f9e8-7ac6-496f-8df7-da0c413e767e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c110f9e8-7ac6-496f-8df7-da0c413e767e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nDeviceFileEvents\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST and SUPERNOVA backdoor hashes",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "a3c144f9-8051-47d4-ac29-ffb0c312c910"
+ }
+ }
+ ]
+}
\ No newline at end of file
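Review bot: The FileHash entity at the end of `entityMappings` maps only `Value` from `FileHashCustomEntity`; as far as I recall, Sentinel's FileHash strong identifier is `Algorithm` plus `Value`, so the algorithm is lost on the incident, and the sibling 'SUNBURST network beacons' rule in this series computes `HashAlgorithm = 'MD5'` without mapping it either. Add `HashAlgorithm = "MD5"` to the `extend` in `query` and a second field mapping `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }`. The `MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)` comparison is case-sensitive against lower-case IOCs; `in~` and `=~` cost nothing and remove the dependency on the connector's hex casing.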
From 4eb9c38c674e7bd730847e138899d098646b2303 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:52 +0000
Subject: [PATCH 280/375] Exported file: SUNBURST network beacons.json.json
---
.../SUNBURST network beacons.json | 96 +++++++++++++++++++
1 file changed, 96 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST network beacons.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST network beacons.json b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json
new file mode 100644
index 00000000..be9feb5a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json
@@ -0,0 +1,96 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5b4fb13-738e-4591-a704-741486688b20')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5b4fb13-738e-4591-a704-741486688b20')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\",\"thedoccloud.com\",\"deftsecurity.com\"]);\nDeviceNetworkEvents\n| where ActionType == \"ConnectionSuccess\"\n| where RemoteUrl in(SunburstURL)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = InitiatingProcessMD5, \n HashAlgorithm = 'MD5',\n URLCustomEntity = RemoteUrl,\n IPCustomEntity = RemoteIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST network beacons",
+ "enabled": false,
+ "description": "Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "ce1e7025-866c-41f3-9b08-ec170e05e73e"
+ }
+ }
+ ]
+}
\ No newline at end of file
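Review bot: `RemoteUrl in(SunburstURL)` at the top of `query` is an exact whole-string match against six bare domains, so a connection logged with a subdomain (the referenced FireEye write-up describes DGA-generated hosts under `avsvmcloud.com`, if I recall it correctly) or with a scheme or path in `RemoteUrl` does not match; `| where RemoteUrl has_any (SunburstURL)` covers those forms with the same IOC list. The `ActionType == "ConnectionSuccess"` filter also drops blocked or failed attempts, which are still evidence of an implanted host; consider keeping failed connection action types too and projecting `ActionType` so the analyst can tell them apart. `HashAlgorithm = 'MD5'` is computed but never mapped; add `{ "identifier": "Algorithm", "columnName": "HashAlgorithm" }` beside the `Value` mapping of the FileHash entity.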
From a4d46cf0b56f452c1992eace7d4aa6a6c153f00d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:53 +0000
Subject: [PATCH 281/375] Exported file: SUNBURST suspicious SolarWinds child
processes (Normalized Process Events).json.json
---
...processes (Normalized Process Events).json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
new file mode 100644
index 00000000..19087bd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/20412a8c-a3a7-41a5-8620-6d4c724d3092')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/20412a8c-a3a7-41a5-8620-6d4c724d3092')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nimProcessCreate\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\n| where not(Process has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = ActorUsername,\n HostCustomEntity = User,\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST suspicious SolarWinds child processes (Normalized Process Events)",
+ "enabled": false,
+ "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)'",
+ "alertRuleTemplateName": "631d02df-ab51-46c1-8d72-32d0cfec0720"
+ }
+ }
+ ]
+}
\ No newline at end of file
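Review bot: `Process hassuffix 'solarwinds.businesslayerhost.exe'` followed by `not(Process has_any (excludeProcs))` tests the same column twice, so the second filter can never exclude anything (a value ending in businesslayerhost.exe cannot also contain `APMServiceControl.exe`) and the rule alerts on every launch of businesslayerhost.exe itself rather than on its children, unlike the sibling 'SUNBURST suspicious SolarWinds child processes' rule, which filters the parent with `InitiatingProcessFileName` and the child with `FolderPath`. If the ASIM ProcessEvent schema names the parent `ActingProcessName` as I recall, the intended logic is `| where ActingProcessName hassuffix 'solarwinds.businesslayerhost.exe'` followed by `| where not(TargetProcessName has_any (excludeProcs))`. `HostCustomEntity = User` in the same `extend` maps the Host entity to a user name; the normalized file-events rule in this series uses `DvcHostname`, and so should this one. The FileHash mapping also lacks an `Algorithm` identifier for `TargetProcessMD5`.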
From 2dfb91265d522976cfb868b7c4123afbaac80ba9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:53 +0000
Subject: [PATCH 282/375] Exported file: SUNBURST suspicious SolarWinds child
processes.json.json
---
...suspicious SolarWinds child processes.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
new file mode 100644
index 00000000..ba56da8a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ae8d0a-38d8-441f-b491-134cf3151846')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ae8d0a-38d8-441f-b491-134cf3151846')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\n| where not(FolderPath has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNBURST suspicious SolarWinds child processes",
+ "enabled": false,
+ "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "4a3073ac-7383-48a9-90a8-eb6716183a54"
+ }
+ }
+ ]
+}
\ No newline at end of file
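Review bot: The FileHash entity mapping (L23419–L23424) is fed by `FileHashCustomEntity = MD5` in the query at L23384, so the hash that lands on the incident is the weakest one DeviceProcessEvents carries; `FileHashCustomEntity = SHA256` would line up with the SHA-256 indicators the rest of this series keys on (e.g. the SUNSPOT hashes rule). `techniques` is `null` at L23432 while `tactics` is populated, so the MITRE technique mapping for the template is incomplete. The same null `techniques` appears in every rule of this series and is noted only here.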
From 98e9e7d35179f05f924b77c94784fa8de4fbf290 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:54 +0000
Subject: [PATCH 283/375] Exported file: SUNSPOT log file creation.json.json
---
.../SUNSPOT log file creation.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
diff --git a/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
new file mode 100644
index 00000000..5010a7fc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a13c922b-fe7c-476e-a586-edaab2219e57')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a13c922b-fe7c-476e-a586-edaab2219e57')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNSPOT log file creation",
+ "enabled": false,
+ "description": "This query uses Microsoft Defender for Endpoint data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807",
+ "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e"
+ }
+ }
+ ]
+}
\ No newline at end of file
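Review bot: The `SecurityEvent` branch of the union at L23478 only fires if file-system object access auditing (event 4663) is enabled with a SACL covering the path, and the description at L23510 does not say so; add `The SecurityEvent branch requires object access auditing (event 4663) to be enabled on the monitored hosts.` Where the ASIM `imFileEvent` parser is itself sourced from `DeviceFileEvents`, the same file creation can appear in two branches of the union and be raised twice; a `| distinct HostCustomEntity, timestamp` after the union, or dropping the branch that duplicates the other source, would keep the alert count honest. That depends on which ASIM source parsers are deployed, so confirm before changing it.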
From 055572f1e592ef1ea774ed7c5d9ab259a1f5aae1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:55 +0000
Subject: [PATCH 284/375] Exported file: SUNSPOT malware hashes.json.json
---
.../SUNSPOT malware hashes.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
diff --git a/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
new file mode 100644
index 00000000..ae9509a3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "SUNSPOT malware hashes",
+ "enabled": false,
+ "description": "This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807",
+ "alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429"
+ }
+ }
+ ]
+}
\ No newline at end of file
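Review bot: The hash match at L23553 is applied only to `InitiatingProcessSHA256` in DeviceEvents and DeviceImageLoadEvents, so a direct launch of the binary recorded in DeviceProcessEvents (hash in `SHA256`) or its write to disk in DeviceFileEvents does not match; a third union branch `(DeviceProcessEvents | where SHA256 in (SUNSPOT_Hashes))` would close that gap. The matched indicator is also never surfaced to the analyst: entityMappings (L23568–L23578) only maps Host, so adding `FileHashCustomEntity = InitiatingProcessSHA256` to the extend plus a FileHash mapping with identifier `Value`, as the SUNBURST rule does, would put the IoC on the incident.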
From d25b48611cbb58e7108a35013805b2afbdfd3369 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:56 +0000
Subject: [PATCH 285/375] Exported file: SUPERNOVA webshell.json.json
---
.../SUPERNOVA webshell.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
diff --git a/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
new file mode 100644
index 00000000..58eaf929
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nW3CIISLog\n| where csMethod == 'GET'\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\n| where csUriStem contains \"logoimagehandler.ashx\"\n| where csUriQuery contains \"codes\" and csUriQuery contains \"clazz\" and csUriQuery contains \"method\" and csUriQuery contains \"args\"\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "SUPERNOVA webshell",
+ "enabled": false,
+ "description": "Identifies SUPERNOVA webshell based on W3CIISLog data.\n References:\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/",
+ "alertRuleTemplateName": "2acc91c3-17c2-4388-938e-4eac2d5894e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
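Review bot: The IP entity at L23663–L23668 is taken from `cIP` (L23628), which in W3CIISLog is the immediate TCP peer; where the Orion web server sits behind a reverse proxy or load balancer this is the proxy's address rather than the requester's, so the entity can mislead triage unless X-Forwarded-For is captured and preferred. Given `High` severity and a match that is close to a confirmed webshell invocation, `queryFrequency`/`queryPeriod` of `P1D` (L23623–L23624) leaves up to a day of latency before the alert; `PT1H`/`PT1H` fits the fidelity of this detection better.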
From c887b32fb86a785b641765f4d3b4205cf1c4573e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:57 +0000
Subject: [PATCH 286/375] Exported file: Security Event log cleared.json.json
---
.../Security Event log cleared.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Security Event log cleared.json
diff --git a/SentinelExported-AnalyticsRule/Security Event log cleared.json b/SentinelExported-AnalyticsRule/Security Event log cleared.json
new file mode 100644
index 00000000..de1e55cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Security Event log cleared.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd618de1-e892-433a-9bc3-4d5d94edf017')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd618de1-e892-433a-9bc3-4d5d94edf017')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Security Event log cleared",
+ "enabled": false,
+ "description": "Checks for event id 1102 which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.",
+ "alertRuleTemplateName": "80da0a8f-cfe1-4cd0-a895-8bc1771a720e"
+ }
+ }
+ ]
+}
\ No newline at end of file
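Review bot: A Security-log clear (event 1102, L23722) is a high-fidelity, time-critical signal — responders need to capture what is left before it ages out — yet the rule runs on `queryFrequency`/`queryPeriod` of `P1D` (L23717–L23718), so an alert can lag the wipe by up to a day; `PT1H`/`PT1H` or shorter is the usual choice here. The description at L23763 could also state the scope: `Only the Security log is covered; clearing other Windows logs does not produce event 1102 in SecurityEvent.`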
From bc7ad338c9c782f2eb114756c58d6b360fe83587 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:57 +0000
Subject: [PATCH 287/375] Exported file: Security Service Registry ACL
Modification.json.json
---
...ity Service Registry ACL Modification.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
diff --git a/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
new file mode 100644
index 00000000..88f3794a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ef3b755-c57d-4103-8ad3-7536adbdd953')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ef3b755-c57d-4103-8ad3-7536adbdd953')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet servicelist = dynamic(['Services\\\\HealthService', 'Services\\\\Sense', 'Services\\\\WinDefend', 'Services\\\\MsSecFlt', 'Services\\\\DiagTrack', 'Services\\\\SgrmBroker', 'Services\\\\SgrmAgent', 'Services\\\\AATPSensorUpdater' , 'Services\\\\AATPSensor', 'Services\\\\mpssvc']);\nlet filename = dynamic([\"subinacl.exe\",'SetACL.exe']);\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\nlet timeframe = 1d;\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4670\n| where ObjectType == 'Key'\n| where ObjectName has_any (servicelist)\n| parse EventData with * 'OldSd\">' OldSd \"<\" *\n| parse EventData with * 'NewSd\">' NewSd \"<\" *\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\n),\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4688\n| extend ProcessName = tostring(split(NewProcessName, '\\\\')[-1])\n| where ProcessName in~ (filename) \n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, 
Type\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessFileName in~ (filename) \n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Security Service Registry ACL Modification",
+ "enabled": false,
+ "description": "Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \n Reference on guidance for enabling registry auditing:\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\n - https://github.com/OTRF/Set-AuditRule \n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0",
+ "alertRuleTemplateName": "473d57e6-f787-435c-a16b-b38b51fa9a4b"
+ }
+ }
+ ]
+}
\ No newline at end of file
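Review bot: The `query` value at L23807 is shown broken across two physical lines (`EventSourceName, ` / `Type\n),`), and a raw line break inside a JSON string is invalid, so if that break is in the exported file the rule will not parse and the hunk will not apply; confirm whether it is the export or this rendering. The 4688 branch matches on `CommandLine`, which is only populated when the "Include command line in process creation events" policy is enabled, and the description at L23849 lists the auditing prerequisites for 4670 but not this one; add `The 4688 branch requires process creation auditing with command-line logging enabled.`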
From 4d132bd128e5ac59990fb9e7546d8aa315d1b7cb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:58 +0000
Subject: [PATCH 288/375] Exported file: SecurityEvent - Multiple
authentication failures followed by a success.json.json
---
...cation failures followed by a success.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
diff --git a/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
new file mode 100644
index 00000000..a237d536
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet timeRange = 6h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID == 4624 or EventID == 4625\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 5 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by Account asc, TimeGenerated asc\n| serialize \n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), makeset(IpAddress) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome \n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mvexpand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "SecurityEvent - Multiple authentication failures followed by a success",
+ "enabled": false,
+ "description": "Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\nwithin a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or\npossible mis-configuration of a service account within an environment.\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a success for an account within 1 hour to surface an alert.",
+ "alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7"
+ }
+ }
+ ]
+}
\ No newline at end of file
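Review bot: The lookback is fixed twice: `let timeRange = 6h;` inside the query (L23893) and `queryPeriod: PT6H` (L23889), and `timeRange` also bounds `row_window_session`, so changing one without the other silently truncates either the sessionization window or the data it runs over; note next to `timeRange` that it must equal `queryPeriod`, or say so in the description at L23943. `makelist`, `makeset` and `mvexpand` in the same query are the legacy spellings of `make_list`, `make_set` and `mv-expand`; the current names avoid a deprecation path.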
From b3e5636d29408897d2032abd929288a4566a1f5d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:23:59 +0000
Subject: [PATCH 289/375] Exported file: Sensitive Azure Key Vault
operations.json.json
---
.../Sensitive Azure Key Vault operations.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
diff --git a/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
new file mode 100644
index 00000000..7c838929
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64c74af9-0412-4732-89f8-86f46e4897eb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64c74af9-0412-4732-89f8-86f46e4897eb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet SensitiveOperationList = dynamic(\n[\"VaultDelete\", \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", \"KeyBackup\"]);\nAzureDiagnostics\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\" \n| where OperationName in~ (SensitiveOperationList) \n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Sensitive Azure Key Vault operations",
+ "enabled": false,
+ "description": "Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \nAny Backup operations should match with expected scheduled backup activity.",
+ "alertRuleTemplateName": "d6491be0-ab2d-439d-95d6-ad8ea39277c5"
+ }
+ }
+ ]
+}
\ No newline at end of file
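Review bot: `CallerIPMax = arg_max(CallerIPAddress, *)` at L23987 selects the lexicographically greatest IP string in the group, not the most recent caller, so `IPCustomEntity = CallerIPMax` maps an arbitrary member of `CallerIPList` onto the incident; an `arg_max` keyed on `TimeGenerated` would give the latest caller, and the `*` drags every remaining AzureDiagnostics column into the alert. With `SecretPurge` and `KeyPurge` in the operation list at L23987, `queryFrequency` of `P1D` (L23982) means a purge can go unnoticed for a day, which is worth weighing against the `Low` severity at L23986.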
From 17fb2f1a6c0cd4c630aa900845e93e556a0337b4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:00 +0000
Subject: [PATCH 290/375] Exported file: Several deny actions
registered.json.json
---
.../Several deny actions registered.json | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Several deny actions registered.json
diff --git a/SentinelExported-AnalyticsRule/Several deny actions registered.json b/SentinelExported-AnalyticsRule/Several deny actions registered.json
new file mode 100644
index 00000000..780cdb88
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Several deny actions registered.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Medium",
+ "query": "\nlet threshold = 1;\nAzureDiagnostics\n | where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n | extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n | extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n | extend msg_a = split(msg_s_replaced1,\" \")\n | extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\n | where action == \"Deny\"\n | extend url = iff(destIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",destIp)\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\n | where count_ >= [\"threshold\"]\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "LateralMovement",
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Several deny actions registered",
+ "enabled": false,
+ "description": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.",
+ "alertRuleTemplateName": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e"
+ }
+ }
+ ]
+}
\ No newline at end of file
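Review bot: The deny-count filter in the query on L24072 is effectively a no-op: `let threshold = 1;` paired with `| where count_ >= ["threshold"]` keeps every summarized group, because `count_` from `summarize ... count()` is never below 1, while the description on L24115 promises "more than 1 registered deny action". Either `| where count_ > threshold` or a larger `threshold` matches the stated intent; the `triggerThreshold` of 1 on L24070 does not compensate, since it counts result rows (distinct srcIp/destIp/url/action/protocol groups), not denies per source. The bracket-quoted `["threshold"]` also reads like an array literal at a glance; the plain identifier `threshold` is clearer.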
From bd60391eb1f7ae82b8cb133ea2fff9ba16a21333 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:01 +0000
Subject: [PATCH 291/375] Exported file: SharePointFileOperation via devices
with previously unseen user agents.json.json
---
...es with previously unseen user agents.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
new file mode 100644
index 00000000..890b9771
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 5;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where TimeGenerated > ago(endtime)\n| where isnotempty(UserAgent)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\n| order by recentCount desc, UserAgent\n// More than 5 downloads/uploads from a new user agent today\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated > ago(endtime) \n| where RecordType =~ szSharePointFileOperation \n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| join kind= inner (RareUserAgent)\non UserAgent, RecordType, Operation \n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "SharePointFileOperation via devices with previously unseen user agents",
+ "enabled": false,
+ "description": "Identifies if the number of documents uploaded or downloaded from device(s) associated\nwith a previously unseen user agent exceeds a threshold (default is 5).",
+ "alertRuleTemplateName": "5dd76a87-9f87-4576-bab3-268b0e2b338b"
+ }
+ }
+ ]
+}
\ No newline at end of file
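Review bot: The `RareUserAgent` anti-join in the query on L24159 is keyed on `UserAgent` only, while `historicalActivity` is summarized by `UserAgent, RecordType, Operation` and the later inner join uses all three keys; the sibling rule in the next patch (L24253) anti-joins on `ClientIP, RecordType, Operation`. As written, a user agent seen historically for any operation suppresses the alert for every operation, which is a broader baseline than the per-operation grouping suggests. If that is intended, the `historicalActivity` summary can drop `RecordType, Operation`; otherwise `| join kind = leftanti (historicalActivity) on UserAgent, RecordType, Operation` aligns it with the other rule. It would also help to note in the description that the user agent is a client-supplied header, so this rule is a weak signal on its own and is best run alongside the unseen-IP rule.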
From 1f378e8c6f95353dcd7f38040c8f2f70e0bb5962 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:02 +0000
Subject: [PATCH 292/375] Exported file: SharePointFileOperation via previously
unseen IPs.json.json
---
...leOperation via previously unseen IPs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
new file mode 100644
index 00000000..379ae7e9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85e14dab-bc47-4f28-810f-47db9aa5896f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85e14dab-bc47-4f28-810f-47db9aa5896f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 50;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\n// More than 50 downloads/uploads from a new IP\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated >= ago(endtime) \n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "SharePointFileOperation via previously unseen IPs",
+ "enabled": false,
+ "description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 50).",
+ "alertRuleTemplateName": "4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7"
+ }
+ }
+ ]
+}
\ No newline at end of file
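Review bot: The two recent-window filters in the query on L24253 disagree at the boundary: `recentActivity` uses `| where TimeGenerated > ago(endtime)` while the final pass uses `| where TimeGenerated >= ago(endtime)`, so an event exactly on the boundary can enter the final join without having been counted in `recentCount`, which is what `IPSeenCount` reports. Using `> ago(endtime)` in both places keeps the count and the row set consistent. The `historicalActivity` window `between(ago(starttime)..ago(endtime))` is inclusive on both ends, so the same boundary instant can also fall in both the baseline and the recent set; if that overlap is acceptable, a one-line comment in the query saying so would save the next reader the question.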
From adc56f1bf4d58c0570af8bf5c733e6d0c03a7088 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:03 +0000
Subject: [PATCH 293/375] Exported file: Sign-ins from IPs that attempt
sign-ins to disabled accounts (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
new file mode 100644
index 00000000..0124366b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/595b910c-156b-4a20-996e-06c50a217133')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/595b910c-156b-4a20-996e-06c50a217133')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n , applicationsTargeted = dcount(TargetAppName)\n , applicationSet = make_set(TargetAppName) \n by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n imAuthentication\n | where EventResult=='Success'\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33"
+ }
+ }
+ ]
+}
\ No newline at end of file
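Review bot: The join in the query on L24347 is declared `kind=leftouter` but the following `| where isnotempty(successfulAccountSigninCount)` discards every unmatched row, so it is an inner join in effect; `| join kind=inner` states the intent directly. The same query uses `makeset(TargetUsername, 15)` where the non-ASIM sibling rule on L24424 uses `make_set(...)`; `makeset` is the legacy spelling and the two rules should agree. Both sides summarize by `SrcDvcIpAddr, Type` but join on `SrcDvcIpAddr` alone, so an IP that appears under two `Type` values is cross-joined and the projected `Type` is whichever side wins; adding `Type` to the `on` clause avoids that, and the same applies to the `on IPAddress` join in the sibling rule.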
From cd6033fc52c330bcf8625cea22d1c34786b1e515 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:03 +0000
Subject: [PATCH 294/375] Exported file: Sign-ins from IPs that attempt
sign-ins to disabled accounts.json.json
---
...attempt sign-ins to disabled accounts.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
new file mode 100644
index 00000000..e4ffdb36
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ee20e13-a511-42e0-beb8-020666b7071c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ee20e13-a511-42e0-beb8-020666b7071c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \napplicationSet = make_set(AppDisplayName) by IPAddress, Type\n| order by disabledAccountLoginAttempts desc\n| join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n table(tableName)\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n) on IPAddress \n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other account\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
+ "enabled": false,
+ "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.",
+ "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757"
+ }
+ }
+ ]
+}
\ No newline at end of file
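Review bot: The two `ResultType` comparisons in the query on L24424 use different literal types for the same column — `ResultType == "50057"` (string) on the failure branch and `ResultType == 0` (number) on the success branch. If `ResultType` is a string column in `SigninLogs` and `AADNonInteractiveUserSignInLogs` (it appears to be, given the first comparison), the numeric form depends on implicit conversion; `| where ResultType == "0"` matches the other comparison and is unambiguous. The extra `| where ResultDescription == "User account is disabled. ..."` exact match is redundant with the error code and will silently drop rows if the description wording ever changes; the code alone is the stable key, and the description reference on L24457 already documents what 50057 means.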
From 38bdfb6406c5881dd0cf30b881741aa593fb2b2e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:04 +0000
Subject: [PATCH 295/375] Exported file: Solorigate Defender
Detections.json.json
---
.../Solorigate Defender Detections.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
new file mode 100644
index 00000000..d2be50b9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where ThreatName has \"Solorigate\"\n| extend HostCustomEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.HostCustomEntity\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Defender Detections",
+ "enabled": false,
+ "description": "Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.",
+ "alertRuleTemplateName": "e70fa6e0-796a-4e85-9420-98b17b0bb749"
+ }
+ }
+ ]
+}
\ No newline at end of file
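Review bot: The join in the query on L24501 takes `DeviceInfo` as the left side without deduplicating by device, so if `DeviceInfo` holds more than one row per `DeviceName` inside the one-day period (it is a periodic inventory table, so this seems likely) each matching alert is emitted once per inventory row. Summarizing first — `DeviceInfo | extend DeviceName = tolower(DeviceName) | summarize arg_max(TimeGenerated, *) by DeviceName` — yields one row per device and keeps the latest attributes for the projection. The description on L24542 also spells the campaign name both ways (`Solorigate` and `Solarigate`) and repeats `the the`; since this text is shown in the portal it is worth fixing at the export source.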
From d6c61f83aa65688f0fca9c9e8a17602d54dd4aa7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:05 +0000
Subject: [PATCH 296/375] Exported file: Solorigate Domains Found in VM
Insights.json.json
---
...lorigate Domains Found in VM Insights.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
new file mode 100644
index 00000000..9ca5d68d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Domains Found in VM Insights",
+ "enabled": false,
+ "description": "Identifies connections to Solorigate-related DNS records based on VM insights data",
+ "alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801"
+ }
+ }
+ ]
+}
\ No newline at end of file
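Review bot: The query on L24586 hard-codes `let timeframe = 1h;` and filters each of the three tables with `TimeGenerated >= ago(timeframe)`, duplicating `queryPeriod` (`PT1H`, L24582); if the period is later widened, the inner filter silently keeps the narrower window, and the scheduler already bounds the data to `queryPeriod`, so the filters add nothing today. Dropping `timeframe`, or a comment tying it to `queryPeriod`, removes the drift. The `domains` list is a fixed IoC snapshot inside the rule; keeping it in a watchlist or the threat-intelligence table instead lets the indicator set be updated without redeploying the analytics rule.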
From 2937ef4573fa7b1f72938eea23ff1792d4f1264d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:06 +0000
Subject: [PATCH 297/375] Exported file: Solorigate Named Pipe.json.json
---
.../Solorigate Named Pipe.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
new file mode 100644
index 00000000..3567c779
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\n(union isfuzzy=true\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend PipeName = column_ifexists(\"PipeName\", \"\")\n| extend Account = UserName\n),\n(\n SecurityEvent\n| where EventID == '5145'\n// %%4418 looks for presence of CreatePipeInstance value \n| where AccessList has '%%4418' \n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Named Pipe",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095",
+ "alertRuleTemplateName": "11b4c19d-2a79-4da3-af38-b067e1273dee"
+ }
+ }
+ ]
+}
\ No newline at end of file
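Review bot: The description at L24712 documents the Sysmon prerequisite (Event IDs 17/18 with named-pipe logging enabled) but says nothing about the SecurityEvent branch of the query at L24670, which to my knowledge only sees EventID 5145 when the "Audit Detailed File Share" subcategory is enabled; a branch that silently returns nothing is hard to tell apart from a true negative. I would extend the description with a sentence such as `The SecurityEvent branch requires the 'Audit Detailed File Share' subcategory to be enabled so that 5145 events are generated.` Both branches match the pipe name only by the fixed GUID string, so the rule's coverage is exactly this one IOC, which is worth stating in the description as well.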
From a0356c9d62e3e3a86997f8a28b58c8595d494255 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:07 +0000
Subject: [PATCH 298/375] Exported file: Solorigate Network Beacon.json.json
---
.../Solorigate Network Beacon.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
diff --git a/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
new file mode 100644
index 00000000..5d0d4c2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT6H",
+ "queryPeriod": "PT6H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns (domain_has_any=domains)\n | extend DNSName = DnsQuery\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Solorigate Network Beacon",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1",
+ "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b"
+ }
+ }
+ ]
+}
\ No newline at end of file
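Review bot: The VMConnection branch of the query at L24755 parses only the first element of RemoteDnsCanonicalNames (`parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *`) and then requires an exact match with `DNSName in~ (domains)`, so additional canonical names and any subdomain of a listed domain are missed; the VM Insights rule in the preceding file handles the same table with `set_union`/`mv-expand` and `has_any`, and the two should agree. I would rewrite that branch as `| extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames), todynamic(RemoteDnsQuestions))`, `| mv-expand DNSName`, `| where tostring(DNSName) has_any (domains)`; the CommonSecurityLog branch has the same exact-match limitation on its parsed DNSName. Separately, the query string appears to break across two physical lines between L24755 and L24756 (after `Request_Name \". `); if that newline is really present in the exported file rather than a rendering wrap, the document is not valid JSON and the template will fail to deploy, so the export is worth verifying.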
From 6ccda068be08a71cf9e9fda0cd8359022d443be9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:07 +0000
Subject: [PATCH 299/375] Exported file: Squid proxy events for ToR
proxies.json.json
---
.../Squid proxy events for ToR proxies.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
new file mode 100644
index 00000000..54cd03c7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == \"200\"\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events for ToR proxies",
+ "enabled": false,
+ "description": "Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "90d3f6ec-80fb-48e0-9937-2c70c9df9bad"
+ }
+ }
+ ]
+}
\ No newline at end of file
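Review bot: The `SourceIP` extraction at L24850 (`([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))`) only matches dotted IPv4 literals, so for IPv6 clients `SourceIP` is empty and the IP entity mapped at L24876-L24882 is blank on the incident; the same parser block is repeated verbatim in the mining-pools rule that follows (L24944-L24945), so any fix applies to both. If IPv6 clients are in scope, capturing the third whitespace-delimited field of the default Squid access line instead of an IPv4 literal would cover both families, though that should be checked against the actual SyslogMessage layout in this environment. The two rules also differ only in `\"200\"` here versus `'200'` in the mining-pools copy for the status comparison; one quoting style makes the pair easier to diff.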
From ba1a18da379861263927cb96bbbdec5c8cd3716e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:08 +0000
Subject: [PATCH 300/375] Exported file: Squid proxy events related to mining
pools.json.json
---
... proxy events related to mining pools.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
diff --git a/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
new file mode 100644
index 00000000..bc4e34de
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet DomainList = dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \"xmrget.com\", \n\"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \"supportxmr.com\",\n\"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \"gntl.co.uk\", \"semipool.com\", \n\"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \"coinpoolit.webhop.me\", \"nanopool.org\", \n\"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \"extrmepool.org\", \"webcoin.me\", \n\"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \"dwarfpool.com\", \"hash-to-coins.com\", \n\"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \"moneropool.ru\", \"cryptonotepool.org.uk\",\n\"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\",\n\"shscrypto.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n 
RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == '200'\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Squid proxy events related to mining pools",
+ "enabled": false,
+ "description": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/",
+ "alertRuleTemplateName": "80733eb7-35b2-45b6-b2b8-3c51df258206"
+ }
+ }
+ ]
+}
\ No newline at end of file
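Review bot: `DomainList` at L24944 contains duplicate entries (`supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice) and includes `mooo.com`, which to my knowledge is a shared dynamic-DNS parent domain rather than a mining pool, so `has_any` at L24945 will match every host under it and raise unrelated Low-severity alerts. I would deduplicate the list and either drop `mooo.com` or replace it with the specific hostnames that were actually observed. The description at L24995 could also note that the list is a static IOC snapshot that needs periodic refresh, since pool domains change frequently.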
From 838135c1fd2fd60533f29c821e7dbc8937031838 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:09 +0000
Subject: [PATCH 301/375] Exported file: Starting or Stopping HealthService to
Avoid Detection.json.json
---
...ping HealthService to Avoid Detection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
diff --git a/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
new file mode 100644
index 00000000..6ff4834f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SecurityEvent\n| where EventID == 4656\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\n| extend ObjectServer = column_ifexists('ObjectServer', \"\"), ObjectType = column_ifexists('ObjectType', \"\"), ObjectName = column_ifexists('ObjectName', \"\")\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\n| where ObjectServer =~ \"SC Manager\" and ObjectType =~ \"SERVICE OBJECT\" and ObjectName =~ \"HealthService\"\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. with user/group target pointing to \"NU.\"\n| join kind=leftouter (\n SecurityEvent\n | where EventID == 4624\n) on TargetLogonId\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Starting or Stopping HealthService to Avoid Detection",
+ "enabled": false,
+ "description": "This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\n The query requires a SACL to audit for access request to the service.",
+ "alertRuleTemplateName": "2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae"
+ }
+ }
+ ]
+}
\ No newline at end of file
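Review bot: The final `project` in the query at L25039 keeps `IpAddress` from the 4656 handle-request row rather than `IpAddress1` from the joined 4624 logon row, so the IP entity mapped at L25074-L25080 comes from the access event, which for a locally issued request may carry no usable address; if the leftouter join on TargetLogonId is there to recover the logon's source address, the mapping should prefer the 4624 side, e.g. `| extend IpAddress = iff(isempty(IpAddress) or IpAddress == \"-\", IpAddress1, IpAddress)` before the `project`. The join also pulls every column of every 4624 event in the one-day period; projecting `TargetLogonId, IpAddress, LogonType` inside the joined subquery would cut the cost without changing the result. The description at L25089 could say which SACL is required (an audit entry on the HealthService service object for the relevant principals), since the rule returns nothing without it.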
From 74917254b0a02c016728ab88b2058b16f6f81ec2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:10 +0000
Subject: [PATCH 302/375] Exported file: Successful SSH brute force
attack.json.json
---
.../Successful SSH brute force attack.json | 104 ++++++++++++++++++
1 file changed, 104 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
diff --git a/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
new file mode 100644
index 00000000..f5336b5f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json
@@ -0,0 +1,104 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "Usage\r\n| extend User1 = \"Bob\"\r\n| extend User2 = \"Bill\"\r\n| extend Host1 = \"DC01\"\r\n| extend Host2 = \"Web-DMZ01\"\r\n| extend IP = \"185.32.177.53\"\r\n| take 1\r\n",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": true,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host1"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "HostName",
+ "columnName": "Host2"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User1"
+ }
+ ]
+ },
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "User2"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IP"
+ }
+ ]
+ }
+ ],
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": null,
+ "alertDescriptionFormat": "Analysis of host data has detected a successful brute force attack. The IP {{IP}} was seen making multiple login attempts. This means that the host may be compromised and controlled by a malicious actor.",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful SSH brute force attack",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
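Review bot: The query at L25136 is synthetic (`Usage | extend User1 = \"Bob\" ... | extend IP = \"185.32.177.53\" | take 1`) and returns one fabricated row with hard-coded account, host and IP values, yet the rule ships with `\"enabled\": true` at L25209, severity High, a five-minute frequency and an alert description at L25200 asserting that a successful brute-force attack was detected. Whenever the Usage table has data in the period this will open High-severity incidents with fake entities that an analyst cannot distinguish from real ones. If this is a test rule it should ship with `\"enabled\": false` and a `\"description\"` (currently empty at L25210) saying so, e.g. `Synthetic test rule: the query emits a fixed row and does not detect SSH brute force.`; if it is meant to be a real detection, the query needs to be replaced with an actual analysis of SSH authentication events.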
From f153973832dada136078b1437c04427a19acbbc0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:11 +0000
Subject: [PATCH 303/375] Exported file: Successful logon from IP and failure
from a different IP.json.json
---
...om IP and failure from a different IP.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
diff --git a/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
new file mode 100644
index 00000000..4b8645f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22a677eb-9971-4b78-8082-0061d9a975fd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet logonDiff = 10m;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where ResultType == \"0\" \n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1]), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\") \n | where ResultDescription !~ \"Other\" \n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\n) on UserPrincipalName, AppDisplayName \n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\n| extend timestamp = SuccessLogonTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Successful logon from IP and failure from a different IP",
+ "enabled": false,
+ "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.",
+ "alertRuleTemplateName": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2"
+ }
+ }
+ ]
+}
\ No newline at end of file
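Review bot: This rule has no `entityMappings` block, although the query at L25254 produces `UserPrincipalName`, `SuccessIPAddress` and `FailedIPAddress`; without mappings the incident carries no Account or IP entities, so `matchingMethod: AllEntities` at L25263 has nothing to match on and analysts lose entity-based investigation. The sibling rules in this series map these columns, so I would add an Account mapping (`identifier: FullName`, `columnName: UserPrincipalName`) and two IP mappings for `SuccessIPAddress` and `FailedIPAddress`. Also, `SuccessIPBlock` is built from the first two dot-separated components of `IPAddress`, which only makes sense for IPv4: for an IPv6 success address the second component is missing, the block degenerates to the whole address plus a trailing dot, and `FailedIPAddress !startswith SuccessIPBlock` then holds even when the failed address is identical, so a guard such as `| where IPAddress has \".\"` or an IPv6-aware prefix comparison is needed.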
From b7e6ce707cc8646aa135e37a72c91a74e061c04c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:11 +0000
Subject: [PATCH 304/375] Exported file: Suspicious Resource
deployment.json.json
---
.../Suspicious Resource deployment.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
new file mode 100644
index 00000000..5f4e2cf8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2950dda7-bc3f-4e83-9528-80df8dbe1368')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet szOperationNames = dynamic([\"Microsoft.Compute/virtualMachines/write\", \"Microsoft.Resources/deployments/write\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = AzureActivity\n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| where TimeGenerated > ago(endtime)\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller desc nulls last \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Resource deployment",
+ "enabled": false,
+ "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
+ "alertRuleTemplateName": "9fb57e58-3ed8-4b89-afcf-c8e786508b1c"
+ }
+ }
+ ]
+}
\ No newline at end of file
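Review bot: The KQL on the `"query"` line uses the legacy operator spellings `makeset` and `mvexpand`, while the later export `Suspicious granting of permissions to an account` already uses `make_set`; the current names are `make_set` and `mv-expand`, and mixing both forms across the rule set makes linting and future maintenance harder. I would change the three `makeset(...)` calls to `make_set(...)` and the expansion step to `| mv-expand CallerIpAddress`. Separately, `"techniques": null` is emitted while `"tactics"` is populated, so the exported rule carries no ATT&CK technique IDs; the same holds for every rule export in this series, which looks like a property of the export path rather than of this rule, but it is worth confirming before these files are used as the source of truth.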
From 198c45f0a708d602e30b89b3935870a7058d99f1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:12 +0000
Subject: [PATCH 305/375] Exported file: Suspicious Service Principal creation
activity.json.json
---
...s Service Principal creation activity.json | 50 +++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
new file mode 100644
index 00000000..dbc7eb1b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let timeframe = 60m;\nlet lookback = 10m;\nlet account_created =\nAuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\nAADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\nAuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\nAuditLogs\n | where OperationName contains \"Update application - Certificates and secrets management\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\nAuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n |summarize make_list(AssignedRoles) by AppID;\naccount_created \n | join kind= inner 
(account_activity) on AppID, AppID \n | join kind= inner (account_deleted) on AppID, AppID \n | join kind= inner (account_credentials) on AppID, AppID \n | join kind= inner (roles_assigned) on AppID, AppID\n | where deletionTime - creationTime < lookback\n | where tolong(deletionTime - creationTime) >= 0\n | where creationTime > ago(timeframe)\n | extend AliveTime = deletionTime - creationTime\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "PrivilegeEscalation",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Service Principal creation activity",
+ "enabled": false,
+ "description": "This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)",
+ "alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d"
+ }
+ }
+ ]
+}
\ No newline at end of file
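Review bot: `AppID` is derived by positional index, `tostring(AdditionalDetails[1].value)`, in three of the four sub-queries on the `"query"` line, and `AdditionalDetails` is a list of key/value objects whose order is not documented as fixed, so a reordered or shorter array silently yields an empty or wrong AppID and the inner joins drop the event. Selecting the entry by key is more robust, e.g. `| mv-apply d = AdditionalDetails on (where tostring(d.key) == "AppId" | project AppID = tostring(d.value))` (the key name is to be confirmed against the AuditLogs schema). The join clauses `on AppID, AppID` repeat the same column; `on AppID` is sufficient. The description string also carries a typo, `cretaed` for `created`.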
From 38dc00d79ed496b870e6688c602aed404fae2955 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:13 +0000
Subject: [PATCH 306/375] Exported file: Suspicious application consent for
offline access.json.json
---
...pplication consent for offline access.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
new file mode 100644
index 00000000..7478c516
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"offline_access\" and ConsentFull contains \"Files.Read\" or ConsentFull contains \"Mail.Read\" or ConsentFull contains \"Notes.Read\" or ConsentFull contains \"ChannelMessage.Read\" or ConsentFull contains \"Chat.Read\" or ConsentFull contains \"TeamsActivity.Read\" or ConsentFull contains \"Group.Read\" or ConsentFull contains \"EWS.AccessAsUser.All\" or ConsentFull contains \"EAS.AccessAsUser.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, 
AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent for offline access",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "3533f74c-9207-4047-96e2-0eb9383be587"
+ }
+ }
+ ]
+}
\ No newline at end of file
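Review bot: The scope filter on the `"query"` line, `| where ConsentFull contains "offline_access" and ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or ...`, mixes `and` with a chain of `or` without parentheses; because `and` binds tighter than `or`, `offline_access` is only required together with `Files.Read`, and any of the other scopes matches on its own. Only the earlier `where TargetResources has "offline"` pre-filter keeps this from firing on consents that do not include offline access at all. I would parenthesize the disjunction: `| where ConsentFull contains "offline_access" and (ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or ConsentFull contains "Notes.Read" or ConsentFull contains "ChannelMessage.Read" or ConsentFull contains "Chat.Read" or ConsentFull contains "TeamsActivity.Read" or ConsentFull contains "Group.Read" or ConsentFull contains "EWS.AccessAsUser.All" or ConsentFull contains "EAS.AccessAsUser.All")`. Separately, the known-application allow-list is pulled at query time via `externaldata` from a `master`-branch raw.githubusercontent.com URL, so the set of excluded applications changes whenever that upstream file changes and the rule presumably errors out (and stops alerting) if the fetch fails; pinning the URL to a commit or mirroring the CSV into a workspace watchlist would make the exclusion auditable, and the same applies to the O365 Attack Toolkit and PwnAuth exports that follow.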
From 75731b7ae5b977904c0949ab017c12386c31a3a4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:14 +0000
Subject: [PATCH 307/375] Exported file: Suspicious application consent similar
to O365 Attack Toolkit.json.json
---
...onsent similar to O365 Attack Toolkit.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
new file mode 100644
index 00000000..b43857d2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"mailboxsettings\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"contacts.read\" and ConsentFull contains \"user.read\" and ConsentFull contains \"mail.read\" and ConsentFull contains \"notes.read.all\" and ConsentFull contains \"mailboxsettings.readwrite\" and ConsentFull contains \"Files.ReadWrite.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", tostring(AdditionalDetails[0].value), \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where 
LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "f948a32f-226c-4116-bddd-d95e91d97eb9"
+ }
+ }
+ ]
+}
\ No newline at end of file
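Review bot: The `"description"` string repeats the clause "especially as the knownApplications list is expanded" twice in one sentence; the second occurrence should be dropped so it reads `Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!`. On the `"query"` line, `ConsentFull` is taken from `TargetResources[0].modifiedProperties[4].newValue` by position, the same brittle indexing as the other consent exports; if the `modifiedProperties` order differs for some events, `parse` leaves `GrantConsentType` empty and the `!= "AllPrincipals"` guard no longer excludes admin-wide grants, which changes what the `"severity": "High"` rule reports. Selecting the consent entry by its `displayName` rather than by index would be safer; the exact property name is to be confirmed against the audit schema.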
From bcbf3cd26cc22c3d48cedce99946bf641c8f301a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:15 +0000
Subject: [PATCH 308/375] Exported file: Suspicious application consent similar
to PwnAuth.json.json
---
...pplication consent similar to PwnAuth.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
new file mode 100644
index 00000000..cd0527f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"user.read\" and ConsentFull contains \"offline_access\" and ConsentFull contains \"mail.readwrite\" and ConsentFull contains \"mail.send\" and ConsentFull contains \"files.read.all\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ 
\"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to PwnAuth",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "39198934-62a0-4781-8416-a81265c03fd6"
+ }
+ }
+ ]
+}
\ No newline at end of file
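Review bot: On the `"query"` line, `GrantUserAgent = iff(AdditionalDetails[0].key =~ "User-Agent", AdditionalDetails[0].value, "")` passes a dynamic value and a string literal as the two branches, whereas the O365 Attack Toolkit export wraps the value in `tostring(...)` and the offline-access export wraps the whole `iff`; unless the engine coerces the mixed branch types, this will fail semantic validation once the rule is enabled. The form consistent with the sibling rules is `| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ "User-Agent", tostring(AdditionalDetails[0].value), "")`. The positional index into `AdditionalDetails` and `modifiedProperties` is shared with the other consent exports and is brittle for the same reason raised there.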
From d9a9eb98a30583e17070e978f21f7a06a913972d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:15 +0000
Subject: [PATCH 309/375] Exported file: Suspicious granting of permissions to
an account.json.json
---
...granting of permissions to an account.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
new file mode 100644
index 00000000..e8e3617d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationNameValue =~ \"microsoft.authorization/roleassignments/write\";\ncreateRoleAssignmentActivity \n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious granting of permissions to an account",
+ "enabled": false,
+ "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.",
+ "alertRuleTemplateName": "b2c15736-b9eb-4dae-8b02-3016b6a45a32"
+ }
+ }
+ ]
+}
\ No newline at end of file
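Review bot: The `"description"` line says the rule alerts on "a previously unseen source IP address", but the `rightanti` join on the `"query"` line keys on `CallerIpAddress, Caller` and the baseline keeps only pairs with `count_ >= alertOperationThreshold`, so a known IP used by a different caller, or a pair with fewer than five baseline operations, also alerts. That is a defensible design for a low-volume operation such as role assignment, but the threshold's effect on the baseline is not explained anywhere in the rule; I would extend the in-query comment to `// The number of operations below which a (CallerIpAddress, Caller) pair is excluded from the baseline and is therefore treated as a new source of role assignment operations`. The description could likewise say "previously unseen caller/IP pair" so analysts triaging the incident know why a familiar IP appears.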
From 6bef2922984ee1e4221d9bd7a0493e4029b53adc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:16 +0000
Subject: [PATCH 310/375] Exported file: Suspicious link sharing
pattern.json.json
---
.../Suspicious link sharing pattern.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
new file mode 100644
index 00000000..5cc525ae
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 3; \nZoomLogs \n| where Event =~ \"chat_message.sent\" \n| extend Channel = tostring(parse_json(ChatEvents).Channel) \n| extend Message = tostring(parse_json(ChatEvents).Message) \n| where Message matches regex \"http(s?):\\\\/\\\\/\" \n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\n| extend ChannelCount = arraylength(Channels) \n| where ChannelCount > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious link sharing pattern",
+ "enabled": false,
+ "description": "Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.",
+ "alertRuleTemplateName": "1218175f-c534-421c-8070-5dcaabf28067"
+ }
+ }
+ ]
+}
\ No newline at end of file
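Review bot: The `"query"` line uses the legacy KQL aliases `makeset` and `arraylength`; the current names are `make_set` and `array_length`, so `| summarize Channels = make_set(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId` and `| extend ChannelCount = array_length(Channels)`. The old names still execute today but are deprecated, and the role-assignment rule earlier in this series already uses `make_set`, so the export is inconsistent with itself. The `description` also reads "in a short space if time", presumably "of time".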
From cbf531181577f26c9c38edc2d10991a5820693eb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:17 +0000
Subject: [PATCH 311/375] Exported file: Suspicious number of resource creation
or deployment activities.json.json
---
...rce creation or deployment activities.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
diff --git a/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
new file mode 100644
index 00000000..96915b2d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet szOperationNames = dynamic([\"microsoft.compute/virtualMachines/write\", \"microsoft.resources/deployments/write\"]);\nlet starttime = 7d;\nlet endtime = 1d;\nAzureActivity\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2\n| join kind=leftsemi (\n// Last day's activity is anomalous\nAzureActivity\n| where TimeGenerated >= startofday(ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), 
tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2 \n) on Caller, CallerIpAddress \n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious number of resource creation or deployment activities",
+ "enabled": false,
+ "description": "Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\nThe start of the day is considered 12am UTC time.",
+ "alertRuleTemplateName": "361dd1e3-1c11-491e-82a3-bb2e44ac36ba"
+ }
+ }
+ ]
+}
\ No newline at end of file
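Review bot: The outer `make-series` on the `"query"` line hard-codes `range(startofday(ago(7d)), now(), 1d)` while the filter above it is driven by `let starttime = 7d;`, so tuning the window changes one and not the other; `range(startofday(ago(starttime)), now(), 1d)` keeps them aligned. Separately, `queryPeriod` is `P7D` but the query selects from `startofday(ago(starttime))`, which falls before `ago(7d)` at any run time other than 00:00 UTC, so the first partial day appears to lie outside the data the scheduler supplies — either a `queryPeriod` of `P8D` or filtering from `ago(starttime)` would be consistent. The query also relies on the legacy aliases `makelist` and `mvexpand`; the current names are `make_list` and `mv-expand`.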
From 9bb1327aa4f5692752438ffdb0b814f22fd6957d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:18 +0000
Subject: [PATCH 312/375] Exported file: TEARDROP memory-only dropper.json.json
---
.../TEARDROP memory-only dropper.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
diff --git a/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
new file mode 100644
index 00000000..846ccdaf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "TEARDROP memory-only dropper",
+ "enabled": false,
+ "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "738702fd-0a66-42c7-8586-e30f0583f8fe"
+ }
+ }
+ ]
+}
\ No newline at end of file
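Review bot: The `FileHash` entity mapping maps only `Value` to `FileHashCustomEntity`, although the query already computes `FileHashType = "SHA1"`; adding `{ "identifier": "Algorithm", "columnName": "FileHashType" }` to that `fieldMappings` array lets the entity carry its algorithm, which the FileHash entity type supports. As written the computed column is unused and the hash arrives in the incident as an unlabelled string. The `contains` comparisons on `InitiatingProcessFileName` and `FileName` would also be tighter as `=~` or `has`, since `contains` matches arbitrary substrings and bypasses the term index.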
From ba5d3510ad7ae5f4190809158648ba35478ed90a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:19 +0000
Subject: [PATCH 313/375] Exported file: THALLIUM domains included in DCU
takedown.json.json
---
...LIUM domains included in DCU takedown.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
diff --git a/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
new file mode 100644
index 00000000..06378b01
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost \n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "THALLIUM domains included in DCU takedown",
+ "enabled": false,
+ "description": "THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ",
+ "alertRuleTemplateName": "70b12a3b-4896-42cb-910c-5ffaf8d7987d"
+ }
+ }
+ ]
+}
\ No newline at end of file
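Review bot: Only the `CommonSecurityLog` branch of the union sets `Account` and `Computer`, yet the closing `extend` maps both into `AccountCustomEntity` and `HostCustomEntity` for every row, so hits from the `DnsEvents`, `imDns`, `VMConnection` and `AzureDiagnostics` branches carry an IP entity only; each branch should extend `Computer` where a host column exists (the `DnsEvents` table exposes `Computer`, as the DnsEvent TI rule later in this series projects). The `description` lists `SecurityEvents` as a matched data type, but the query never reads that table, while the `imDns` and `AzureDiagnostics` sources it does read are not mentioned. The `| where isnotempty(FileHash)` filter in the `CommonSecurityLog` branch looks unrelated to a domain match and may silently drop rows; it is worth confirming it is intended.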
From 877352102b91151849b6274a1a65b720c5c7026f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:19 +0000
Subject: [PATCH 314/375] Exported file: TI map Domain entity to
CommonSecurityLog.json.json
---
...ap Domain entity to CommonSecurityLog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
new file mode 100644
index 00000000..9f942723
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this 
TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to CommonSecurityLog",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "dd0a6029-ecef-4507-89c4-fc355ac52111"
+ }
+ }
+ ]
+}
\ No newline at end of file
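Review bot: The final `summarize ... by IndicatorId, FileHashValue` groups a domain match by a file-hash column; the column this rule joins on is `Domain`, so `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain` is the key that matches the intent (the sibling DnsEvent rule groups by `IndicatorId, Name`). With `FileHashValue` empty on domain indicators, every match for an indicator collapses into one row and distinct URLs and hosts are lost. This looks like a carry-over from a file-hash TI rule; verify against the upstream template before changing.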
From fef3a2ebc907968a39c1bb9115e9ce481d8607ae Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:20 +0000
Subject: [PATCH 315/375] Exported file: TI map Domain entity to
DnsEvent.json.json
---
.../TI map Domain entity to DnsEvent.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
new file mode 100644
index 00000000..eeb3f542
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.Name\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to DnsEvent",
+ "enabled": false,
+ "description": "Identifies a match in DnsEvent table from any Domain IOC from TI",
+ "alertRuleTemplateName": "85aca4d1-5d15-4001-abd9-acb86ca1786a"
+ }
+ }
+ ]
+}
\ No newline at end of file
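Review bot: The join `on $left.DomainName==$right.Name` is a case-sensitive equality, and unlike the CommonSecurityLog variant earlier in this series neither side is lowercased here, so an indicator stored with mixed case will not match the same name logged in lowercase. Adding `| extend DomainName = tolower(DomainName)` on the indicator side (as the CommonSecurityLog rule's `list_tlds` prelude already does) and `| extend Name = tolower(Name)` before the join makes the match case-insensitive, which the `in~` TLD check already assumes. Lowering `Name` also changes the projected `Name` column, which is acceptable since DNS names are case-insensitive.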
From a04d1a1c8bc6398fddd924dd868f12b11f5a3c65 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:21 +0000
Subject: [PATCH 316/375] Exported file: TI map Domain entity to
PaloAlto.json.json
---
.../TI map Domain entity to PaloAlto.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
new file mode 100644
index 00000000..32541d26
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for 
the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to PaloAlto",
+ "enabled": false,
+ "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "ec21493c-2684-4acd-9bc2-696dbad72426"
+ }
+ }
+ ]
+}
\ No newline at end of file
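Review bot: The case normalisation in the query is lopsided: `tolower(DomainName)` is applied only inside the `list_tlds` subquery, while the main `ThreatIntelligenceIndicator` pipeline joins the raw `DomainName` against the lower-cased `Domain` with the case-sensitive `==` operator, so any indicator stored with upper-case characters can never match (the `tld in~ (list_tlds)` prefilter is case-insensitive, which hides the asymmetry). Add `| extend DomainName = tolower(DomainName)` directly after `| where isnotempty(DomainName)` in the main pipeline so both join keys are normalised the same way. Separately, the template is exported with `"enabled": false` and `"techniques": null`, so deploying it as-is creates an inert rule; that is presumably intentional for an export, but worth stating in the `description` for whoever applies it.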
From bb228253ca53743124c9246f7df7aa4402de8621 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:22 +0000
Subject: [PATCH 317/375] Exported file: TI map Domain entity to
SecurityAlert.json.json
---
...TI map Domain entity to SecurityAlert.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
new file mode 100644
index 00000000..71a2d372
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n //Extract domain patterns from message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\", 1, tolower(Entities))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column extract hostname and IP address\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\n | extend 
IP_addr = iif(EntityType == 'ip', EntityAddress, '')\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n) on $left.DomainName==$right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to SecurityAlert",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI",
+ "alertRuleTemplateName": "87890d78-3e05-43ec-9ab9-ba32f4e01250"
+ }
+ }
+ ]
+}
\ No newline at end of file
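Review bot: The Host and IP entities can be lost at the final `summarize`: `mv-expand EntitiesDynamicArray` turns each alert into one row per entity, each carrying only `HostName` or `IP_addr` (the other is `''`), and `arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName` then keeps a single one of those rows — all of which share the same `TimeGenerated` — so which entity survives is arbitrary and the mapped `HostCustomEntity`/`IPCustomEntity` may be empty. Collapsing the per-entity rows with `make_set(HostName)`/`make_set(IP_addr)` under new column names before the `project`, or adding `HostName, IP_addr` to the `by` clause, would keep the entities attached to the alert. The join is also one-sided on case: `domain` is extracted from `tolower(Entities)` but `DomainName` is used as stored and `==` is case-sensitive, so add `| extend DomainName = tolower(DomainName)` after `| where isnotempty(DomainName)`.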
From e2a9994a314271c689500e88b6667ebd25baa4e5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:23 +0000
Subject: [PATCH 318/375] Exported file: TI map Domain entity to
Syslog.json.json
---
.../TI map Domain entity to Syslog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
new file mode 100644
index 00000000..45bfae87
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to Syslog",
+ "enabled": false,
+ "description": "Identifies a match in Syslog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa"
+ }
+ }
+ ]
+}
\ No newline at end of file
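Review bot: The join `$left.DomainName==$right.domain` is case-sensitive, but only the log side is normalised — `domain` is extracted from `tolower(SyslogMessage)` while `DomainName` is joined as stored — so any indicator containing upper-case characters silently never matches, and the case-insensitive `tld in~ (list_tlds)` prefilter masks the asymmetry. Add `| extend DomainName = tolower(DomainName)` after `| where isnotempty(DomainName)` on the indicator side. Note also that `extract(...)` returns only the first domain-looking token in each message, so a message that mentions a benign host before the indicator is never matched; that limitation deserves a comment above the `extend domain` line, e.g. `// only the first domain-like token in SyslogMessage is checked`.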
From c2fb72e7fae9638d28a8afe06b6c2efa2e709a12 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:24 +0000
Subject: [PATCH 319/375] Exported file: TI map Email entity to
AzureActivity.json.json
---
.../TI map Email entity to AzureActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
new file mode 100644
index 00000000..87307357
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efea115d-c997-4be7-adcb-95afd6643a0a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efea115d-c997-4be7-adcb-95afd6643a0a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \nResourceGroup, SubscriptionId\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to AzureActivity",
+ "enabled": false,
+ "description": "Identifies a match in AzureActivity table from any Email IOC from TI",
+ "alertRuleTemplateName": "cca3b4d9-ac39-4109-8b93-65bb284003e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
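Review bot: The join key is normalised on one side only: `Caller` is lower-cased before `| where Caller matches regex emailregex`, but `EmailSenderAddress` is joined as stored, and `==` is case-sensitive, so an indicator written with any upper-case characters never matches the lower-cased caller. Add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)` so both keys are normalised the same way. A comment above the join stating what is being matched — `// sender-address indicators matched against the identity performing the Azure operation` — would also make the intent of joining an e-mail IOC to `Caller` explicit to the next reader.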
From adce985191969362ea55565ddd7f345fa2ea85c4 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:24 +0000
Subject: [PATCH 320/375] Exported file: TI map Email entity to
CommonSecurityLog.json.json
---
...map Email entity to CommonSecurityLog.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
new file mode 100644
index 00000000..dd6cb3d2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/149a0db6-2ad7-4e69-bf36-0c4f62873101')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/149a0db6-2ad7-4e69-bf36-0c4f62873101')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to CommonSecurityLog",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI",
+ "alertRuleTemplateName": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63"
+ }
+ }
+ ]
+}
\ No newline at end of file
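Review bot: The Palo Alto filter uses the case-sensitive `==` and `in` operators — `DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")` — whereas the domain rule for the same vendor in this series uses `=~`, so a device that reports `WildFire` or `SMTP` is dropped silently; `=~` and `in~` give the same selectivity without that fragility. The join is also one-sided on case: `DestinationUserID` is lower-cased but `EmailSenderAddress` is not, and `==` will not match an indicator that contains upper-case characters; add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)`.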
From 79c537fca28e890bea4130ce3bb92803e67343c3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:25 +0000
Subject: [PATCH 321/375] Exported file: TI map Email entity to
OfficeActivity.json.json
---
...TI map Email entity to OfficeActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
new file mode 100644
index 00000000..1f3aee6d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to OfficeActivity",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity table from any Email IOC from TI",
+ "alertRuleTemplateName": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2"
+ }
+ }
+ ]
+}
\ No newline at end of file
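Review bot: Neither side of the join is case-normalised here: `UserId` is used as logged and `EmailSenderAddress` as stored, and `$left.EmailSenderAddress == $right.UserId` is case-sensitive, so any case difference between the feed and the audit log drops the match; the sibling AzureActivity and CommonSecurityLog rules at least lower-case the log side. To keep the original `UserId` as the surfaced `AccountCustomEntity`, join on a normalised copy instead: `| extend UserIdKey = tolower(UserId)` before the `matches regex` check, `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)`, and `on $left.EmailSenderAddress == $right.UserIdKey`.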
From 7aef2a4a6f1fb7b8b8ae119c3ef50f4182087730 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:26 +0000
Subject: [PATCH 322/375] Exported file: TI map Email entity to
SecurityAlert.json.json
---
.../TI map Email entity to SecurityAlert.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
new file mode 100644
index 00000000..e93dc3e4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/789aca0f-8766-49a2-84b7-1d68e2db7652')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/789aca0f-8766-49a2-84b7-1d68e2db7652')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert \n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, 
AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SecurityAlert",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others",
+ "alertRuleTemplateName": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc"
+ }
+ }
+ ]
+}
\ No newline at end of file
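Review bot: The join in the `query` value is case-sensitive but only one side of it is normalized: the SecurityAlert side builds `EntityEmail = tolower(strcat(EntityName, "@", EntityUPNSuffix))`, while `EmailSenderAddress` from ThreatIntelligenceIndicator is joined as-is, so an indicator whose sender address carries any upper-case character never matches. Adding `| extend EmailSenderAddress = tolower(EmailSenderAddress)` directly after `| where isnotempty(EmailSenderAddress)` on the indicator side makes the comparison case-insensitive end to end. The same one-sided normalization is present in the SecurityEvent and SigninLogs rules in the following hunks, where the log-side column is lowercased with a comment that assumes EmailSenderAddress is already lower case.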
From fb14c81679dfd59d66ff494b3c7e0a1b9e91a825 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:27 +0000
Subject: [PATCH 323/375] Exported file: TI map Email entity to
SecurityEvent.json.json
---
.../TI map Email entity to SecurityEvent.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
new file mode 100644
index 00000000..9040d0eb
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/481c342f-c33a-455b-82d5-2205b068f5d0')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/481c342f-c33a-455b-82d5-2205b068f5d0')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend TargetUserName = tolower(TargetUserName)\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\n | extend SecurityEvent_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SecurityEvent",
+ "enabled": false,
+ "description": "Identifies a match in SecurityEvent table from any Email IOC from TI",
+ "alertRuleTemplateName": "2fc5d810-c9cc-491a-b564-841427ae0e50"
+ }
+ }
+ ]
+}
\ No newline at end of file
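Review bot: `emailregex` is declared at the top of the `query` value but never referenced in this rule; the sibling TI-map rules filter the log side with `matches regex emailregex`, whereas here TargetUserName is joined after `tolower` with no shape check, so the `let` is dead code and the inconsistency looks unintended. Either drop the declaration or add `| where TargetUserName matches regex emailregex` after the `tolower` line. Since SecurityEvent TargetUserName is typically a plain account name rather than a UPN, the filter would also make explicit that only UPN-shaped values can match an email indicator.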
From e58cff7eb411d2b1db97635ea8d0ba58a6aac752 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:28 +0000
Subject: [PATCH 324/375] Exported file: TI map Email entity to
SigninLogs.json.json
---
.../TI map Email entity to SigninLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
new file mode 100644
index 00000000..90b58046
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, 
NetworkDestinationIP, NetworkSourceIP, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Email entity to SigninLogs",
+ "enabled": false,
+ "description": "Identifies a match in SigninLogs table from any Email IOC from TI",
+ "alertRuleTemplateName": "30fa312c-31eb-43d8-b0cc-bcbdfb360822"
+ }
+ }
+ ]
+}
\ No newline at end of file
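Review bot: In the `query` value the sign-in status fields are parsed from the wrong column: `Status = todynamic(DeviceDetail)` is immediately followed by `StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)`, but errorCode and additionalDetails are properties of the SigninLogs Status column, not of DeviceDetail, so StatusCode and StatusDetails will be empty in every result and the projected error context is lost. The fix is `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)`, or simply dropping the Status re-parse if the column is already dynamic in both tables the function is applied to. Because the function is reused for AADNonInteractiveUserSignInLogs via `aadFunc`, the column name should be confirmed against that table's schema as well.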
From 25547af1004d8cb89fafd43116839e1af930b391 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:28 +0000
Subject: [PATCH 325/375] Exported file: TI map File Hash to CommonSecurityLog
Event.json.json
---
... File Hash to CommonSecurityLog Event.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
new file mode 100644
index 00000000..87ccc2ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9f798a0-8821-4cde-9667-21d84cc45915')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9f798a0-8821-4cde-9667-21d84cc45915')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map File Hash to CommonSecurityLog Event",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI",
+ "alertRuleTemplateName": "5d33fc63-b83b-4913-b95e-94d13f0d379f"
+ }
+ }
+ ]
+}
\ No newline at end of file
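Review bot: The lower/upper `union` on the indicator side in the `query` value doubles the fileHashIndicators set purely to cope with hash casing, and it still misses a mixed-case FileHash value on the CommonSecurityLog side. Lowercasing both sides is simpler and covers every casing: replace the union with `fileHashIndicators | extend FileHashValue = tolower(FileHashValue)` and add `| extend FileHash = tolower(FileHash)` after `| where isnotempty(FileHash)` on the log side, leaving the join condition unchanged. This also halves the indicator rows fed into the join, which is the side the comment says is meant to stay small.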
From 571f9d2165035334210590c8ee7d2669b9e4e938 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:29 +0000
Subject: [PATCH 326/375] Exported file: TI map File Hash to Security
Event.json.json
---
.../TI map File Hash to Security Event.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
new file mode 100644
index 00000000..ea816559
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/689e109d-46e0-4f54-b0b4-1377167cd660')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/689e109d-46e0-4f54-b0b4-1377167cd660')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map File Hash to Security Event",
+ "enabled": false,
+ "description": "Identifies a match in Security Event data from any File Hash IOC from TI",
+ "alertRuleTemplateName": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf"
+ }
+ }
+ ]
+}
\ No newline at end of file
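Review bot: The AppLocker filter in the `query` value compares the integer EventID column with string literals, `| where EventID in ("8003","8002","8005")`, which at best relies on implicit conversion and is clearer as `| where EventID in (8002, 8003, 8005)`. Unlike the CommonSecurityLog hash rule in the previous hunk, this rule also performs no case normalization before `on $left.FileHashValue == $right.FileHash`, so an indicator and an event whose hex hashes differ only in letter case never match; lowercasing FileHashValue on the indicator side and FileHash after `| where isnotempty(FileHash)` would align it with the sibling rule.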
From 0da11274090ac9dc6083fd74755693a8def689f3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:30 +0000
Subject: [PATCH 327/375] Exported file: TI map IP entity to
AWSCloudTrail.json.json
---
.../TI map IP entity to AWSCloudTrail.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
new file mode 100644
index 00000000..fb100404
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32d3c923-7729-41bc-8b18-790e97726d79')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32d3c923-7729-41bc-8b18-790e97726d79')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, 
AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AWSCloudTrail",
+ "enabled": false,
+ "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI",
+ "alertRuleTemplateName": "f110287e-1358-490d-8147-ed804b328514"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 5f8d50f44dd8655d21d4f1625c749611fdb3150a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:31 +0000
Subject: [PATCH 328/375] Exported file: TI map IP entity to
AppServiceHTTPLogs.json.json
---
...I map IP entity to AppServiceHTTPLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
new file mode 100644
index 00000000..1ecbb4dc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n // renaming time column so it is clear the log this came from\n | extend AppService_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CIp\n| where AppService_TimeGenerated < ExpirationDateTime\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, 
IPCustomEntity = CIp, URLCustomEntity = CsHost\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AppServiceHTTPLogs",
+ "enabled": false,
+ "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI",
+ "alertRuleTemplateName": "f9949656-473f-4503-bf43-a9d9890f7d08"
+ }
+ }
+ ]
+}
\ No newline at end of file
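Review bot: In the `query` value `WebApp` is computed twice: `| extend WebApp = split(_ResourceId, '/')[8]` inside the join sub-query is shadowed by `WebApp = split(_ResourceId, '/')[8]` in the final `project`, so the first extend is dead work on the per-request side of the join. Keep one of them, preferably the extend, and list plain `WebApp` in the project. Separately, `URLCustomEntity = CsHost` maps the request host header into the URL entity; if CsHost carries only a hostname, a Host or DNS entity mapping would be the more accurate entity type for investigation and grouping.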
From ae611e914e561c07f14559ec5c1992ad10b1bcd3 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:32 +0000
Subject: [PATCH 329/375] Exported file: TI map IP entity to Azure Key Vault
logs.json.json
---
...map IP entity to Azure Key Vault logs.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
new file mode 100644
index 00000000..30687ab8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34be0f95-d845-4501-a64f-3f272d3e7d52')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34be0f95-d845-4501-a64f-3f272d3e7d52')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n)\non $left.TI_ipEntity == $right.ClientIP\n| where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n| summarize KeyVaultEvents_TimeGenerated = arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n| extend timestamp = KeyVaultEvents_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Azure Key Vault logs",
+ "enabled": false,
+ "description": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI",
+ "alertRuleTemplateName": "57c7e832-64eb-411f-8928-4133f01f4a25"
+ }
+ }
+ ]
+}
\ No newline at end of file
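Review bot: The query at L27598 applies `| where Active == true` straight to ThreatIntelligenceIndicator without first reducing to the newest record per indicator, so where an indicator has been re-ingested with a later Active == false record the older Active == true row still joins and alerts; the sibling rules in this series (L27729, L27824, L27910) insert `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` before the Active filter and the same line belongs here. The SQL audit query at L27663 and the Duo query at L28100 have the same gap, as does the GitHub query at L28185 in the following patch. Separately, this rule carries no `entityMappings` block although the query projects `ClientIP`, so incidents it raises have no IP entity for grouping or investigation; a minimal mapping is `{ "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIP" } ] }`, and the SQL rule at L27641 shares this omission. The description at L27619 is missing a space: `Identifies a match in Azure Key Vault logs from any IP IOC from TI`.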
From 8e03617a725aecf399828e0a8d389e40be1fc6e6 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:32 +0000
Subject: [PATCH 330/375] Exported file: TI map IP entity to Azure SQL Security
Audit Events.json.json
---
...ty to Azure SQL Security Audit Events.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
new file mode 100644
index 00000000..c6db79c8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail due to event specific schemas\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\"), Action = column_ifexists(\"action_name_s\", \"Not Available\"), \n Application = column_ifexists(\"application_name_s\", \"Not Available\"), HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n)\non $left.TI_ipEntity == $right.ClientIP\n| where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, 
EmailSourceIpAddress\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Azure SQL Security Audit Events",
+ "enabled": false,
+ "description": "Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI",
+ "alertRuleTemplateName": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85"
+ }
+ }
+ ]
+}
\ No newline at end of file
From bcfdcd675baea0e2d377331539d73ec11d529ac1 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:33 +0000
Subject: [PATCH 331/375] Exported file: TI map IP entity to
AzureActivity.json.json
---
.../TI map IP entity to AzureActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
new file mode 100644
index 00000000..3cc5e808
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, 
URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureActivity",
+ "enabled": false,
+ "description": "Identifies a match in AzureActivity from any IP IOC from TI",
+ "alertRuleTemplateName": "2441bce9-02e4-407b-8cc7-7d597f38b8b0"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d45a159f43c708b0149bc2847d3e05d1b2df966c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:34 +0000
Subject: [PATCH 332/375] Exported file: TI map IP entity to
AzureFirewall.json.json
---
.../TI map IP entity to AzureFirewall.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
new file mode 100644
index 00000000..d28e4d71
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Action @'\\.' 
Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\n | where isnotempty(RemoteIP)\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where AzureFirewall_TimeGenerated < ExpirationDateTime\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureFirewall",
+ "enabled": false,
+ "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI",
+ "alertRuleTemplateName": "0b904747-1336-4363-8d84-df2710bfe5e7"
+ }
+ }
+ ]
+}
\ No newline at end of file
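Review bot: `Action` is parsed out of msg_s and projected at L27825 but never filtered, so a connection from a listed IP that the firewall denied raises the same Medium alert as one it allowed, while the inline comment ("then the traffic was not denied") reads as if only permitted traffic is in scope. The NSG flow rule at L27910 restricts to `FlowStatus_s == "A"` and says so in its description; this rule should either do the equivalent, e.g. `| where Action =~ "Allow"` inside the join subquery if that is the intended scope, or state in the description at L27866 that both allowed and denied traffic is alerted on. The comment on L27825 should then be reworded to match whichever behaviour is kept.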
From 975d78d2dffd5f6d4061fe164e88307542ef4222 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:35 +0000
Subject: [PATCH 333/375] Exported file: TI map IP entity to
AzureNetworkAnalytics_CL (NSG Flow Logs).json.json
---
...reNetworkAnalytics_CL (NSG Flow Logs).json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
new file mode 100644
index 00000000..aa067349
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fa2554b-b319-4605-ad60-92601ac5d7ba')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fa2554b-b319-4605-ad60-92601ac5d7ba')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == \"A\"\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, 
ConfidenceScore,\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)",
+ "enabled": false,
+ "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed",
+ "alertRuleTemplateName": "a4025a76-6490-4e6b-bb69-d02be4b03f07"
+ }
+ }
+ ]
+}
\ No newline at end of file
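Review bot: The `| where FlowStatus_s == "A"` filter at L27910 runs after `summarize ... arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP`, so for each indicator/IP pair only the single most recent flow is inspected; if that latest flow was denied, earlier allowed flows from the same listed IP within the hour are discarded and the rule stays silent, contrary to the description "that was Allowed". Moving the filter into the join subquery, directly after `| where TimeGenerated >= ago(dt_lookBack)`, makes the arg_max pick the latest allowed flow instead. The comment in the same string reads "removing onlp Public IP" and should be "keeping only the Public IP" or similar.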
From da05e3b6e00e8f8d9ef549952e9a5ee9f413dbcf Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:36 +0000
Subject: [PATCH 334/375] Exported file: TI map IP entity to
DnsEvents.json.json
---
.../TI map IP entity to DnsEvents.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
new file mode 100644
index 00000000..867984dc
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58d21291-77aa-4e73-9603-1cefbe80b39c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58d21291-77aa-4e73-9603-1cefbe80b39c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = 
DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to DnsEvents",
+ "enabled": false,
+ "description": "Identifies a match in DnsEvents from any IP IOC from TI",
+ "alertRuleTemplateName": "69b7723c-2889-469f-8b55-a2d355ed9c87"
+ }
+ }
+ ]
+}
\ No newline at end of file
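Review bot: The IP entity at L28006 is bound to `ClientIP`, the internal DNS client, while the matched indicator value lives only in the `TI_ipEntity`/`SingleIP` columns and is not mapped to any entity; the firewall and NSG rules in this series (L27825, L27911) map `IPCustomEntity = TI_ipEntity` instead. Whether the client or the resolved address is the more useful entity is a design choice, but it should be deliberate, and if the schema permits a second IP mapping both could be exposed, e.g. `| extend ..., ResolvedIPCustomEntity = SingleIP` with a matching `entityMappings` entry. At minimum the description at L28056 could state that the IP entity is the querying client, not the IOC.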
From e16281a62801eda50f64fcf3f0bb35351b65a09b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:36 +0000
Subject: [PATCH 335/375] Exported file: TI map IP entity to Duo
Security.json.json
---
.../TI map IP entity to Duo Security.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
new file mode 100644
index 00000000..83f1a1ee
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eba9eb63-e5e8-4617-87f7-492aedad803a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eba9eb63-e5e8-4617-87f7-492aedad803a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == $right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to Duo Security",
+ "enabled": false,
+ "description": "Identifies a match in DuoSecurity from any IP IOC from TI",
+ "alertRuleTemplateName": "d23ed927-5be3-4902-a9c1-85f841eb4fa1"
+ }
+ }
+ ]
+}
\ No newline at end of file
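Review bot: The query at L28100 has no `| where Duo_TimeGenerated < ExpirationDateTime` step after the join, unlike every other rule in this series, so an authentication that occurred after the indicator expired can still alert as long as the indicator row itself has not expired at query time; adding that single line before the summarize closes the gap. The join is also a plain `| join (` rather than `kind=innerunique` as used elsewhere, which widens the result set for no stated reason. Finally, `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` keeps one Duo event per indicator, so two accounts authenticating from the same listed IP in the hour collapse into a single row; if per-account alerts are wanted, summarize `by IndicatorId, user_name_s`.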
From 0f0219856878bbb07f9f578035412f3ed1a58484 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:37 +0000
Subject: [PATCH 336/375] Exported file: TI map IP entity to
GitHub_CL.json.json
---
.../TI map IP entity to GitHub_CL.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
new file mode 100644
index 00000000..09aeb7aa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/049d9663-9edb-4269-8bfa-340896d5cfe4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/049d9663-9edb-4269-8bfa-340896d5cfe4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to GitHub_CL",
+ "enabled": false,
+ "description": "Identifies a match in GitHub_CL table from any IP IOC from TI",
+ "alertRuleTemplateName": "aac495a9-feb1-446d-b08e-a1164a539452"
+ }
+ }
+ ]
+}
\ No newline at end of file
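Review bot: `| where Action == true` on the ThreatIntelligenceIndicator side of the `query` looks like a typo for `| where Active == true` — every sibling rule in this series filters on `Active`, and `Action` only appears as a GitHubAudit column that is projected after the join, so this line most likely fails semantic validation or filters on the wrong table's field. The query also never restricts indicators to unexpired ones nor bounds the audit rows to a lookback window, so a stale IOC can match any row in the `P1D` query period; the other rules do this with `| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()` on the TI side and `| where TimeGenerated >= ago(dt_lookBack)` inside the join, with `queryPeriod` raised to `P14D` to cover `ioc_lookBack`. Separately, `displayName` and `description` refer to a `GitHub_CL` table while the query reads `GitHubAudit`; one of them should be corrected so operators know which connector the rule actually depends on.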
From 5203cd342c4b7b2e90cd631673d0daee6acdb55d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:38 +0000
Subject: [PATCH 337/375] Exported file: TI map IP entity to
OfficeActivity.json.json
---
.../TI map IP entity to OfficeActivity.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
new file mode 100644
index 00000000..78721a0a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to OfficeActivity",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity from any IP IOC from TI",
+ "alertRuleTemplateName": "f15370f4-c6fa-42c5-9be4-1d308f40284e"
+ }
+ }
+ ]
+}
\ No newline at end of file
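Review bot: `let dt_lookBack = 1h;` equals the rule's `queryFrequency` of `PT1H`, so consecutive runs have no overlap and any OfficeActivity row whose ingestion lags its `TimeGenerated` by more than the scheduler's slack can fall between two windows and never be compared against the indicators; the same pattern is in the SigninLogs, VMConnection, W3CIISLog, WireData and AuditLogs hunks of this series. If ingestion latency matters for this workspace, filtering the joined table with `| where ingestion_time() >= ago(dt_lookBack)` (or widening `dt_lookBack` and accepting some duplicate alerts, since grouping is disabled) closes that gap. A smaller point: `URLCustomEntity = Url` takes the `Url` column from the TI indicator, which is presumably empty for IP-type indicators, so the `URL` entity mapping here may rarely populate — confirm against real indicator data before relying on it for investigation graphs.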
From d48b1524d192d7a73a31aac385869d55c2424584 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:39 +0000
Subject: [PATCH 338/375] Exported file: TI map IP entity to
SigninLogs.json.json
---
.../TI map IP entity to SigninLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
new file mode 100644
index 00000000..d42c80cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ccf4287-558c-445f-9331-ebb58c2be800')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ccf4287-558c-445f-9331-ebb58c2be800')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project 
SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to SigninLogs",
+ "enabled": false,
+ "description": "Identifies a match in SigninLogs from any IP IOC from TI",
+ "alertRuleTemplateName": "f2eb15bd-8a88-4b24-9281-e133edfba315"
+ }
+ }
+ ]
+}
\ No newline at end of file
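Review bot: `| extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type` inside `aadFunc` includes a no-op assignment; `Type` is already a column of `table(tableName)`, so `| extend SigninLogs_TimeGenerated = TimeGenerated` is sufficient and the later `| project ... Type` still carries the table name that lets a responder tell `SigninLogs` rows from `AADNonInteractiveUserSignInLogs` rows in the `union`. A comment on the `summarize ... by IndicatorId, IPAddress` line would help too, e.g. `// one row per indicator+IP keeps the latest sign-in from each matched source address`. Note that in this rendering the `query` string appears wrapped across two physical lines at `| project`; if the committed file really contains a raw line break inside the string it is not valid JSON, so it is worth checking the artifact on disk.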
From 3a9193364f5f376dd50f7f32f5a1b2279bae6a62 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:40 +0000
Subject: [PATCH 339/375] Exported file: TI map IP entity to
VMConnection.json.json
---
.../TI map IP entity to VMConnection.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
new file mode 100644
index 00000000..6144c2fa
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0a9646c6-c11c-4190-83be-ff0440581ebd')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0a9646c6-c11c-4190-83be-ff0440581ebd')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| where VMConnection_TimeGenerated < ExpirationDateTime\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to VMConnection",
+ "enabled": false,
+ "description": "Identifies a match in VMConnection from any IP IOC from TI",
+ "alertRuleTemplateName": "9713e3c0-1410-468d-b79e-383448434b2d"
+ }
+ }
+ ]
+}
\ No newline at end of file
From a431a941991669aa13cf49abaf64be2f4fea536d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:40 +0000
Subject: [PATCH 340/375] Exported file: TI map IP entity to
W3CIISLog.json.json
---
.../TI map IP entity to W3CIISLog.json | 86 +++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
new file mode 100644
index 00000000..2d186704
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json
@@ -0,0 +1,86 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/324b11f6-6382-45b4-934b-3f60ff4457a3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/324b11f6-6382-45b4-934b-3f60ff4457a3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n // renaming time column so it is clear the log this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.cIP\n| where W3CIISLog_TimeGenerated < ExpirationDateTime\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, 
URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to W3CIISLog",
+ "enabled": false,
+ "description": "Identifies a match in W3CIISLog from any IP IOC from TI",
+ "alertRuleTemplateName": "5e45930c-09b1-4430-b2d1-cc75ada0dc0f"
+ }
+ }
+ ]
+}
\ No newline at end of file
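Review bot: `AccountCustomEntity = csUserName` in the final `extend` is mapped to an `Account` entity with identifier `FullName`, but W3C extended log fields commonly hold `-` for anonymous requests, so many matches would presumably create a bogus account entity named `-`. Normalising the placeholder before mapping, e.g. `| extend AccountCustomEntity = iff(csUserName == "-", "", csUserName)`, keeps the entity graph clean; an empty column simply yields no Account entity. The `isnotempty(cIP)` guard inside the join is good and is worth a short comment such as `// skip rows with no client address so the join key is never blank`.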
From 1d9d4e933b69c19de60e0c3fafb187d1d427f74a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:41 +0000
Subject: [PATCH 341/375] Exported file: TI map IP entity to WireData.json.json
---
.../TI map IP entity to WireData.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
new file mode 100644
index 00000000..a8cbfc13
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n WireData | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(RemoteIP)\n // renaming time column so it is clear the log this came from\n | extend WireData_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where WireData_TimeGenerated < ExpirationDateTime\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map IP entity to WireData",
+ "enabled": false,
+ "description": "Identifies a match in WireData from any IP IOC from TI",
+ "alertRuleTemplateName": "a50766a7-0674-4ccb-8845-15dc55a80ba1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From f39bab98bf8a6c64c206864222fc51233881c9db Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:42 +0000
Subject: [PATCH 342/375] Exported file: TI map URL entity to
AuditLogs.json.json
---
.../TI map URL entity to AuditLogs.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
new file mode 100644
index 00000000..0db2b994
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, *) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to AuditLogs",
+ "enabled": false,
+ "description": "Identifies a match in AuditLogs from any URL IOC from TI",
+ "alertRuleTemplateName": "712fab52-2a7d-401e-a08c-ff939cc7c25e"
+ }
+ }
+ ]
+}
\ No newline at end of file
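Review bot: In the `extract(...)` call inside the join, the character class `[$-_@.&+]` is parsed as a range from `$` to `_` (ASCII 0x24–0x5F), which silently admits `;`, `<`, `=`, `>`, `?`, digits and uppercase letters rather than the three literal characters the author apparently intended; writing the class as `[$_@.&+-]` (hyphen last) makes it literal and should be mirrored in the OfficeActivity URL rule that reuses the same pattern. The trailing `);` after the group also means only URLs followed by a semicolon in `TargetResources` are extracted, which is worth a comment such as `// only URLs terminated by ';' in the serialized TargetResources are matched` so a reviewer does not read it as a general URL extractor. Separately, mapping `TargetResourceDisplayName` to a `Host` entity with identifier `FullName` looks questionable, since that field presumably names an application, user or group rather than a machine; confirm the intended entity type.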
From 82cc70a5125bcd5754652f06c35838e5bb3d7a55 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:43 +0000
Subject: [PATCH 343/375] Exported file: TI map URL entity to OfficeActivity
data.json.json
---
...map URL entity to OfficeActivity data.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
new file mode 100644
index 00000000..03f38954
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \n) on Url\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to OfficeActivity data",
+ "enabled": false,
+ "description": "Identifies a match in OfficeActivity data from any URL IOC from TI",
+ "alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b"
+ }
+ }
+ ]
+}
\ No newline at end of file
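Review bot: The fallback identity in the `User` expression references `parse_json(Parameters)[0].Vlaue`, a misspelling of `Value`, so whenever both `UserId` and `Actor` are empty the Account entity is left blank instead of being filled from `Parameters`; `tostring(parse_json(Parameters)[0].Value)` is presumably what was intended, and if the typo originates in the built-in template it should be fixed there too. The inner query also windows on `TimeGenerated >= ago(dt_lookBack)` with a one-hour window and an hourly schedule, whereas the PaloAlto variant later in this series guards the same window with `ingestion_time()`; OfficeActivity records that arrive late would be skipped here, so the same `| extend IngestionTime = ingestion_time() | where IngestionTime > ago(dt_lookBack)` pattern is worth adopting. The positional `parse_json(ModifiedProperties)[12].NewValue` lookup depends on the property order of the record and deserves a comment naming which property index 12 is expected to hold.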
From 1bd1b8600677cd8dea53e8a698c50192e251e8ca Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:44 +0000
Subject: [PATCH 344/375] Exported file: TI map URL entity to PaloAlto
data.json.json
---
.../TI map URL entity to PaloAlto data.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
new file mode 100644
index 00000000..c1250d23
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be59c13c-c811-4444-9a72-b69c713672b1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be59c13c-c811-4444-9a72-b69c713672b1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to PaloAlto data",
+ "enabled": false,
+ "description": "Identifies a match in PaloAlto data from any URL IOC from TI",
+ "alertRuleTemplateName": "106813db-679e-4382-a51b-1bfc463befc3"
+ }
+ }
+ ]
+}
\ No newline at end of file
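Review bot: The scheme-normalisation line can emit a double scheme: a `PA_Url` that already begins with `https://` on a non-ssl `ApplicationProtocol` passes the `!startswith "http://"` test and becomes `http://https://…`, and the mirror case produces `https://http://…`, so those rows can never equal the TI `Url` in the exact-match join. Testing for either scheme first avoids it, e.g. `| extend PA_Url = iif(PA_Url startswith "http://" or PA_Url startswith "https://", PA_Url, iif(ApplicationProtocol =~ "ssl", strcat("https://", PA_Url), strcat("http://", PA_Url)))`. Two smaller points on the same extraction: `columnifexists("RequestURL", "None")` yields the non-empty string `None` when the column is absent, so the `AdditionalExtensions` fallback never runs in that case (an empty-string default would let it), and that fallback lowercases the whole value while the `RequestURL` branch keeps original case, so the case-sensitive join behaves differently depending on which branch produced the URL.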
From 19222d6d9ab5d8095b5b476a14077330247aaa48 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:44 +0000
Subject: [PATCH 345/375] Exported file: TI map URL entity to SecurityAlert
data.json.json
---
... map URL entity to SecurityAlert data.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
new file mode 100644
index 00000000..1349ea09
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e857375b-b96a-4757-a5a6-c0ed478ee5de')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e857375b-b96a-4757-a5a6-c0ed478ee5de')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,Entities)\n // We only want alerts that actually contain URL data\n | where isnotempty(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to SecurityAlert data",
+ "enabled": false,
+ "description": "Identifies a match in SecurityAlert data from any URL IOC from TI",
+ "alertRuleTemplateName": "f30a47c1-65fb-42b1-a7f4-00941c12550b"
+ }
+ }
+ ]
+}
\ No newline at end of file
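Review bot: `extract(...)` on `Entities` returns only the first URL in the alert's entity list, so an alert carrying several URL entities is compared against TI on its first one only and a match on any later entity is missed; replacing the `extend` with `| mv-expand Url = extract_all("(http[s]?://…same pattern…)", Entities) to typeof(string)` would test every URL while leaving the following `where isnotempty(Url)` and the join unchanged. The self-exclusion filter keys on `ProductName == 'Azure Sentinel'` to stop this rule re-matching its own TI alerts; if that product string ever differs in the SecurityAlert data (the product has been renamed since the template was written), the exclusion silently stops working and the rule feeds on its own output, so a comment stating why the filter exists and the exact value it expects would help the next maintainer notice. The closing `summarize ... by IndicatorId, AlertName` also differs from the sibling rules, which group by `IndicatorId, Url`; that collapses distinct URLs under one alert name and is worth a one-line comment if deliberate.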
From 2209ca7f68b019082e2fbed08ac62894d1f9325c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:45 +0000
Subject: [PATCH 346/375] Exported file: TI map URL entity to Syslog
data.json.json
---
.../TI map URL entity to Syslog data.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
new file mode 100644
index 00000000..1d5cd75b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80491722-4553-4683-a9a0-8f14ea6dfe08')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80491722-4553-4683-a9a0-8f14ea6dfe08')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, Url, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map URL entity to Syslog data",
+ "enabled": false,
+ "description": "Identifies a match in Syslog data from any URL IOC from TI",
+ "alertRuleTemplateName": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf"
+ }
+ }
+ ]
+}
\ No newline at end of file
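Review bot: The character class `[$-_@.&+]` in the URL regex is a range from `$` (0x24) to `_` (0x5F), not the literal set `$`, `-`, `_`, so the greedy match also swallows `;`, `<`, `>`, `'`, `[`, `]`, `\` and `^` that follow a URL in free-text `SyslogMessage`; because the join is an exact string comparison on `Url`, a message like `url=<https://host/path>;` yields `https://host/path>;` and never matches the indicator. If a literal hyphen was intended, escaping it (`[$\-_@.&+]` in the KQL source) narrows the match; otherwise trimming known delimiters the way the OfficeActivity rule does with `split(Url, ';')[0]` would recover the lost matches. The extraction also takes only the first URL in the message (`extract` rather than `extract_all`), so a line listing several URLs is checked on its first one only. The same pattern is shared by the other TI-map rules in this series, so any change should be applied consistently across them.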
From 0907b5203ed28ca5117c49ec6ee6ee0d9f396d9f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:46 +0000
Subject: [PATCH 347/375] Exported file: Threats detected by Eset.json.json
---
.../Threats detected by Eset.json | 79 +++++++++++++++++++
1 file changed, 79 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Threats detected by Eset.json
diff --git a/SentinelExported-AnalyticsRule/Threats detected by Eset.json b/SentinelExported-AnalyticsRule/Threats detected by Eset.json
new file mode 100644
index 00000000..f18c55d7
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Threats detected by Eset.json
@@ -0,0 +1,79 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb68e7af-1e04-45c3-985f-76e076002f57')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb68e7af-1e04-45c3-985f-76e076002f57')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "CredentialAccess",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Threats detected by Eset",
+ "enabled": false,
+ "description": "Escalates threats detected by Eset.",
+ "alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6"
+ }
+ }
+ ]
+}
\ No newline at end of file
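Review bot: With `queryPeriod` equal to `queryFrequency` (both PT5M) and the query carrying no time filter of its own, any `eset_CL` record that lands in the workspace more than five minutes after its `TimeGenerated` appears to fall outside every run's window, and a delayed run leaves an uncovered gap; a `queryPeriod` somewhat longer than the frequency combined with an `ingestion_time()` filter (as the TI-map PaloAlto rule in this series uses) or deduplication on a record key would avoid both the miss and the duplicate incidents a plain overlap would create. The query also forwards every `Threat_Event` row without projecting what was detected or whether it was remediated, so the incident carries only host, user and IP entities; if the custom table has columns for the threat name and the action taken, projecting them would give responders the context needed to triage a Low severity alert. Three tactics are listed while `techniques` is null; adding the technique IDs would make the MITRE mapping usable in coverage views.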
From fd9b17dced3eb74478a4179018671fb2caa9863e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:47 +0000
Subject: [PATCH 348/375] Exported file: Time series anomaly detection for
total volume of traffic.json.json
---
...detection for total volume of traffic.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
new file mode 100644
index 00000000..959377cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d781e96-280e-4760-8a74-e28bcd7ef128')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d781e96-280e-4760-8a74-e28bcd7ef128')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 3,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet percentotalthreshold = 50;\nlet TimeSeriesData = CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\n// Filtering specific records associated with spikes as outliers\nlet TimeSeriesAlerts=materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\n| extend AnomalyHour = TimeGeneratedHour\n) on AnomalyHour, DeviceVendor\n| extend PercentTotal 
= round((HourlyCount / Total) * 100, 3)\n| where PercentTotal > percentotalthreshold\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Time series anomaly detection for total volume of traffic",
+ "enabled": false,
+ "description": "Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious",
+ "alertRuleTemplateName": "06a9b845-6a95-4432-a78b-83919b28c375"
+ }
+ }
+ ]
+}
\ No newline at end of file
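Review bot: The only mapped entity is `IPCustomEntity = SourceIPMax`, which comes from `SourceIPMax= arg_max(SourceIP, *)` in the final summarize — the lexicographically largest source IP string in the anomaly hour, not the top talker — so the incident's IP entity is effectively arbitrary among the sources that passed `percentotalthreshold`. Maximising on the per-source count from the inner summarize instead, e.g. `TopTalkerCount = arg_max(HourlyCount, SourceIP)` and mapping the `SourceIP` column that row returns, ties the entity to the source that drove the spike, with `SourceIPlist` kept as supporting detail. Two hedged observations on windowing: the series ends at `startofday(ago(endtime))` while anomalies are filtered with `TimeGenerated > ago(2d)` relative to run time, so with a daily schedule that does not run at 00:00 UTC the hourly bins between the previous midnight and the run's time of day appear to fall outside every run's reporting window; and `triggerThreshold: 3` with `GreaterThan` means a run with fewer than four anomalous vendor/hour rows produces no alert, which is presumably deliberate but worth a comment. Also, `make_set(DestinationIPlist, 100)` over the inner arrays yields a set of arrays rather than a flattened set of addresses, and the `query` string is shown broken across two lines at `PercentTotal` in this listing — if that newline is really in the committed file the JSON is invalid, though it is more likely a rendering artifact.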
From cc17d147349ea3db27368eb128fb35d35df659d5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:48 +0000
Subject: [PATCH 349/375] Exported file: Time series anomaly for data size
transferred to public internet.json.json
---
...a size transferred to public internet.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
new file mode 100644
index 00000000..c701785c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26ed4120-b9df-487e-bf25-3f179ebf75f4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26ed4120-b9df-487e-bf25-3f179ebf75f4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 1,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet bytessentperhourthreshold = 10;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet TimeSeriesData = (union isfuzzy=true\n(\nVMConnection\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| project TimeGenerated, BytesSent, DeviceVendor\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n),\n(\nCommonSecurityLog\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| project TimeGenerated, SentBytes, DeviceVendor\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n)\n);\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\n| project DeviceVendor, AnomalyHour, 
TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n//Union of all BaseLogs aggregated per hour\nlet BaseLogs = (union isfuzzy=true\n(\nCommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n),\n(\nVMConnection\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\n| extend 
DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n)\n);\n// Join against base logs to retrive records associated with the hour of anomoly\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\n) on DeviceVendor, AnomalyHour | sort by score desc\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| project 
DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Time series anomaly for data size transferred to public internet",
+ "enabled": false,
+ "description": "Identifies anomalous data transfer to public networks. The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious",
+ "alertRuleTemplateName": "f2dd4a3a-ebac-4994-9499-1a859938c947"
+ }
+ }
+ ]
+}
\ No newline at end of file
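Review bot: The last stage of `query` re-selects anomalies with `TimeGenerated > ago(2d)` while `queryFrequency` is `P1D`, so an anomaly hour found on one run is likely to be returned again by the next run and, with `suppressionEnabled` false, raised as a second incident. Narrowing both the `AnomalyHours` filter and the final `TimeSeriesAlerts` filter to the rule cadence (`| where TimeGenerated > ago(1d)`), or enabling suppression, would avoid the duplicate. Only `SourceIPMax` is mapped to the IP entity; the other addresses collected in `SourceIPList` are not surfaced as entities, which is worth stating in the description so analysts know to pivot on that column. The same 2d-window-versus-P1D mismatch appears in the "User Accounts - Sign in Failure due to CA Spikes" rule below.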
From f0578c76af9323c34feb518dfcd19e100cc05e15 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:49 +0000
Subject: [PATCH 350/375] Exported file: Trust Monitor Event.json.json
---
.../Trust Monitor Event.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Trust Monitor Event.json
diff --git a/SentinelExported-AnalyticsRule/Trust Monitor Event.json b/SentinelExported-AnalyticsRule/Trust Monitor Event.json
new file mode 100644
index 00000000..66054f76
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Trust Monitor Event.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2397d157-f3c4-485d-acd3-008ab8612c60')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2397d157-f3c4-485d-acd3-008ab8612c60')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet timeframe = ago(5m);\nDuoSecurityTrustMonitor_CL\n| where TimeGenerated >= timeframe\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Trust Monitor Event",
+ "enabled": false,
+ "description": "This query identifies when a new trust monitor event is detected.",
+ "alertRuleTemplateName": "8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182"
+ }
+ }
+ ]
+}
\ No newline at end of file
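Review bot: The `query` filters on `TimeGenerated >= ago(5m)` with `queryFrequency` and `queryPeriod` both `PT5M`, which leaves no overlap between consecutive runs: as far as I can tell, a DuoSecurityTrustMonitor_CL record whose `TimeGenerated` falls just before a run starts, or a run that starts late, means the event is never seen by any run. Dropping the explicit `ago()` filter and letting `queryPeriod` bound the window, or widening the lookback (`let timeframe = ago(10m);`) with suppression enabled, would close that gap. The description should also say that every trust-monitor event raises an alert, since there is no filtering on event type or priority before the entity columns are added.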
From b790b141b70c395fd7376d4e0151d4625f2e5866 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:49 +0000
Subject: [PATCH 351/375] Exported file: User Accessed Suspicious URL
Categories.json.json
---
...er Accessed Suspicious URL Categories.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
diff --git a/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
new file mode 100644
index 00000000..079df84a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e16dc82-ea01-41d5-aa55-6390a418421d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e16dc82-ea01-41d5-aa55-6390a418421d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nSymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "User Accessed Suspicious URL Categories",
+ "enabled": false,
+ "description": "Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.",
+ "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90"
+ }
+ }
+ ]
+}
\ No newline at end of file
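Review bot: `sc_filter_result` is only a group-by column in the `summarize`, so requests the proxy denied are alerted on alongside those it allowed, although the title and description describe URLs the user accessed. If that column carries the proxy's verdict, either filter on it before the `summarize` or state in the description that blocked attempts are intentionally included so the Medium severity is understood. The `count()` aggregate is also left with its default `count_` name; `EventCount = count()` would match the naming used in the other exported rules.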
From eb9c9dba70d04dd87d5567666a2efe59afc77dba Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:50 +0000
Subject: [PATCH 352/375] Exported file: User Accounts - Sign in Failure due to
CA Spikes.json.json
---
...ts - Sign in Failure due to CA Spikes.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
diff --git a/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
new file mode 100644
index 00000000..39dd9a72
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\n| project TimeGenerated, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and 
round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Accounts - Sign in Failure due to CA Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c"
+ }
+ }
+ ]
+}
\ No newline at end of file
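Review bot: The anomaly-hour filter in `query` does not line up with the series step: `TimeSeriesData` is built with `step timeframe` where `timeframe = 1d`, so the timestamps in `AnomalyHours` are day boundaries, yet the join side keeps only rows whose `bin(TimeGenerated, 1h)` equals one of them — if I read that correctly, only sign-ins from the first hour of an anomalous day survive and the rest of that day's failures are dropped. Binning to the same granularity, `| extend DateHour = bin(TimeGenerated, 1d)`, restores the intended match, and `HourlyCount` would then deserve renaming to reflect the daily step. The join is also on `UserPrincipalName` alone, so a user's anomaly row is paired with their events from any anomalous day in the 2d window rather than their own; joining on the day as well (`on UserPrincipalName, AnomalyHour`, with `AnomalyHour = DateHour` extended on the right side) tightens it. The description's "policied" should read "policies".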
From c733797a38fa6b17a793812a82c495ab616b12a9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:51 +0000
Subject: [PATCH 353/375] Exported file: User Assigned Privileged
Role.json.json
---
.../User Assigned Privileged Role.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
diff --git a/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
new file mode 100644
index 00000000..27d37b55
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "User Assigned Privileged Role",
+ "enabled": false,
+ "description": "Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "050b9b3d-53d0-4364-a3da-1b678b8211ec"
+ }
+ }
+ ]
+}
\ No newline at end of file
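Review bot: `where RoleName contains "Admin"` decides what counts as privileged by substring, so any directory role whose display name lacks that word is silently out of scope even if the tenant treats it as privileged, while any role that happens to contain it is in. An explicit list (`let PrivilegedRoles = dynamic([...]);` then `where RoleName in~ (PrivilegedRoles)`, or a watchlist) is easier to audit than the substring match. The `summarize` keeps `Result` without filtering on it, so failed assignment attempts alert at High severity together with successful ones; the description should say whether that is intended. Only `Target` is mapped as an Account entity — mapping `Initiator` as well would give analysts the actor without reopening the query.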
From a6b85883320c1deab02da4c58f939d7a7db379a7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:52 +0000
Subject: [PATCH 354/375] Exported file: User Login from Different Countries
within 3 hours.json.json
---
...om Different Countries within 3 hours.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
diff --git a/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
new file mode 100644
index 00000000..0835b8b6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Login from Different Countries within 3 hours",
+ "enabled": false,
+ "description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours",
+ "alertRuleTemplateName": "2954d424-f786-4677-9ffc-c24c44c6e7d5"
+ }
+ }
+ ]
+}
\ No newline at end of file
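Review bot: `dcount(client_geographicalContext_country_s)` appears to count an empty country string as its own value, so a session whose geo lookup was blank plus one normal session reaches `threshold = 2` and raises a High-severity incident for a user who never changed country. Adding `| where isnotempty(client_geographicalContext_country_s)` before the `summarize` avoids that, and `Countries = make_set(client_geographicalContext_country_s)` in the output would show analysts which countries were involved. `column_ifexists('published_t', now()) >= timeframe` degrades to no time filter when the column is absent, which presumably is meant to fall back on `queryPeriod`; saying so in the description would stop readers from reporting it as a bug.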
From f31f4f01d7dc1acc40918a8257f1cd956d108d92 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:53 +0000
Subject: [PATCH 355/375] Exported file: User account added to built in domain
local or global group.json.json
---
...built in domain local or global group.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
new file mode 100644
index 00000000..721fa067
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nSecurityEvent \n// When MemberName contains '-' this indicates addition of a group to a group\n| where AccountType == \"User\" and MemberName != \"-\"\n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group\n| where EventID in (4728, 4732, 4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\",OU|,CN\") - 3)\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a user account has been added to a privileged built in domain local group or global group \nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.",
+ "alertRuleTemplateName": "a35f2c18-1b97-458f-ad26-e033af18eb99"
+ }
+ }
+ ]
+}
\ No newline at end of file
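Review bot: `SimpleMemberName` is cut with `indexof_regex(MemberName, @",OU|,CN") - 3`, and when `MemberName` is not a distinguished name that index is -1, giving a negative length — as far as I can tell that yields an empty `SimpleMemberName`, and since `AccountCustomEntity` is derived from it the Account entity is blank for exactly those events. Guarding the extraction, `| extend SimpleMemberName = iff(indexof_regex(MemberName, @",OU|,CN") < 0, MemberName, substring(MemberName, 3, indexof_regex(MemberName, @",OU|,CN") - 3))`, keeps the entity populated. The `[0-9]*` segments in `WellKnownGroupSID` also match zero digits, which is harmless here but `[0-9]+` states the intent more precisely.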
From 6866f9942d3b5b3aca0286a6a747687f97551780 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:54 +0000
Subject: [PATCH 356/375] Exported file: User account created and deleted
within 10 mins.json.json
---
...nt created and deleted within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
new file mode 100644
index 00000000..c2087015
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was created\n| where EventID == 4720\n| where AccountType =~ \"User\"\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was deleted\n | where EventID == 4726\n| where AccountType == \"User\"\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where deletionTime - creationTime < spanoftime\n| extend TimeDelta = deletionTime - creationTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, creationTime, CreateEventID, CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account created and deleted within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "4b93c5af-d20b-4236-b696-a28b8c51407f"
+ }
+ }
+ ]
+}
\ No newline at end of file
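Review bot: The two halves of the query test `AccountType` differently — the creation branch uses the case-insensitive `=~ "User"` while the inner deletion branch uses case-sensitive `== "User"` — so a 4726 event whose AccountType casing differs from the literal silently drops out of the inner join and the pair is never reported. Change the inner branch to `| where AccountType =~ "User"` to match the outer one; the enable/disable sibling rule exported below already uses `=~` on both sides. The rule is also exported with `"enabled": false` and `"techniques": null`; if that is deliberate for a canary export it is fine, but a deployed copy would want the techniques populated next to the two tactics.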
From 05aa117b2dd9a0f18af3bffe35aa61f000fce2ea Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:55 +0000
Subject: [PATCH 357/375] Exported file: User account enabled and disabled
within 10 mins.json.json
---
...t enabled and disabled within 10 mins.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
diff --git a/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
new file mode 100644
index 00000000..e20a7721
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was enabled\n| where EventID == 4722\n| where AccountType =~ \"User\"\n| where TargetAccount !hassuffix \"$\"\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was disabled\n | where EventID == 4725\n| where AccountType =~ \"User\"\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where DisableTime - EnableTime < spanoftime\n| extend TimeDelta = DisableTime - EnableTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, EnableTime, EnableEventID, EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account enabled and disabled within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "3d023f64-8225-41a2-9570-2bd7c2c4535e"
+ }
+ }
+ ]
+}
\ No newline at end of file
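Review bot: The `| where TargetAccount !hassuffix "$"` filter that drops machine accounts is applied only to the enable branch of the query, not to the inner disable branch. Because the join is `kind= inner` on `Computer, TargetAccount` the filter effectively constrains both sides today, but nothing records that; a comment beside it such as `// machine accounts excluded here; the inner join applies the same filter to the disable side` would keep a later change of join kind from silently reintroducing them. As with the created/deleted rule above, the file ships with `"enabled": false` and `"techniques": null`.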
From ec9072c6820d68cabc39862178633ab4209a2317 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:56 +0000
Subject: [PATCH 358/375] Exported file: User added to Azure Active Directory
Privileged Groups.json.json
---
...re Active Directory Privileged Groups.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
diff --git a/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
new file mode 100644
index 00000000..7ef1fb82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-expand TargetResources\n| extend modProps = parse_json(TargetResources).modifiedProperties\n| mv-expand bagexpansion=array modProps\n| evaluate bag_unpack(modProps)\n| extend displayName = column_ifexists(\"displayName\", \"NotAvailable\"), newValue = column_ifexists(\"newValue\", \"NotAvailable\")\n| where displayName =~ \"Role.WellKnownObjectName\"\n| extend DisplayName = displayName, GroupName = replace('\"','',newValue)\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\n| extend AppId = initByApp.appId, \nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \"not available\"),\nServicePrincipalId = tostring(initByApp.servicePrincipalId),\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\nUserId = initByUser.id,\nUserIPAddress = initByUser.ipAddress,\nUserRoles = initByUser.roles,\nUserPrincipalName = tostring(initByUser.userPrincipalName),\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), 
ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \"not available\")\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User added to Azure Active Directory Privileged Groups",
+ "enabled": false,
+ "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+ "alertRuleTemplateName": "4d94d4a9-dc96-410a-8dea-4d4d4584188b"
+ }
+ }
+ ]
+}
\ No newline at end of file
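Review bot: Only the initiator is mapped as an entity (`AccountCustomEntity`, built from the service principal or `UserPrincipalName`), so the incident never carries the account that was actually added to the privileged role even though the query projects `TargetUserPrincipalName` and `UserIPAddress`. Add a second Account mapping `{ "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "TargetUserPrincipalName" } ] }` and an IP mapping on `UserIPAddress` with identifier `Address` so grouping and investigation pivot on the right entities. Separately, the `query` value appears to continue on a second physical line after `case(isnotempty(ServicePrincipalName), `; if that raw line break is really in the file the JSON string is invalid, though it more likely is a wrap introduced when the patch was rendered (the hunk header counts 60 lines and 61 are shown).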
From 7f5d4c34145428bd7cdbba2793db7fb7b08df1d7 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:57 +0000
Subject: [PATCH 359/375] Exported file: User agent search for log4j
exploitation attempt.json.json
---
...search for log4j exploitation attempt.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
diff --git a/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
new file mode 100644
index 00000000..c379ac60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57d051c8-0108-455a-9a94-bfa7c7c8e565')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57d051c8-0108-455a-9a94-bfa7c7c8e565')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = requestUri_s\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent 
matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(imWebSessions\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = URL\n),\n(imNetworkSession\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User agent search for log4j exploitation attempt",
+ "enabled": false,
+ "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/",
+ "alertRuleTemplateName": "29283b22-a1c0-4d16-b0a9-3460b655a46a"
+ }
+ }
+ ]
+}
\ No newline at end of file
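Review bot: Every branch of the union emits `IPCustomEntity`, and most also emit `UrlCustomEntity`, yet `entityMappings` maps only `AccountCustomEntity`, so hits from the `AzureDiagnostics` branch (which has no account column at all) produce an alert with no entities and nothing to group or pivot on. Add `{ "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }` and `{ "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } ] }` alongside the Account mapping. The `query` value again appears to wrap onto a second physical line after `or UserAgent `; if that break is in the file itself the JSON is invalid, but the 59-line hunk header versus 60 lines shown suggests a rendering wrap rather than a defect in the export.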
From 21202147951ae37357f9fe2c94cb7cf51fea1472 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:58 +0000
Subject: [PATCH 360/375] Exported file: User joining Zoom meeting from
suspicious timezone.json.json
---
...Zoom meeting from suspicious timezone.json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
diff --git a/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
new file mode 100644
index 00000000..4cd66a44
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet schedule_lookback = 14d; \nlet join_lookback = 1d; \n// If you want to whitelist specific timezones include them in a list here\nlet tz_whitelist = dynamic([]);\nlet meetings = ( \nZoomLogs \n| where TimeGenerated >= ago(schedule_lookback) \n| where Event =~ \"meeting.created\" \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \nZoomLogs \n| where TimeGenerated >= ago(join_lookback) \n| where Event =~ \"meeting.participant_joined\" \n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| where JoinedTimeZone !in (tz_whitelist)\n| join (meetings) on MeetingId \n| where SchedTimezone != JoinedTimeZone \n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User joining Zoom meeting from suspicious timezone",
+ "enabled": false,
+ "description": "The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones",
+ "alertRuleTemplateName": "58fc0170-0877-4ea8-a9ff-d805e361cfae"
+ }
+ }
+ ]
+}
\ No newline at end of file
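Review bot: `| join (meetings) on MeetingId` uses KQL's default join kind, `innerunique`, which keeps only one left-side row per `MeetingId`; since the left side is the `meeting.participant_joined` events, a meeting with several participants joining from foreign time zones would surface only one of them per run. Use `| join kind=inner (meetings) on MeetingId` so every joining participant is compared against the scheduled time zone. `JoinedTimeZone !in (tz_whitelist)` is also case-sensitive, so either document that entries must match the tz database casing exactly or use `!in~`.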
From 2bcf82998f2a8b94373022305f580613643ce4e2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:24:59 +0000
Subject: [PATCH 361/375] Exported file: User login from different countries
within 3 hours (Uses Authentication Normalization).json.json
---
...s (Uses Authentication Normalization).json | 59 +++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
diff --git a/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
new file mode 100644
index 00000000..6bd39a50
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let timeframe = ago(3h);\nlet threshold = 2;\nimAuthentication\n| where TimeGenerated > timeframe\n| where EventType=='Logon' and EventResult=='Success'\n| where isnotempty(SrcGeoCountry)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\n , NumOfCountries = dcount(SrcGeoCountry)\n by TargetUserId, TargetUsername, TargetUserType\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User login from different countries within 3 hours (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "This query searches for successful user logins from different countries within 3 hours.\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "09ec8fa2-b25f-4696-bfae-05a7b85d7b9e"
+ }
+ }
+ ]
+}
\ No newline at end of file
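Review bot: The summarize reports `NumOfCountries` but never carries the country names, so an analyst receiving the alert cannot see which countries were involved without re-running the query. Appending `, Countries = make_set(SrcGeoCountry)` to the `summarize` line costs nothing and makes the incident actionable on its own. With `threshold = 2` and no allow-list, a user who routinely authenticates from two countries (for example a VPN egress abroad) will fire this High-severity rule every three hours; a comment pointing operators at `threshold` or at an exclusion for known accounts would help tuning.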
From 153e1d5b8aaacd01eaf96482c922c4c952810256 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:00 +0000
Subject: [PATCH 362/375] Exported file: Users searching for VIP user
activity.json.json
---
...Users searching for VIP user activity.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
diff --git a/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
new file mode 100644
index 00000000..cd2e9241
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/604dfab2-c845-4910-876f-76dce9eb58cb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/604dfab2-c845-4910-876f-76dce9eb58cb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Users searching for VIP user activity",
+ "enabled": false,
+ "description": "This query monitors for users running Log Analytics queries that contain filters\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.",
+ "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e"
+ }
+ }
+ ]
+}
\ No newline at end of file
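Review bot: The exported query still carries the template placeholders `'vip1@email.com','vip2@email.com'` in `vips` and an empty `allowed_users`, so as deployed it only matches queries that name the `VIPUsers` watchlist and it flags the SOC's own searches. Before enabling, replace the placeholders with the real VIP principals and populate `allowed_users` with the analysts expected to run such searches; the leading comment in the query says as much, but nothing in the file marks it as unconfigured. The rule is exported with `"enabled": false`, which is the right state while those values are placeholders.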
From 8801ee767eb5b82806f8a63c46f4c0cd76c72d3f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:01 +0000
Subject: [PATCH 363/375] Exported file: Valid Analytic Rule 1.json.json
---
.../Valid Analytic Rule 1.json | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
diff --git a/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
new file mode 100644
index 00000000..809909b8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "SecurityAlert",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "alert name {{AlertName}}",
+ "alertDescriptionFormat": "DESC test {{Description}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [],
+ "techniques": null,
+ "displayName": "Valid Analytic Rule 1",
+ "enabled": true,
+ "description": "DESCRIPTION CHECK",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
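Review bot: This file reads as a test fixture — `"query": "SecurityAlert"`, `"description": "DESCRIPTION CHECK"`, the `{{AlertName}}`/`{{Description}}` override formats — yet it is exported with `"enabled": true`, High severity and a PT5H window, so deploying it would re-raise every `SecurityAlert` row in the workspace as a new incident every five hours. Set `"enabled": false` or keep the file out of the deployable rule set. Also, `groupByAlertDetails` and `groupByCustomDetails` are `[]` here but `null` in every other exported rule in this series, so the same keys carry two types across the corpus; consumers of these exports should settle on one (the empty array is the friendlier choice).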
From 3f2153534688bf94ced4b599df772f24a8a0cf8a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:02 +0000
Subject: [PATCH 364/375] Exported file: Vectra AI Detect - Detections with
High Severity.json.json
---
...etect - Detections with High Severity.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
new file mode 100644
index 00000000..5276902f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc28747a-f907-4cf8-b2e2-099b4663b67e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc28747a-f907-4cf8-b2e2-099b4663b67e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, 
vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Detections with High Severity",
+ "enabled": false,
+ "description": "Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.",
+ "alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798"
+ }
+ }
+ ]
+}
\ No newline at end of file
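Review bot: The per-row `Tactic` column that the `query` string derives from the Vectra category is never surfaced on the alert, because the resource has no `alertDetailsOverride`; every incident therefore inherits the static seven-entry `tactics` list even though the query maps only five categories and already discards anything outside `configured_tactics`. Adding `"alertDetailsOverride": { "alertTacticsColumnName": "Tactic" }` under `properties` would make each alert carry the detection's own tactic. Two smaller points in the query: the fallback literal `"UNKNWON"` in the `source_entity` case is misspelled and is used as an `arg_max` grouping key, so it should read `"UNKNOWN"` like the `Tactic` fallback; and the final `project` drops `detection_name`, `threat_score` and `certainty_score`, so an analyst cannot see which detection fired or how it scored — consider keeping them. The description says "Threat score superior to 7.0" while the filter is `todecimal(LogSeverity) >= severity_threshold`, so the text should say "7.0 or higher".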
From 3f62294e0c19f79804a9705190d06ed5769abec0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:03 +0000
Subject: [PATCH 365/375] Exported file: Vectra AI Detect - New Campaign
Detected.json.json
---
...tra AI Detect - New Campaign Detected.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
new file mode 100644
index 00000000..efaa9e94
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID contains \"campaign\"\n| where DeviceAction == \"START\"\n| extend reason = extract(\"reason=(.+?)$\", 1, AdditionalExtensions)\n| project-rename vectra_URL = DeviceCustomString4\n| project Activity,SourceHostName, reason, vectra_URL\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "LateralMovement",
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - New Campaign Detected",
+ "enabled": false,
+ "description": "Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.",
+ "alertRuleTemplateName": "a34d0338-eda0-42b5-8b93-32aae0d7a501"
+ }
+ }
+ ]
+}
\ No newline at end of file
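Review bot: The `| project Activity,SourceHostName, reason, vectra_URL` step in the `query` string drops `TimeGenerated`, so, unlike the sibling Vectra rules, this one sets no `timestamp` and the alert is stamped with the query run time rather than when the campaign started; keep it with `| project TimeGenerated, Activity, SourceHostName, reason, vectra_URL` and `| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL, timestamp = TimeGenerated`. The class filter `DeviceEventClassID contains "campaign"` is a case-insensitive substring match, whereas the other rules in this series exclude the exact value `"campaigns"`; if that is the only class ID meant to match here, `DeviceEventClassID == "campaigns"` is both tighter and cheaper. The description also misspells "across" as "accross".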
From 281d9076e2051ab66b38d8755beb9b5b24564e6e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:03 +0000
Subject: [PATCH 366/375] Exported file: Vectra AI Detect - Suspected
Compromised Account.json.json
---
...etect - Suspected Compromised Account.json | 74 +++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
new file mode 100644
index 00000000..e5c6ffe8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json
@@ -0,0 +1,74 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspected Compromised Account",
+ "enabled": false,
+ "description": "Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.",
+ "alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0"
+ }
+ }
+ ]
+}
\ No newline at end of file
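Review bot: The `level` case in the `query` string classifies a certainty score of exactly 50 inconsistently: with `threat_score < 50` the branch `certainty_score >= 50` treats 50 as high certainty ("Medium"), but with `threat_score >= 50` the branch `certainty_score <= 50` treats the same value as low certainty ("High" instead of "Critical"); change the third branch to `threat_score >= 50 and certainty_score < 50, "High"` so the boundary is handled the same way in both halves. The query also computes a per-row `Severity` (Low/Medium/High), but with no `alertDetailsOverride` every incident is created at the static `"severity": "Medium"`, so a Critical account is indistinguishable from a Low one; add `"alertDetailsOverride": { "alertSeverityColumnName": "Severity" }` under `properties`. The inline comment `//keep only the event with the highest threat score per Host` is stale here, since `summarize arg_max(threat_score, *) by saccount` groups per account, so it should say `per account`.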
From 2bbf915cba672b4e504474625008ef4e15b4682a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:04 +0000
Subject: [PATCH 367/375] Exported file: Vectra AI Detect - Suspected
Compromised Host.json.json
---
...I Detect - Suspected Compromised Host.json | 83 +++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
new file mode 100644
index 00000000..05d83de4
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by SourceHostName\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspected Compromised Host",
+ "enabled": false,
+ "description": "Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.",
+ "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63"
+ }
+ }
+ ]
+}
\ No newline at end of file
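Review bot: The rule's static `"severity": "High"` is applied to every incident even though the `query` string computes a per-host `Severity` of Low, Medium or High and the default `configured_level` includes Low and Medium, so a low-confidence host produces a High incident; add `"alertDetailsOverride": { "alertSeverityColumnName": "Severity" }` under `properties` so the incident severity follows the query's own classification. The `level` case also handles a certainty score of exactly 50 asymmetrically: `certainty_score >= 50` counts as high certainty when `threat_score < 50` ("Medium"), but `certainty_score <= 50` counts as low certainty when `threat_score >= 50` ("High" rather than "Critical"); change that branch to `threat_score >= 50 and certainty_score < 50, "High"`. The description has an unbalanced parenthesis in `Low, Medium, High, Critical).`.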
From 4f008e7a7d7613e2cb57b7d611ae095417182f73 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:05 +0000
Subject: [PATCH 368/375] Exported file: Vectra AI Detect - Suspicious
Behaviors.json.json
---
...ctra AI Detect - Suspicious Behaviors.json | 92 +++++++++++++++++++
1 file changed, 92 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
new file mode 100644
index 00000000..af7df314
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\" \n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename triaged = DeviceCustomString5\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), 
SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity , Activity\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspicious Behaviors",
+ "enabled": false,
+ "description": "Create an incident for each new malicious behavior detected by Vectra Detect. \nBy default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.",
+ "alertRuleTemplateName": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3"
+ }
+ }
+ ]
+}
\ No newline at end of file
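Review bot: The `query` string derives both a per-row `Severity` and a per-row `Tactic`, but the resource has no `alertDetailsOverride`, so every incident is created at the static `"severity": "Medium"` with the full seven-entry `tactics` list; add `"alertDetailsOverride": { "alertSeverityColumnName": "Severity", "alertTacticsColumnName": "Tactic" }` under `properties` so each alert reflects its own classification. The `level` case treats a certainty score of exactly 50 as high certainty when `threat_score < 50` (`>= 50`) but as low certainty when `threat_score >= 50` (`<= 50`), so a 50/50 detection lands on "High" instead of "Critical"; change the third branch to `threat_score >= 50 and certainty_score < 50, "High"`. The `source_entity` fallback literal `"UNKNWON"` is misspelled and is used as an `arg_max` grouping key, so it should read `"UNKNOWN"`. `triaged` (renamed from `DeviceCustomString5`) is projected but never filtered on; if it marks detections already triaged in Vectra, confirm whether those should be excluded before an incident is raised.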
From a2a4da5931dc7b5f4e3674b028f043632e75e95f Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:06 +0000
Subject: [PATCH 369/375] Exported file: Vulnerable Machines related to OMIGOD
CVE-2021-38647.json.json
---
...ines related to OMIGOD CVE-2021-38647.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
new file mode 100644
index 00000000..2f384871
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
+ "enabled": false,
+ "description": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal",
+ "alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b"
+ }
+ }
+ ]
+}
\ No newline at end of file
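Review bot: The `parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *` in the `query` string leaves `VirtualMAchine` empty whenever `ResourceDetails` lacks that segment, and the empty value then becomes both a `summarize` key and the Host entity, so the rule can raise a High incident with no host attached; add `| where isnotempty(VirtualMAchine)` after the `parse`. The CVE filter `RemediationDescription has 'CVE-2021-38647'` depends on the free-text remediation wording even though the query already reads a `VulnerabilityId` column; assuming that column carries the CVE identifier, `| where VulnerabilityId has 'CVE-2021-38647' or RemediationDescription has 'CVE-2021-38647'` would survive wording changes. The output column is `Timestamp` here while the other rules in this series use `timestamp`, and the description misspells "reference" as "refrence".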
From 5458406032e2aa557b2ff89a6cf22fcacf7d3a73 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:07 +0000
Subject: [PATCH 370/375] Exported file: Vulnerable Machines related to log4j
CVE-2021-44228.json.json
---
...hines related to log4j CVE-2021-44228.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
new file mode 100644
index 00000000..7586f07a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to log4j CVE-2021-44228",
+ "enabled": false,
+ "description": "This query uses the Azure Defender Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271",
+ "alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a"
+ }
+ }
+ ]
+}
\ No newline at end of file
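Review bot: As in the OMIGOD rule, the `parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '"' *` step in the `query` string yields an empty `VirtualMAchine` for any recommendation whose `ResourceDetails` has no `virtualMachines/` segment, and that empty string is then grouped on and mapped to the Host entity; add `| where isnotempty(VirtualMAchine)` after the `parse` so only rows with a resolvable host produce alerts. The match `RemediationDescription has 'CVE-2021-44228'` keys on remediation prose although the query already selects `VulnerabilityId`; if that column holds the CVE identifier, `| where VulnerabilityId has 'CVE-2021-44228' or RemediationDescription has 'CVE-2021-44228'` is more robust. `Timestamp` should be `timestamp` for consistency with the other exported rules, and the description misspells "reference" as "refrence".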
From ecd3454263097eaa00f598b3de0dddb5a9a2909a Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:08 +0000
Subject: [PATCH 371/375] Exported file: Wazuh - Large Number of Web errors
from an IP.json.json
---
...Large Number of Web errors from an IP.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
diff --git a/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
new file mode 100644
index 00000000..87204239
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nCommonSecurityLog\n| where DeviceProduct =~ \"Wazuh\"\n| where Activity has \"Web server 400 error code.\"\n| where Message has \"403\"\n| extend HostName=substring(split(DeviceCustomString1,\")\")[0],1)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\n| where NumberOfErrors > 400\n| sort by NumberOfErrors desc\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Wazuh - Large Number of Web errors from an IP",
+ "enabled": false,
+ "description": "Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst",
+ "alertRuleTemplateName": "2790795b-7dba-483e-853f-44aa0bc9c985"
+ }
+ }
+ ]
+}
\ No newline at end of file
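Review bot: The threshold in the Wazuh query on the `query` line can never be met: `NumberOfErrors = dcount(SourceIP)` is computed `by HostName, SourceIP`, so every group contains exactly one distinct SourceIP and `where NumberOfErrors > 400` discards every row, leaving the rule unable to fire even once enabled. The description says it counts over 400 '403' errors from one address, which is `count()`, not `dcount()`: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP`. Because the rule is exported with `"enabled": false`, this would only surface when someone turns it on, so it is worth fixing in the source rule rather than in this export.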
From db3d61f32e8aa1981c2858732ce99659de1a29a2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:09 +0000
Subject: [PATCH 372/375] Exported file: Web sites blocked by Eset.json.json
---
.../Web sites blocked by Eset.json | 88 +++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
diff --git a/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
new file mode 100644
index 00000000..7722ffc8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
@@ -0,0 +1,88 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "eset_CL\n| where event_type_s == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration",
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Web sites blocked by Eset",
+ "enabled": false,
+ "description": "Create alert on web sites blocked by Eset.",
+ "alertRuleTemplateName": "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9"
+ }
+ }
+ ]
+}
\ No newline at end of file
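Review bot: The Eset rule alerts on every raw `FilteredWebsites_Event` row: the `query` line has no `summarize`, `triggerThreshold` is 0 with `GreaterThan`, and `suppressionEnabled` is false, so a single user hitting a few blocked sites yields an alert per 5-minute window and, with `createIncident` true, an incident each time. If per-event alerting is intended this is fine, but a Low-severity web-filter block is usually aggregated, e.g. `| summarize BlockedCount = count(), Urls = make_set(object_uri_s, 20) by username_s, hostname_s, ipv4_s` with the entity columns extended from the grouped fields and a threshold above 0. Separately, `queryFrequency` and `queryPeriod` are both `PT5M`; with no overlap between windows, events that land after ingestion delay can fall between runs, so a `queryPeriod` somewhat longer than the frequency is the safer default.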
From 818a13feddd7806b155b64d649a17bb675233714 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:10 +0000
Subject: [PATCH 373/375] Exported file: Zoom E2E Encryption Disabled.json.json
---
.../Zoom E2E Encryption Disabled.json | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
diff --git a/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
new file mode 100644
index 00000000..e1fea2e8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend NewE2ESetting = columnifexists(\"payload_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| extend OldE2ESetting = columnifexists(\"payload_old_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Zoom E2E Encryption Disabled",
+ "enabled": false,
+ "description": "This alerts when end to end encryption is disabled for Zoom meetings.",
+ "alertRuleTemplateName": "e4779bdc-397a-4b71-be28-59e6a1e1d16b"
+ }
+ }
+ ]
+}
\ No newline at end of file
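Review bot: The Zoom rule's condition on the `query` line appears inverted relative to its name: `where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'` matches the setting changing from false to true, i.e. E2E encryption being turned on, while `displayName` and `description` say the rule fires when encryption is disabled. Unless the `..._e2e_encryption_b` payload fields carry the opposite meaning, the line should read `| where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'`. The tactics `CredentialAccess` and `Discovery` also read oddly for a weakened-encryption setting change; `DefenseEvasion` is the closer fit, though that is a judgement call on the source rule.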
From 9099d03f4c798ab58bcc5e9260fbee11af4d5acd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:11 +0000
Subject: [PATCH 374/375] Exported file: new file added -- 2_14_2013.json.json
---
.../new file added -- 2_14_2013.json | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
diff --git a/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
new file mode 100644
index 00000000..07598ea9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [
+ "ResourceDevelopment"
+ ],
+ "techniques": [
+ "T1583",
+ "T1586",
+ "T1584"
+ ],
+ "displayName": "new file added -- 2/14/2013",
+ "enabled": true,
+ "description": "new file added -- 2/14/2013",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
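Review bot: This rule is exported with `"enabled": true` while its `query` is the bare table `CommonSecurityLog` with `triggerThreshold` 0, so in any workspace receiving CEF data it raises an alert and an incident every 5 hours regardless of content; the `displayName` and `description` ("new file added -- 2/14/2013") mark it as a test artifact, and the `ResourceDevelopment` tactic with `T1583`/`T1584`/`T1586` describes nothing the query detects. The same applies to the `new test rule 1` hunk that follows (bare `CommonSecurityLog`, `"enabled": true`, empty `description`, though there `createIncident` is false). If these have to stay in the export, `"enabled": false` is the safe value for both; leftover test rules are better removed from the source workspace than carried into a deployment template.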
From a5f85fb7c9931ce4b7a34b87b69e58b5bafc4a81 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]"
<81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Fri, 24 Feb 2023 02:25:12 +0000
Subject: [PATCH 375/375] Exported file: new test rule 1.json.json
---
.../new test rule 1.json | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/new test rule 1.json
diff --git a/SentinelExported-AnalyticsRule/new test rule 1.json b/SentinelExported-AnalyticsRule/new test rule 1.json
new file mode 100644
index 00000000..ed09e71a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/new test rule 1.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": false,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "new test rule 1",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file