From d9c507c0ab16cb68643695e71f53879da2152d91 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:02 +0000
Subject: [PATCH 001/375] Exported file: ./.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json.json
---
 ..._c4780b67-8059-45a5-8dc8-0301570477c0.json | 376 ++++++++++++++++++
 1 file changed, 376 insertions(+)
 create mode 100644 .sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
diff --git a/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
new file mode 100644
index 00000000..e2d864b0
--- /dev/null
+++ b/.sentinel/exported_contents_map_c4780b67-8059-45a5-8dc8-0301570477c0.json
@@ -0,0 +1,376 @@ +{ + "64ce2f23-eab3-4e96-899a-bd2403d21a86": "\"a7004ad4-0000-0800-0000-63d45e2f0000\"", + "c48bc19c-dba4-4da3-b215-c9086150d26f": "\"a70052d4-0000-0800-0000-63d45e300000\"", + "c2cab3a7-b80c-4b53-8126-9affe3ef96d4": "\"35002d68-0000-0800-0000-63f5638f0000\"", + "6a14a7a3-8278-47a8-b17a-2f9f1571362c": "\"3500554e-0000-0800-0000-63f55b050000\"", + "835a2032-8b67-4e89-a5c6-2d3c04526a70": "\"35007b4c-0000-0800-0000-63f557450000\"", + "bbe16dbb-c5b1-4796-a640-23be2e6e1e6f": "\"35007e4c-0000-0800-0000-63f557590000\"", + "29579f11-7599-48db-9ded-b81730a99f26": "\"3500844c-0000-0800-0000-63f5576e0000\"", + "9f7a0194-705a-45f9-a54d-a1a1d29354e0": "\"3500a24c-0000-0800-0000-63f557a90000\"", + "1dbb9018-2cb3-4818-87e0-8a4a5a1980dc": "\"3500ab4c-0000-0800-0000-63f557c40000\"", + "4d197e7a-078d-4401-9359-9c84a2335885": "\"3500b14c-0000-0800-0000-63f557d90000\"", + "118cc3d5-6ab5-493a-a0a9-793c9dd09875": "\"250037d3-0000-0800-0000-63ec4af90000\"", + "84af311a-0ca0-4e6e-9626-65cbcd255ceb": "\"3500b54c-0000-0800-0000-63f557f20000\"", + "fa3714b9-e6fa-4839-92cf-c7a3329e0edb": "\"3500ce4c-0000-0800-0000-63f558410000\"", + "2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd": "\"3500d34c-0000-0800-0000-63f558540000\"", + "3bef0ebd-28b7-465d-9f37-f2e69d390dbc": "\"3500ed4c-0000-0800-0000-63f558a60000\"", + "b129d496-e02c-479f-a5c7-16cc71ef63ad": "\"3500404d-0000-0800-0000-63f558bc0000\"", + "62e59eb2-2ac3-4a04-b73e-9aaea7a00c90": "\"35009f4d-0000-0800-0000-63f558d00000\"", + "8628a3cf-01b4-40ff-b06c-1ff6d5678535": "\"3500c34d-0000-0800-0000-63f558ea0000\"", + "2cca3599-da9a-4231-a9d2-b1f733201dbd": "\"3500c94d-0000-0800-0000-63f559010000\"", + "ee43dc07-3a2f-4c4d-b460-557389385470": "\"3500ce4d-0000-0800-0000-63f5591f0000\"", + "45f5eb6b-e221-44e3-928c-a372d76d1a6d": "\"3500d74d-0000-0800-0000-63f559350000\"", + "7b61a883-0219-4ac3-8058-29afe81b8e7e": "\"3500df4d-0000-0800-0000-63f559540000\"", + "5835ecfd-6b56-4f8e-9719-74d85e34c077": "\"3500e24d-0000-0800-0000-63f5596c0000\"", 
+ "798fde9b-d47c-4158-99e0-326a7f4e29d6": "\"3500ea4d-0000-0800-0000-63f559830000\"", + "a4490aac-93b0-4262-b08d-fb4bc4e74dd6": "\"3500f44d-0000-0800-0000-63f559990000\"", + "fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246": "\"3500fa4d-0000-0800-0000-63f559c30000\"", + "5892dbb0-9d3b-485a-b4cf-147e30b22cbe": "\"3500fe4d-0000-0800-0000-63f559d40000\"", + "75e2a7e7-535e-47ca-9fea-d30a0f0f104d": "\"3500064e-0000-0800-0000-63f559ee0000\"", + "288cca7e-3f39-42fc-ada2-eca124936ec2": "\"35000b4e-0000-0800-0000-63f55a000000\"", + "769308db-305a-47ed-9837-bfb6bec71ea7": "\"35001f4e-0000-0800-0000-63f55a5c0000\"", + "24b268fb-0acf-4315-808e-f1e941506be3": "\"3500264e-0000-0800-0000-63f55a740000\"", + "10254512-df08-4fea-8619-c505e87d377b": "\"3500354e-0000-0800-0000-63f55a870000\"", + "aa392189-9ff4-40f3-af07-3c2e454d5b22": "\"3500384e-0000-0800-0000-63f55a9b0000\"", + "78389019-b3c8-476c-9867-dee37f00f6ea": "\"35003c4e-0000-0800-0000-63f55ab20000\"", + "c2397090-face-41f6-ae70-89fc66312292": "\"3500474e-0000-0800-0000-63f55ac90000\"", + "edb16bf3-eeca-4545-901f-6b4d79a41be9": "\"35004a4e-0000-0800-0000-63f55add0000\"", + "6d3d9221-367e-4954-836b-a53bfb08d042": "\"35004f4e-0000-0800-0000-63f55af20000\"", + "09171b34-9e5d-4554-8675-f564c77f739d": "\"3500584e-0000-0800-0000-63f55b170000\"", + "0993b38b-fb86-4dc8-8b3d-8531f0b2e12b": "\"3500654e-0000-0800-0000-63f55b300000\"", + "15ce6bf5-76f6-4160-a6ab-cae48ccd14c7": "\"3500804e-0000-0800-0000-63f55b440000\"", + "defe98a5-5be4-4a6c-9808-eef4c1946f37": "\"3500004f-0000-0800-0000-63f55b600000\"", + "ebbc52fe-8427-412b-98a7-6804d5506f7d": "\"35003a4f-0000-0800-0000-63f55b740000\"", + "44975607-3f23-4632-871e-b08b59ebd68c": "\"3500834f-0000-0800-0000-63f55b880000\"", + "74a06942-f4b8-440a-bcbb-829dc41948ba": "\"3500be4f-0000-0800-0000-63f55b9a0000\"", + "4e137990-3aad-4695-8ea5-eac1e16a9451": "\"35001150-0000-0800-0000-63f55bb00000\"", + "dea3bd60-9ee8-49fd-a859-3bab903451e5": "\"35005550-0000-0800-0000-63f55bc20000\"", + 
"0bffacb7-52da-463c-8ae4-62c09da8c510": "\"35009c50-0000-0800-0000-63f55bd70000\"", + "d6f670a3-6443-47c0-8c9e-387a1d0e58c0": "\"35000f51-0000-0800-0000-63f55bea0000\"", + "05c4ea76-9c7f-4865-824b-178cbb899a82": "\"35006a51-0000-0800-0000-63f55c030000\"", + "7bf49942-c5ad-448a-bf6b-893f39186ea2": "\"3500ef51-0000-0800-0000-63f55c200000\"", + "5410fda8-a757-41b6-97f1-79a08f07dd0f": "\"35004852-0000-0800-0000-63f55c330000\"", + "41f05d3b-cc19-40f4-942e-d6748668eb18": "\"35008b52-0000-0800-0000-63f55c460000\"", + "4f53eb74-71dc-4775-a62c-ff48580a8bb2": "\"3500cc52-0000-0800-0000-63f55c580000\"", + "4413d174-435c-48a7-8a3c-437db7ff3939": "\"35001753-0000-0800-0000-63f55c6d0000\"", + "ece1918c-59f2-43ec-841a-7ef0e99c3b7f": "\"35006a53-0000-0800-0000-63f55c800000\"", + "29e3406d-b57c-411b-8604-4b77ff01e36f": "\"3500c153-0000-0800-0000-63f55c920000\"", + "d06f4dc9-2343-4bd9-85a1-86436bcf45fb": "\"35001554-0000-0800-0000-63f55ca60000\"", + "094a8752-7d9e-4873-84ee-ff561e73b3c0": "\"35007854-0000-0800-0000-63f55cbd0000\"", + "afa9ee13-2d74-4ca6-bb7e-8193ba946d40": "\"35008954-0000-0800-0000-63f55cd40000\"", + "872545df-734f-481c-acd9-4a2d7af889e3": "\"35008f54-0000-0800-0000-63f55ce80000\"", + "6be5f005-18ec-4034-8f0d-13b8ce42b11a": "\"3500a054-0000-0800-0000-63f55cfb0000\"", + "7d5851b1-5d59-44da-9b51-5a0482707723": "\"3500a454-0000-0800-0000-63f55d0e0000\"", + "d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a": "\"3500a754-0000-0800-0000-63f55d2c0000\"", + "814a077a-8846-4195-af81-d17d1bbfd54d": "\"3500c354-0000-0800-0000-63f55d4a0000\"", + "2888ae98-ce2c-44e9-a841-001e775b0b7a": "\"3500ca54-0000-0800-0000-63f55d610000\"", + "a438db5b-f71f-4cb7-98ad-335e3b8ba533": "\"3500ce54-0000-0800-0000-63f55d730000\"", + "cda5807c-80cb-4159-adcb-884589deef20": "\"3500d654-0000-0800-0000-63f55d8f0000\"", + "4a9a7b49-4e79-4f64-b778-209a63227af1": "\"3500e154-0000-0800-0000-63f55da10000\"", + "56bd3d9c-25ae-42f7-80b5-b3be274f9971": "\"35000655-0000-0800-0000-63f55df70000\"", + 
"fc32fc57-e12b-4823-b40a-86ede70b5af7": "\"35001d55-0000-0800-0000-63f55e0d0000\"", + "1ffcf2eb-7b20-4385-add1-d47244784479": "\"35009c55-0000-0800-0000-63f55e200000\"", + "a095755b-fc1c-4311-a607-118eb9170048": "\"3500b056-0000-0800-0000-63f55e340000\"", + "9bcc4a9b-d85e-4927-a32e-b8284cfa5422": "\"3500ba57-0000-0800-0000-63f55e470000\"", + "aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4": "\"3500bc58-0000-0800-0000-63f55e5a0000\"", + "3df7345e-b037-4478-a753-dd23d194b187": "\"3500165a-0000-0800-0000-63f55e740000\"", + "8e494d49-35d6-4cea-b30d-29f22c179aab": "\"35008a5b-0000-0800-0000-63f55e8c0000\"", + "f6dda353-e32a-41e2-b892-87012ab48a79": "\"35002d5d-0000-0800-0000-63f55eaa0000\"", + "ece332c1-3f76-49d9-92fb-c94bc4af948d": "\"3500755e-0000-0800-0000-63f55ebf0000\"", + "b40835ac-6aa1-44c8-94ee-9634550cbf43": "\"35005a60-0000-0800-0000-63f55eda0000\"", + "af215a8a-6d4d-4018-9e57-232303ee41d6": "\"3500c561-0000-0800-0000-63f55eed0000\"", + "ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e": "\"3500df63-0000-0800-0000-63f55f060000\"", + "eef3a7d9-3be0-461b-9136-dfd2485f0fe5": "\"3500b064-0000-0800-0000-63f55f1b0000\"", + "4715c9ad-d4c0-4eed-b1a7-fa0a808deff4": "\"3500b664-0000-0800-0000-63f55f360000\"", + "6769d928-39db-442b-8af3-4477e02f38fc": "\"3500bb64-0000-0800-0000-63f55f490000\"", + "fd78be72-fc73-4cb5-aef3-b9f61b35c1be": "\"3500bf64-0000-0800-0000-63f55f5e0000\"", + "08df1b8f-e53a-4f2e-9bd3-b3908f512f46": "\"3500c264-0000-0800-0000-63f55f730000\"", + "9aa0f3fe-1c85-48de-b37f-63b61b97b3d6": "\"3500c964-0000-0800-0000-63f55f8a0000\"", + "6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974": "\"3500cc64-0000-0800-0000-63f55f9f0000\"", + "33e7e266-a87e-454d-8e09-6d3e131d75ee": "\"3500d264-0000-0800-0000-63f55fb80000\"", + "881f8a7b-1178-4f35-9b02-7fc5414ba7f8": "\"3500df64-0000-0800-0000-63f55fcd0000\"", + "79061028-980a-4760-881b-52e79c1015c6": "\"35007565-0000-0800-0000-63f55fdf0000\"", + "b674088a-825a-4b49-ad10-7ffa5d483059": "\"35006b66-0000-0800-0000-63f55ff50000\"", + 
"f740a0e2-386b-4470-8b13-284d2ee5dce5": "\"35000467-0000-0800-0000-63f560170000\"", + "fd536808-fae9-4fc6-b046-9cd28b7e9e19": "\"35000867-0000-0800-0000-63f5602a0000\"", + "3e4f6960-6e74-4b97-960b-6eca2383de68": "\"35001f67-0000-0800-0000-63f560440000\"", + "41da3e01-b685-4352-bded-ae2646b20c5c": "\"35002667-0000-0800-0000-63f560680000\"", + "8e545f53-bfa1-47e0-997d-d7f67d02eda4": "\"35002b67-0000-0800-0000-63f5607d0000\"", + "bde332b1-a602-44eb-b834-99dc1e0b42d9": "\"35002e67-0000-0800-0000-63f5608e0000\"", + "bc94a765-bab8-4692-9cec-86978582f1b8": "\"35003467-0000-0800-0000-63f560a40000\"", + "7791c2cc-28ac-4387-87e7-9ddda54c2543": "\"35003767-0000-0800-0000-63f560b70000\"", + "99d7dd4b-3f78-4f82-b514-82a22fe2eb3a": "\"35003a67-0000-0800-0000-63f560cd0000\"", + "3c22319a-c4d1-411e-8764-72a96333f21e": "\"35004b67-0000-0800-0000-63f561270000\"", + "0ae05016-a937-41c9-92ab-9c347b0ea127": "\"35005167-0000-0800-0000-63f561410000\"", + "534eed88-50e6-4584-a8f0-c245d16537e9": "\"35005767-0000-0800-0000-63f561530000\"", + "f440c27a-949f-44a8-8617-6533617ce4c6": "\"35006367-0000-0800-0000-63f561660000\"", + "f41c2cf0-14ea-42fb-a07e-c7514a198d17": "\"35006a67-0000-0800-0000-63f5617c0000\"", + "8931ab6f-b308-4242-9876-014014c6b8ff": "\"35007167-0000-0800-0000-63f561950000\"", + "a21f9398-0e6d-4d8a-a9cf-4becee5853b0": "\"35007667-0000-0800-0000-63f561ad0000\"", + "b0a0ec4e-ca45-42df-aaca-8487d921115d": "\"35007967-0000-0800-0000-63f561c20000\"", + "4e451694-0fbc-4df8-83ca-1cbc82d3e019": "\"35007e67-0000-0800-0000-63f561da0000\"", + "511e0713-a13f-4f83-8021-b8a22bb9bcc4": "\"35008267-0000-0800-0000-63f561ed0000\"", + "176ecb24-2007-4d65-a832-af6efe88afb5": "\"35008667-0000-0800-0000-63f562010000\"", + "a37d6c4a-630f-40f1-8ed7-85033c97b226": "\"35008a67-0000-0800-0000-63f562160000\"", + "3e0c16d9-b987-4982-8917-261b9b619c83": "\"35008f67-0000-0800-0000-63f562280000\"", + "a48aee53-b375-4d5c-b0e2-9d534f99bed8": "\"35009267-0000-0800-0000-63f5623a0000\"", + 
"a52b38c6-0473-4282-b1ac-a34022f46447": "\"35009867-0000-0800-0000-63f562520000\"", + "b52679aa-c825-444f-8dc3-2e679658b552": "\"35009b67-0000-0800-0000-63f5626c0000\"", + "d12000f0-f1b6-4344-bb3c-a8988e77eb75": "\"35009f67-0000-0800-0000-63f5627f0000\"", + "75cbd5b7-4158-4e21-8ce3-8197e05caa7f": "\"3500ab67-0000-0800-0000-63f562940000\"", + "675ea0df-9fff-4dc5-b0ee-521faf737c55": "\"3500b367-0000-0800-0000-63f562a80000\"", + "215089a8-4173-47cc-801b-56f449b9e978": "\"3500b667-0000-0800-0000-63f562bd0000\"", + "efea115d-c997-4be7-adcb-95afd6643a0a": "\"3500bd67-0000-0800-0000-63f562da0000\"", + "da88214f-a4b3-48fc-b8c3-fa71bb3ef678": "\"3500c267-0000-0800-0000-63f562f10000\"", + "149a0db6-2ad7-4e69-bf36-0c4f62873101": "\"35000568-0000-0800-0000-63f5633f0000\"", + "789aca0f-8766-49a2-84b7-1d68e2db7652": "\"35000b68-0000-0800-0000-63f563550000\"", + "481c342f-c33a-455b-82d5-2205b068f5d0": "\"35002668-0000-0800-0000-63f563660000\"", + "204119a5-daf5-4bfb-a565-a6bbf5dec2ad": "\"35002a68-0000-0800-0000-63f563780000\"", + "eb68e7af-1e04-45c3-985f-76e076002f57": "\"35004a68-0000-0800-0000-63f563aa0000\"", + "b42fd648-56d8-405b-8303-ecbf32e7f3be": "\"35005468-0000-0800-0000-63f563bd0000\"", + "f25caf39-8a25-48d1-b564-3098bfb1a4b3": "\"35006b68-0000-0800-0000-63f563d10000\"", + "d7b90ebc-9243-4837-bc04-15808d6fffdf": "\"35007968-0000-0800-0000-63f563e50000\"", + "e6926bd2-1c73-494e-b193-b5853be6b838": "\"35007c68-0000-0800-0000-63f563f80000\"", + "5178c35e-cf89-4442-b41b-ff963659f9a5": "\"35008168-0000-0800-0000-63f564120000\"", + "25bd255a-bf5e-4c83-b39f-fb8570442411": "\"35008468-0000-0800-0000-63f564250000\"", + "b7d192e4-4786-463b-acef-ae7ea5569a06": "\"35008968-0000-0800-0000-63f564370000\"", + "a6e2aa27-43bc-45b2-b96d-48b735364839": "\"35008d68-0000-0800-0000-63f564550000\"", + "eb2153ae-e569-42cf-8467-40f05affa51f": "\"35009868-0000-0800-0000-63f564680000\"", + "f801914e-c351-43d7-b2a7-ba58f064fda6": "\"3500a268-0000-0800-0000-63f5647b0000\"", + 
"c655ec79-ccbb-4940-b53f-a1f0a6583a53": "\"3500ac68-0000-0800-0000-63f564920000\"", + "ba38e02e-2c7c-4744-9292-8df5f3fc28ac": "\"3500b068-0000-0800-0000-63f564aa0000\"", + "a649754e-0850-48be-af9d-9ae66e282259": "\"3500b368-0000-0800-0000-63f564bd0000\"", + "048acbb1-a65f-405e-b6bd-da47b59dffa7": "\"3500b768-0000-0800-0000-63f564d10000\"", + "432364d6-323c-41fb-a646-12ae79e3d321": "\"3500c268-0000-0800-0000-63f564ea0000\"", + "1b1e0484-a8d7-4116-bbc0-294d9d45aa1d": "\"3500c968-0000-0800-0000-63f564fe0000\"", + "a203a1c1-5360-4d2b-a61e-7e02066ef891": "\"3500d968-0000-0800-0000-63f565170000\"", + "e9f798a0-8821-4cde-9667-21d84cc45915": "\"3500df68-0000-0800-0000-63f5652c0000\"", + "58279f6d-5629-40b2-852b-66c575dbb0ca": "\"3500e368-0000-0800-0000-63f565480000\"", + "689e109d-46e0-4f54-b0b4-1377167cd660": "\"3500ff68-0000-0800-0000-63f5655e0000\"", + "f3f94d19-f440-483e-b11a-231f93731fe8": "\"35000469-0000-0800-0000-63f565730000\"", + "f9862418-b01a-40d9-84e1-bece0e2e89bb": "\"35000a69-0000-0800-0000-63f565850000\"", + "bf490122-cedd-48e7-ba93-246d9ba9bfae": "\"35000f69-0000-0800-0000-63f5659c0000\"", + "9aab9ad2-d911-4d72-95ba-0fa53d80af93": "\"35001569-0000-0800-0000-63f565af0000\"", + "338cfd75-5f86-4e98-91a0-87733bd4698e": "\"35001a69-0000-0800-0000-63f565c30000\"", + "9970db1b-bed7-4ca6-a5ea-effa3aac7b05": "\"35001f69-0000-0800-0000-63f565da0000\"", + "c6b7994e-ae58-499c-bdac-a7035e8858de": "\"35002269-0000-0800-0000-63f565ec0000\"", + "59b0b0bc-b313-42b4-a3d9-7c5dc383b448": "\"35002669-0000-0800-0000-63f565ff0000\"", + "36af90d3-daf0-4785-a195-afa11219595f": "\"35002c69-0000-0800-0000-63f566130000\"", + "c4f34b46-8c20-46f0-b790-23d2bd555b6a": "\"35004769-0000-0800-0000-63f5665f0000\"", + "17cf26a4-edee-458d-a467-5933e8c1a1aa": "\"35004f69-0000-0800-0000-63f566830000\"", + "6b67df71-a90e-424c-8725-e7f9574d716f": "\"35005369-0000-0800-0000-63f566990000\"", + "68b67702-32ef-41ac-a8b2-f793d9689274": "\"35006969-0000-0800-0000-63f566af0000\"", + 
"a814a61a-672f-431f-9b2b-869e9bcaa534": "\"35007569-0000-0800-0000-63f566ca0000\"", + "f45e4a0d-2bbf-417c-97b7-643c7d4a0f93": "\"35007969-0000-0800-0000-63f566e30000\"", + "837ae291-8946-4918-a036-a22f4da70456": "\"35008169-0000-0800-0000-63f566fd0000\"", + "7fa27bab-66bb-4d8c-a80e-843f48e2a3b0": "\"35008469-0000-0800-0000-63f567140000\"", + "04adf3cf-371a-475f-9f03-f7991a6f3aa3": "\"3500a169-0000-0800-0000-63f567400000\"", + "16b51acb-d11f-4570-ad5b-2a33fb52e25f": "\"3500a969-0000-0800-0000-63f567590000\"", + "af5d8d85-ac5f-4ef7-bf10-7b43986ec91d": "\"3500ac69-0000-0800-0000-63f5676e0000\"", + "4ef59b89-0b97-4fca-99d0-6b3f861142cf": "\"3500c969-0000-0800-0000-63f567c00000\"", + "e001fc5b-00f7-47eb-ad14-4f68ac4b56fa": "\"3500cd69-0000-0800-0000-63f567d30000\"", + "8adb0ef2-02b3-4efd-81b3-20f79556d862": "\"3500d469-0000-0800-0000-63f567ed0000\"", + "a36172b6-4acf-4915-b0c5-ea8be7d05c86": "\"3500d769-0000-0800-0000-63f568010000\"", + "516cc0be-cc97-486b-928e-0e222352ba46": "\"3500dc69-0000-0800-0000-63f568130000\"", + "4515ed4c-edac-40b7-9ba0-1e96b7db4572": "\"3500e069-0000-0800-0000-63f568270000\"", + "4059cc8c-74ef-43f9-abed-bb067aa015ae": "\"3500e369-0000-0800-0000-63f568390000\"", + "8fb31b17-e360-4b59-a281-19c4fe483909": "\"3500e769-0000-0800-0000-63f5684c0000\"", + "edec3f95-3e38-4140-a078-96c6bf105d1a": "\"3500ee69-0000-0800-0000-63f568640000\"", + "4e52f7d5-cb46-4880-9b3a-279444078bcf": "\"3500016a-0000-0800-0000-63f568780000\"", + "dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46": "\"3500076a-0000-0800-0000-63f568940000\"", + "74893bd0-8ffa-4e9f-83a5-58ed055824bc": "\"35000d6a-0000-0800-0000-63f568ad0000\"", + "2f33cb73-78b6-4886-8434-f319deea8d62": "\"3500146a-0000-0800-0000-63f568be0000\"", + "9d356cdc-fd63-4071-bc5b-f06d5effc36f": "\"35001a6a-0000-0800-0000-63f568e30000\"", + "e669ef82-838e-40b8-8423-efd8303206c6": "\"3500206a-0000-0800-0000-63f568fe0000\"", + "beb39f94-ac53-4ab4-b1c2-7b591497b571": "\"3500246a-0000-0800-0000-63f569120000\"", + 
"20412a8c-a3a7-41a5-8620-6d4c724d3092": "\"35002b6a-0000-0800-0000-63f569290000\"", + "595b910c-156b-4a20-996e-06c50a217133": "\"3500486a-0000-0800-0000-63f569430000\"", + "22cf036c-2193-4352-9fb5-869ed7dc00a6": "\"35004d6a-0000-0800-0000-63f569580000\"", + "a0ee0fdf-b347-449d-8cdb-b750cc062e02": "\"3500516a-0000-0800-0000-63f5696c0000\"", + "2c3d7a74-362a-4a6e-836a-279bc1fd8813": "\"3500756a-0000-0800-0000-63f5697e0000\"", + "32d3c923-7729-41bc-8b18-790e97726d79": "\"35008d6a-0000-0800-0000-63f569920000\"", + "49325680-a0e6-4b0d-b9ea-cc4991de4c73": "\"3500ba6a-0000-0800-0000-63f569aa0000\"", + "d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d": "\"3500ce6a-0000-0800-0000-63f569df0000\"", + "34be0f95-d845-4501-a64f-3f272d3e7d52": "\"3500d16a-0000-0800-0000-63f569f30000\"", + "5fa2554b-b319-4605-ad60-92601ac5d7ba": "\"3500e76a-0000-0800-0000-63f56a0a0000\"", + "ab212c5e-07ce-439e-a2d3-cba34ff1cc1d": "\"3500006b-0000-0800-0000-63f56a240000\"", + "58d21291-77aa-4e73-9603-1cefbe80b39c": "\"35002e6b-0000-0800-0000-63f56a9d0000\"", + "eba9eb63-e5e8-4617-87f7-492aedad803a": "\"3500396b-0000-0800-0000-63f56ab20000\"", + "bedfc0cf-b75b-4574-9de6-1b38a51fc987": "\"3500496b-0000-0800-0000-63f56ac90000\"", + "ed27aa54-2adc-4774-ae30-6f84a1de0213": "\"3a004472-0000-0800-0000-63f81ea90000\"", + "7c192267-ac8a-4182-9336-f5e7647fe9e5": "\"1f00d02a-0000-0800-0000-63e711b10000\"", + "63d1052b-e396-4366-a76f-4665b4b8f319": "\"2500f8ce-0000-0800-0000-63ec43700000\"", + "927ca451-fe12-4de3-983d-bd50cc359b7f": "\"250013cf-0000-0800-0000-63ec43920000\"", + "895522a3-ae18-4771-add7-334f7b4a3124": "\"25007dd2-0000-0800-0000-63ec492b0000\"", + "fcd7bae2-0354-454d-9884-18880ff95fe8": "\"2500e9d2-0000-0800-0000-63ec4ad60000\"", + "02ca5f41-a642-413b-aec0-51b9e20cce8a": "\"35008869-0000-0800-0000-63f567280000\"", + "8ccf4287-558c-445f-9331-ebb58c2be800": "\"35006b6b-0000-0800-0000-63f56ae90000\"", + "0a9646c6-c11c-4190-83be-ff0440581ebd": "\"35006f6b-0000-0800-0000-63f56afc0000\"", + 
"324b11f6-6382-45b4-934b-3f60ff4457a3": "\"3500756b-0000-0800-0000-63f56b240000\"", + "8e6cbbe1-93ba-45ab-8731-82d2802a60df": "\"3500796b-0000-0800-0000-63f56b360000\"", + "c3ec0a36-7cf7-47df-a82c-fc32720db69f": "\"35007d6b-0000-0800-0000-63f56b490000\"", + "fe7d80f1-5bd1-409b-89df-c48b2f340b80": "\"35008b6b-0000-0800-0000-63f56b5c0000\"", + "0f5a5c06-ca09-4075-890a-e46be2ee412a": "\"35009a6b-0000-0800-0000-63f56b6e0000\"", + "64c74af9-0412-4732-89f8-86f46e4897eb": "\"3500b56b-0000-0800-0000-63f56b820000\"", + "3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646": "\"3500bb6b-0000-0800-0000-63f56b950000\"", + "1ef21999-d53f-4840-bde9-6b90ee767bb7": "\"3500da6b-0000-0800-0000-63f56bb00000\"", + "6392295f-31e9-45da-8c14-5554a2b3fb7c": "\"3500f76b-0000-0800-0000-63f56bc10000\"", + "1217fe0b-489f-434b-9c6d-877c44610d0b": "\"3500fb6b-0000-0800-0000-63f56bd40000\"", + "86475faa-04ff-4383-86b2-ebca93ca8097": "\"3500136c-0000-0800-0000-63f56be60000\"", + "52bb7be6-1fb5-424b-bb24-84d427d91626": "\"35002a6c-0000-0800-0000-63f56c030000\"", + "4af76a04-0e2a-4892-ae63-3de3b4e9ead2": "\"35002f6c-0000-0800-0000-63f56c210000\"", + "a0021314-e49e-45d9-801f-e7bca20e9046": "\"3500336c-0000-0800-0000-63f56c320000\"", + "84cfa531-ea08-4c84-a1a1-d85c55c45f06": "\"3500376c-0000-0800-0000-63f56c4a0000\"", + "89bbc939-d47e-4b36-82dc-bcec562f0763": "\"3500486c-0000-0800-0000-63f56c5c0000\"", + "6f4474f5-8c95-4248-a56d-510a85fb07b3": "\"35006e6c-0000-0800-0000-63f56c780000\"", + "91d5304a-0628-4ab8-9c57-670bb4da620b": "\"35007c6c-0000-0800-0000-63f56c8b0000\"", + "8cfd3e23-2616-4c6f-b061-a8e47d0536bb": "\"35008d6c-0000-0800-0000-63f56c9f0000\"", + "2636af24-3225-405a-aa4b-7b455f326445": "\"35009e6c-0000-0800-0000-63f56cbb0000\"", + "9abf000c-f4ad-413f-9cd7-405d95349988": "\"3500a66c-0000-0800-0000-63f56cd50000\"", + "6e485f07-3a11-4eb5-ac2a-d1b82aca8c62": "\"3500b56c-0000-0800-0000-63f56ce70000\"", + "fd68f806-d8b0-4c8f-aa0f-3b78b59f157f": "\"3500cd6c-0000-0800-0000-63f56cfa0000\"", + 
"704b2418-b2bd-4b4a-8f9e-cf47562e133d": "\"3500d16c-0000-0800-0000-63f56d0c0000\"", + "b3345cc6-ee8c-46d4-abc9-8adae4b877d1": "\"3500e26c-0000-0800-0000-63f56d270000\"", + "3aa3ab52-566f-46a0-a5c9-caba62eaa518": "\"3500e96c-0000-0800-0000-63f56d3b0000\"", + "cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0": "\"3500ed6c-0000-0800-0000-63f56d4d0000\"", + "9df8fa13-f28b-41d5-8065-9d7e234aaa26": "\"3500f16c-0000-0800-0000-63f56d660000\"", + "c20c6d74-5470-4242-a748-d5625abb65b1": "\"3500f56c-0000-0800-0000-63f56d790000\"", + "340041fc-2cb7-423b-9da9-ec04a258f864": "\"3500f86c-0000-0800-0000-63f56d8b0000\"", + "d012df68-9c36-431a-acc1-704063e21101": "\"3500fb6c-0000-0800-0000-63f56d9d0000\"", + "bb49283b-b564-43d4-868c-2a6186144d8e": "\"3500186d-0000-0800-0000-63f56db20000\"", + "fa482a76-22d1-469d-8a47-510e71286ddd": "\"35001d6d-0000-0800-0000-63f56dc30000\"", + "bb0035d3-3ac9-40d5-976e-6076f906473c": "\"3500216d-0000-0800-0000-63f56dda0000\"", + "61a3f08d-ad2d-49cb-baac-9edc6235e968": "\"3500256d-0000-0800-0000-63f56df20000\"", + "f88f852a-b2cb-4e34-b282-36549eb50b2b": "\"35002b6d-0000-0800-0000-63f56e090000\"", + "efe3369b-f57f-4fb2-9570-d7a9fe32b526": "\"35002f6d-0000-0800-0000-63f56e1f0000\"", + "2950dda7-bc3f-4e83-9528-80df8dbe1368": "\"3500466d-0000-0800-0000-63f56e350000\"", + "e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e": "\"3500576d-0000-0800-0000-63f56e4f0000\"", + "fe861c55-a355-4af2-8e9e-2e2d8f7a68d9": "\"35005c6d-0000-0800-0000-63f56e620000\"", + "b63935f5-aae3-45b5-bd0d-f2da794fd126": "\"35005f6d-0000-0800-0000-63f56e750000\"", + "57b338f9-1c0e-42ee-9b56-1af8886e2047": "\"3500626d-0000-0800-0000-63f56e860000\"", + "ce11fda8-f604-4547-af58-fa313e8a8146": "\"3500676d-0000-0800-0000-63f56e990000\"", + "3d7a19b1-33bc-429e-b5d3-b6d0ab02216c": "\"35006d6d-0000-0800-0000-63f56eb30000\"", + "b131e363-3009-4942-a35c-14d5c7284ead": "\"3500706d-0000-0800-0000-63f56ec70000\"", + "916dae72-d95a-41c4-9370-30ff57177fbf": "\"3500736d-0000-0800-0000-63f56eda0000\"", + 
"066d6852-04de-4dab-9b95-bd3d2835a859": "\"3500776d-0000-0800-0000-63f56eed0000\"", + "b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b": "\"35007c6d-0000-0800-0000-63f56f050000\"", + "fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2": "\"3500816d-0000-0800-0000-63f56f180000\"", + "c34a8927-e01b-4de6-ae5f-52fb6ac204f9": "\"3500866d-0000-0800-0000-63f56f2b0000\"", + "00f4fd35-801a-4996-a1c5-bde58605be5c": "\"35008b6d-0000-0800-0000-63f56f3d0000\"", + "e901d93b-d192-4fac-8c53-9e023b8ef3c0": "\"35008e6d-0000-0800-0000-63f56f500000\"", + "74131d4a-83fd-4606-a5f4-71dc1d169a3d": "\"3500926d-0000-0800-0000-63f56f630000\"", + "91011f1e-3186-450d-9cd7-83e9c840508a": "\"3500996d-0000-0800-0000-63f56f760000\"", + "4b4b2f57-ace1-4d2d-9793-942442bc9668": "\"3500a06d-0000-0800-0000-63f56f8d0000\"", + "d4f0a426-2354-416f-9999-b8d28d3e93ed": "\"3500a36d-0000-0800-0000-63f56fa00000\"", + "370b2ef6-5d11-4827-a36a-eadd0cd821fe": "\"3500a66d-0000-0800-0000-63f56fb20000\"", + "9798584d-ebeb-4a0d-89f1-df23ee5a9edf": "\"3500aa6d-0000-0800-0000-63f56fc70000\"", + "51c23e70-6d7e-47c5-87b0-e798a636931d": "\"3500ad6d-0000-0800-0000-63f56fd80000\"", + "7e19583d-27e1-41c2-90a9-3f813155c6ce": "\"3500b26d-0000-0800-0000-63f56fea0000\"", + "a9e6f155-4049-4401-89e3-a9f769675eb6": "\"3500b66d-0000-0800-0000-63f56ffe0000\"", + "4f1de90b-7ff1-441a-af02-0a2a86ca9848": "\"3500ba6d-0000-0800-0000-63f570130000\"", + "9199567e-9c5d-4078-8f0f-40e9d4d5836c": "\"3500c56d-0000-0800-0000-63f570280000\"", + "66ee9d45-4e7e-4b0d-a361-377cd3662750": "\"3500d26d-0000-0800-0000-63f5703f0000\"", + "94d72012-0846-4f42-9d26-51f9cdb2fa6e": "\"3500d86d-0000-0800-0000-63f570530000\"", + "697575c4-83f0-4d98-9594-b6f254db566a": "\"3500db6d-0000-0800-0000-63f570680000\"", + "454abbc9-3d65-4dfb-9446-0af12f681192": "\"3500e06d-0000-0800-0000-63f570850000\"", + "7d070056-c31e-46a3-8ab6-299510132e4f": "\"3500e66d-0000-0800-0000-63f5709a0000\"", + "80e77d48-d0f1-4d7d-bb68-2ad8123ba8db": "\"3500ef6d-0000-0800-0000-63f570ae0000\"", + 
"bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b": "\"3500f46d-0000-0800-0000-63f570c40000\"", + "3c746716-20a6-46bd-98fd-d5c9d0aa1553": "\"3500f76d-0000-0800-0000-63f570d70000\"", + "8ed981a2-337b-4542-a371-3968ac93f923": "\"3500fd6d-0000-0800-0000-63f570ef0000\"", + "55f68d39-f930-44bd-acb6-4eddd9007237": "\"3500546e-0000-0800-0000-63f571060000\"", + "b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3": "\"35009f6e-0000-0800-0000-63f5711c0000\"", + "35efaa1c-ca0f-4fc8-b30b-993f1502dadc": "\"3500be6e-0000-0800-0000-63f571300000\"", + "4416b145-266e-461b-b5bf-c346069f404e": "\"3500ee6e-0000-0800-0000-63f571490000\"", + "47a5442c-c3e1-4a44-829b-a0fce5ffdb54": "\"3500196f-0000-0800-0000-63f571650000\"", + "7aa0650e-f8b6-4737-9894-85f684aa5d18": "\"3500506f-0000-0800-0000-63f571840000\"", + "5fcaa294-5c2f-495c-acf4-f6a93b6589f9": "\"35006b6f-0000-0800-0000-63f571960000\"", + "3838a2fe-0433-432b-8f34-fd48f0930148": "\"3500886f-0000-0800-0000-63f571ae0000\"", + "fddce345-91bc-4cba-82f9-af733f7cdc69": "\"3500a46f-0000-0800-0000-63f571c10000\"", + "b26de50a-8f22-4454-ae13-6442ac7decad": "\"3500d86f-0000-0800-0000-63f571d40000\"", + "b59ad89c-249e-462f-ac68-c23a93202fa3": "\"3500fb6f-0000-0800-0000-63f571e60000\"", + "6fbd8942-976f-4b19-94c6-785e9f05136e": "\"35002c70-0000-0800-0000-63f572350000\"", + "3f40377b-15d8-490f-a8d7-82c385f81829": "\"35003070-0000-0800-0000-63f5724a0000\"", + "e557ae74-ef8a-4bab-b807-959486942ceb": "\"35003570-0000-0800-0000-63f572630000\"", + "9578ea47-ee34-4289-9aa2-05630ecf2f1b": "\"35003a70-0000-0800-0000-63f572760000\"", + "e52bd802-3e96-4391-8b7f-c57e58539370": "\"35004e70-0000-0800-0000-63f5729e0000\"", + "aaa53051-1af4-42d9-a523-c08752580ade": "\"35005c70-0000-0800-0000-63f572b60000\"", + "cda14730-b43b-4099-a785-6145306928b9": "\"35006070-0000-0800-0000-63f572cb0000\"", + "af136dbc-b98a-4c3b-9842-e076768ae2a1": "\"35006470-0000-0800-0000-63f572e20000\"", + "1c6090a0-fa8a-4ebe-b8b2-5576114a384f": "\"35006c70-0000-0800-0000-63f572f40000\"", + 
"1e944163-f959-46f8-9760-95a54652437b": "\"35007d70-0000-0800-0000-63f5730b0000\"", + "fd618de1-e892-433a-9bc3-4d5d94edf017": "\"35008070-0000-0800-0000-63f5731e0000\"", + "8ef3b755-c57d-4103-8ad3-7536adbdd953": "\"35008770-0000-0800-0000-63f573360000\"", + "61cf974b-9170-4e7e-9c13-f801cce8b2c2": "\"35009370-0000-0800-0000-63f573850000\"", + "85e14dab-bc47-4f28-810f-47db9aa5896f": "\"35009970-0000-0800-0000-63f5739c0000\"", + "b4b19b2b-c30f-4f25-b5d5-762e7ceeef99": "\"35009d70-0000-0800-0000-63f573b40000\"", + "8d2677a1-dcf3-42b1-848b-a0a7055016d8": "\"3500a270-0000-0800-0000-63f573cb0000\"", + "6ee20e13-a511-42e0-beb8-020666b7071c": "\"3500a870-0000-0800-0000-63f573e20000\"", + "1d14a23e-7c19-4d9b-8775-eb282774958d": "\"3500ab70-0000-0800-0000-63f573f50000\"", + "6cef2de7-424f-4297-b732-b8985477fb7e": "\"3500af70-0000-0800-0000-63f5740b0000\"", + "c5141be2-18ae-4afc-a9f5-b07e5746cee1": "\"3500b770-0000-0800-0000-63f574220000\"", + "c110f9e8-7ac6-496f-8df7-da0c413e767e": "\"3500db70-0000-0800-0000-63f5743d0000\"", + "c5b4fb13-738e-4591-a704-741486688b20": "\"3500ec70-0000-0800-0000-63f574540000\"", + "a0ae8d0a-38d8-441f-b491-134cf3151846": "\"3500f370-0000-0800-0000-63f5746c0000\"", + "460cbcbe-314d-4841-8398-6926043768b8": "\"3500f670-0000-0800-0000-63f5747e0000\"", + "9aa5f4c8-b3ad-458f-92e4-d4cf21948c59": "\"35000471-0000-0800-0000-63f574d50000\"", + "f34bfe11-29ce-41f8-9a1e-167cd3302d0e": "\"35000771-0000-0800-0000-63f574ec0000\"", + "3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f": "\"35000d71-0000-0800-0000-63f574fe0000\"", + "a4d01245-f322-4861-9ffe-1c410aa9dfaa": "\"35001071-0000-0800-0000-63f575110000\"", + "1b94b9a2-ddd7-4d88-949e-ac13cf28b454": "\"35001571-0000-0800-0000-63f5752c0000\"", + "6e9a6f1b-a40e-4ffa-974d-3ab5d675c531": "\"35001871-0000-0800-0000-63f5753e0000\"", + "ff44fc3f-4e22-4c9c-94d9-645c7644d2ca": "\"35002071-0000-0800-0000-63f575510000\"", + "de4a8f18-acf0-4738-a6b2-2302216fdf48": "\"35002571-0000-0800-0000-63f575620000\"", + 
"c84de391-2133-43e6-af89-27b021feaf75": "\"35003171-0000-0800-0000-63f5757b0000\"", + "bbcf3e06-84cb-4bb0-813b-f4f9ce090bab": "\"35003671-0000-0800-0000-63f575920000\"", + "941e3a2b-8eed-4cb4-afba-1322838fcbb2": "\"35003a71-0000-0800-0000-63f575a90000\"", + "e0adc565-7cd3-47f0-9027-c700df43303a": "\"35003d71-0000-0800-0000-63f575be0000\"", + "14c4920e-9a71-4680-aa78-da32072e8dc2": "\"35004871-0000-0800-0000-63f575d60000\"", + "22a677eb-9971-4b78-8082-0061d9a975fd": "\"35004c71-0000-0800-0000-63f575e90000\"", + "fe80d1cc-65a1-400c-a5d5-5a5decf74f31": "\"35005271-0000-0800-0000-63f576020000\"", + "a13c922b-fe7c-476e-a586-edaab2219e57": "\"35005e71-0000-0800-0000-63f576540000\"", + "ceb7fe01-21a7-4ffb-b8f0-ac29b991da50": "\"35006371-0000-0800-0000-63f576660000\"", + "dfbb9a20-254e-4c70-a302-0ba22da59117": "\"35006971-0000-0800-0000-63f576790000\"", + "6dff9c6d-c191-4e5b-a308-a0906a23752d": "\"35007471-0000-0800-0000-63f576900000\"", + "b7e581ff-451f-4e85-97fd-f22c8be96580": "\"35007c71-0000-0800-0000-63f576a30000\"", + "7ee415a8-0c09-46a1-b75d-9223de562a12": "\"35008171-0000-0800-0000-63f576b40000\"", + "049d9663-9edb-4269-8bfa-340896d5cfe4": "\"35008771-0000-0800-0000-63f576c70000\"", + "26ed4120-b9df-487e-bf25-3f179ebf75f4": "\"35008a71-0000-0800-0000-63f576df0000\"", + "9d781e96-280e-4760-8a74-e28bcd7ef128": "\"35008e71-0000-0800-0000-63f576f20000\"", + "3421562d-ac3e-42dc-9d90-e751868bb424": "\"35009471-0000-0800-0000-63f577050000\"", + "22b9eab7-3edd-483a-8aca-5568e23dad78": "\"35009871-0000-0800-0000-63f5771d0000\"", + "2397d157-f3c4-485d-acd3-008ab8612c60": "\"35009e71-0000-0800-0000-63f5773e0000\"", + "67e76653-affb-4264-9b2a-0dd5f5fc2835": "\"3500a271-0000-0800-0000-63f577560000\"", + "303d53fd-b132-45bc-9dc9-8852122a64b9": "\"3500a571-0000-0800-0000-63f577690000\"", + "4f5a652f-bec8-4112-8f7b-531ff30dfd75": "\"3500aa71-0000-0800-0000-63f5777b0000\"", + "1f0221ac-cee3-4eae-801f-c725df4b9f27": "\"3500b471-0000-0800-0000-63f5778f0000\"", + 
"150bcc1a-7788-4624-a9d9-1b05b0fc7051": "\"3500eb71-0000-0800-0000-63f577a30000\"", + "929e1a28-c623-44b1-a8ef-7a1739b9bba1": "\"3500f171-0000-0800-0000-63f577b70000\"", + "3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75": "\"35000472-0000-0800-0000-63f577cc0000\"", + "be59c13c-c811-4444-9a72-b69c713672b1": "\"35000c72-0000-0800-0000-63f577fc0000\"", + "e857375b-b96a-4757-a5a6-c0ed478ee5de": "\"35001072-0000-0800-0000-63f578110000\"", + "80491722-4553-4683-a9a0-8f14ea6dfe08": "\"35001472-0000-0800-0000-63f578230000\"", + "6e16dc82-ea01-41d5-aa55-6390a418421d": "\"35001772-0000-0800-0000-63f578370000\"", + "e3d218b4-cb49-40bb-ac39-4892088ba6c1": "\"35001c72-0000-0800-0000-63f5784a0000\"", + "349c1b39-5c33-4d6f-b5a5-580083a77cd3": "\"35003772-0000-0800-0000-63f5785e0000\"", + "7fd08f98-0dbf-4604-853a-76a610cc9c0d": "\"35003b72-0000-0800-0000-63f578710000\"", + "9d680f1a-5c96-48c6-8662-3604bfe61eb2": "\"35004172-0000-0800-0000-63f5788b0000\"", + "c895ed04-d628-4d7d-ad3d-63afd80aa2a9": "\"35004672-0000-0800-0000-63f5789e0000\"", + "3c5c78d4-a787-4c7c-9da1-a1244a9878b4": "\"35004a72-0000-0800-0000-63f578b10000\"", + "742ae0bd-633c-4f38-804b-3ed926117077": "\"35008872-0000-0800-0000-63f578c80000\"", + "57d051c8-0108-455a-9a94-bfa7c7c8e565": "\"3500aa72-0000-0800-0000-63f578df0000\"", + "ad713bda-ef00-4837-b0ee-4c955214d0a6": "\"3500b472-0000-0800-0000-63f578f20000\"", + "495ef656-bd0f-4a92-a97c-17eab3d1b0b1": "\"3500ca72-0000-0800-0000-63f579030000\"", + "604dfab2-c845-4910-876f-76dce9eb58cb": "\"3500d872-0000-0800-0000-63f579550000\"", + "3700252b-2d09-4ca1-ba8d-5b070add4fbc": "\"3500de72-0000-0800-0000-63f579670000\"", + "bc28747a-f907-4cf8-b2e2-099b4663b67e": "\"3500e472-0000-0800-0000-63f5797b0000\"", + "a414027e-9d31-4716-84b5-41bc3cefbde1": "\"3500fe72-0000-0800-0000-63f5798f0000\"", + "2985b2db-a13a-4ec0-9606-dc6c837a6dd8": "\"35001173-0000-0800-0000-63f579a10000\"", + "2fd7979f-6d09-463b-828c-be33fc9ccfbb": "\"35001773-0000-0800-0000-63f579bf0000\"", + 
"ee08a1b6-de2e-4397-bb4a-9d434ad24ee3": "\"35001f73-0000-0800-0000-63f579d20000\"", + "dece78df-9bea-4625-9457-d4a37e01a4a8": "\"35002473-0000-0800-0000-63f579e60000\"", + "8a5e860b-05d8-47b1-bb76-f690d926ab12": "\"35002a73-0000-0800-0000-63f579f90000\"", + "6587f4a3-260a-470f-a372-fd7d879e9772": "\"35003273-0000-0800-0000-63f57a0b0000\"", + "63037f09-9e99-49da-909e-f384f84b9738": "\"35003c73-0000-0800-0000-63f57a230000\"", + "5a658bc2-1c28-40d4-be6d-fb228e071c1b": "\"3a006471-0000-0800-0000-63f81e920000\"" +} \ No newline at end of file From c8f35befeacaf44e303ae3d9b9f9eb27f7cb6fb1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:03 +0000 Subject: [PATCH 002/375] Exported file: (Preview) Microsoft Threat Intelligence Analytics.json.json --- ...crosoft Threat Intelligence Analytics.json | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json diff --git a/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json new file mode 100644 index 00000000..37b219cf --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Preview) Microsoft Threat Intelligence Analytics.json 
@@ -0,0 +1,30 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fcd7bae2-0354-454d-9884-18880ff95fe8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fcd7bae2-0354-454d-9884-18880ff95fe8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "ThreatIntelligence", + "apiVersion": "2022-09-01-preview", + "properties": { + "alertRuleTemplateName": "0dd422ee-e6af-4204-b219-f59ac172e4c6", + "severity": "Medium", + "tactics": [ + "Persistence", + "LateralMovement" + ], + "techniques": [], + "displayName": "(Preview) Microsoft Threat Intelligence Analytics", + "enabled": true, + "description": "This rule generates an alert when a Microsoft Threat Intelligence Indicator gets matched with your event logs. The alerts are very high fidelity and are turned ON by default. \n\nNote : It is advised to turn off any custom alert rules which match the threat intelligence indicators with the same event logs matched by this analytics to prevent duplicate alerts." + } + } + ] +} \ No newline at end of file From 53b32a83b059d80410c4fe8ba085bce7430788b0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:04 +0000 Subject: [PATCH 003/375] Exported file: (Preview) TI map Domain entity to Dns Events (Normalized DNS).json.json --- ...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json 
diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json new file mode 100644 index 00000000..aa9fd169 --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Preview) TI map Domain entity to Dns Events (Normalized DNS).json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/516cc0be-cc97-486b-928e-0e222352ba46')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/516cc0be-cc97-486b-928e-0e222352ba46')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where Active == true\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId;\nlet Domains= toscalar(DomainTIs | where isnotempty(DomainName) |summarize make_set(DomainName));\nDomainTIs\n | join (\n imDns(starttime=ago(dt_lookBack), domain_has_any=(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Dvc, IPCustomEntity = SrcIpAddr, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "(Preview) TI map Domain entity to Dns Events (Normalized DNS)", + "enabled": false, + "description": "Identifies a match in DNS events from any Domain IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).", + "alertRuleTemplateName": "999e9f5d-db4a-4b07-a206-29c4e667b7e8" + } + } + ] +} \ No newline at end of file From 8d1effc68e6d0ce127d541aeacc2ae1b6512efdc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:05 +0000 Subject: [PATCH 004/375] Exported file: (Preview) TI map IP entity to Dns Events (Normalized DNS).json.json --- ...entity to Dns Events (Normalized DNS).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json new file mode 100644 index 00000000..34e28555 --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Preview) TI map IP entity to Dns Events (Normalized DNS).json 
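Review bot: The join in `query` matches `$left.DomainName==$right.DnsQuery` with KQL's case-sensitive equality, so an indicator stored as `Example.COM` never matches a query logged as `example.com` even though the `domain_has_any` prefilter (case-insensitive) lets that event through; normalizing both sides before the join, e.g. `| extend DomainName = tolower(DomainName)` in `DomainTIs` and `| extend DnsQuery = tolower(DnsQuery)` on the `imDns` side, closes the gap. The `| where isnotempty(DomainName)` inside the `Domains` toscalar is redundant, since `DomainTIs` already applies it. Unlike the sibling IP rule in the next patch, this rule only checks `DNS_TimeGenerated < ExpirationDateTime` and never requires the event to postdate the indicator; `| where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime` would make the two rules consistent. `"techniques": null` here versus `"techniques": []` in the preceding rule is a minor shape inconsistency across the export.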
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb31b17-e360-4b59-a281-19c4fe483909')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb31b17-e360-4b59-a281-19c4fe483909')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = (ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"\")\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId);\nlet TI_IP_List=IP_TI | summarize make_set( TI_ipEntity);\nimDns(starttime=ago(dt_lookBack), response_has_any_prefix=todynamic(toscalar(TI_IP_List)))\n | extend tilist = toscalar(TI_IP_List)\n | mv-expand tilist\n | extend SingleIP=tostring(tilist)\n | project-away tilist\n | where has_ipv4(DnsResponseName, SingleIP)\n | extend DNS_TimeGenerated = TimeGenerated\n| join IP_TI\n on 
$left.SingleIP == $right.TI_ipEntity\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Dvc, EventId, SubType, SrcIpAddr, DnsQuery, DnsResponseName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Dvc, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "(Preview) TI map IP entity to Dns Events (Normalized DNS)", + "enabled": false, + "description": "Identifies a match in DNS events from any IP IOC from TI\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns).", + "alertRuleTemplateName": "67775878-7f8b-4380-ac54-115e1e828901" + } + } + ] +} \ No newline at end of file From 10881fcecec4d37eec3d2f9406fc39534dab14f1 Mon Sep 17 00:00:00 2001 
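Review bot: The filter `| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime` after `| join IP_TI on $left.SingleIP == $right.TI_ipEntity` appears to compare the DNS event time with itself: both sides of the join carry `TimeGenerated`, and KQL keeps the left (imDns) column under that name while the indicator's copy is renamed `TimeGenerated1`, so the lower bound is always true and the event is never required to postdate the indicator. Since `LatestIndicatorTime = arg_max(TimeGenerated, *)` already holds the indicator's timestamp, the intended check is simply `| where DNS_TimeGenerated >= LatestIndicatorTime and DNS_TimeGenerated < ExpirationDateTime`. Worth confirming against a sample run that `TimeGenerated1` is indeed what the join produces before changing it.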
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:06 +0000 Subject: [PATCH 005/375] Exported file: (Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json.json --- ...s Outside Organizational Geolocations.json | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json diff --git a/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json new file mode 100644 index 00000000..45aed148 --- /dev/null +++ b/SentinelExported-AnalyticsRule/(Private Preview) Insider Risk Management_ Sensitive Data Access Outside Organizational Geolocations.json 
@@ -0,0 +1,64 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/118cc3d5-6ab5-493a-a0a9-793c9dd09875')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT7H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "// Rule Name - (Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations\r\n// Rule Description - Sensitive Data Access Outside Organziational Geolocations\r\n// Prerequisite 1: Onboard Azure Infomation Protection (https://docs.microsoft.com/en-us/azure/information-protection/requirements)\r\n// Prerequisite 2: Install AIP Unified Labeling Scanner (https://docs.microsoft.com/en-us/azure/information-protection/tutorial-install-scanner)\r\n// Prerequisite 3: Enable Azure Information Protection Connector (https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#azure-information-protection)\r\n// Prerequisite 4: Enable Azure Active Directory Connector (hhttps://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory)\r\nInformationProtectionLogs_CL\r\n| extend UserPrincipalName = UserId_s\r\n| where LabelName_s <> \"\"\r\n| join (SigninLogs) on UserPrincipalName\r\n| extend City = tostring(LocationDetails.city)\r\n// | where City <> \"New York\" // Configure Location Details within Organizational 
Requirements\r\n| extend State = tostring(LocationDetails.state)\r\n// | where State <> \"Texas\" // Configure Location Details within Organizational Requirements\r\n| extend Country_Region = tostring(LocationDetails.countryOrRegion)\r\n// | where Country_Region <> \"US\" // Configure Location Details within Organizational Requirements\r\n| summarize count() by UserPrincipalName, LabelName_s, Activity_s, City, State, Country_Region\r\n| sort by count_ desc\r\n| limit 250", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "customDetails": { + "Activity": "Activity_s", + "Where": "City" + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "AadUserId", + "columnName": "UserPrincipalName" + } + ] + } + ], + "tactics": [], + "techniques": null, + "displayName": "(Private Preview) Insider Risk Management: Sensitive Data Access Outside Organizational Geolocations", + "enabled": false, + "description": "Sensitive Data Access Outside Organziational Geolocations", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From 069191f2c88575871b598caec550a1a40923a07d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:07 +0000 Subject: [PATCH 006/375] Exported file: A client made a web request to a potentially harmful file (ASIM Web Session schema).json.json --- ...armful file (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json 
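Review bot: The Account entity mapping pairs `"identifier": "AadUserId"` with `"columnName": "UserPrincipalName"`, but the `AadUserId` identifier expects the Azure AD object id, not a UPN string, so the incident entity will not resolve to the right user; map the UPN to `FullName` (or `Name` plus `UPNSuffix`) instead, e.g. `"identifier": "FullName", "columnName": "UserPrincipalName"`. As exported, every geolocation filter in `query` is commented out (`// | where City <> ...`), so a rule named "Sensitive Data Access Outside Organizational Geolocations" with `"severity": "High"` currently alerts on all labeled-document access regardless of location; the description should say the filters must be configured before enabling. `| join (SigninLogs) on UserPrincipalName` has no time constraint, so each InformationProtection event is paired with every sign-in of that user in the 7h window, which inflates `count()`. The runtime strings also carry typos, `Organziational` in the description and `hhttps://` in the Prerequisite 4 comment, which an export-side fix should correct.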
diff --git a/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json new file mode 100644 index 00000000..edcb1bd6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/A client made a web request to a potentially harmful file (ASIM Web Session schema).json 
@@ -0,0 +1,51 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/454abbc9-3d65-4dfb-9446-0af12f681192')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/454abbc9-3d65-4dfb-9446-0af12f681192')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "severity": "Medium", + "query": "let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes') | extend Extension=column_ifexists(\"Extension\",\"\") | where isnotempty(Extension) | summarize make_set(Extension));\nlet file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);\nimWebSession(url_has_any=file_ext_blocklist, eventresult='Success')\n| extend requestedFileName=tostring(split(tostring(parse_url(Url)[\"Path\"]),'/')[-1])\n| extend requestedFileExt=extract(@(\\.\\w+)$,1,requestedFileName, typeof(string))\n| where requestedFileExtension in (file_ext_blocklist)\n| summarize LastAttemptTime=max(TimeGenerated), NumFailedAttempts=count() by SrcIpAddr, requestedFileName, Url\n| extend IPCustomEntity = SrcIpAddr, UrlCustomEntity=Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "A client made a web request to a potentially harmful file (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the Advanced SIEM information Model (ASIM).\nTo use this analytics rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM)", + "alertRuleTemplateName": "09c49590-4e9d-4da9-a34d-17222d0c9e7e" + } + } + ] +} \ No newline at end of file From 937f14401f7def310dcf05d20e7a01f080a669f4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:07 +0000 Subject: [PATCH 007/375] Exported file: A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json.json --- ...S) requests (ASIM Web Session schema).json | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json diff --git a/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json new file mode 100644 index 00000000..ee78f037 --- /dev/null +++ b/SentinelExported-AnalyticsRule/A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema).json 
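Review bot: The `query` cannot run as written: the regex literal in `extract(@(\.\w+)$,1,requestedFileName, typeof(string))` is missing its quotes, and the next line filters on `requestedFileExtension` while the column extended is `requestedFileExt`. The two lines should read `| extend requestedFileExt=extract(@"(\.\w+)$", 1, requestedFileName, typeof(string))` and `| where requestedFileExt in (file_ext_blocklist)` (with the inner quotes escaped as `\"` inside the JSON string). `NumFailedAttempts=count()` is a misleading name given the rule only selects `eventresult='Success'`. This rule extends `IPCustomEntity` and `UrlCustomEntity` but defines no `entityMappings`, so alerts carry no IP or URL entities; the same omission applies to the three ASIM Web Session rules that follow in this series.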
@@ -0,0 +1,52 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/150bcc1a-7788-4624-a9d9-1b05b0fc7051')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "severity": "Medium", + "query": "let threatCategory=\"Powershell\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents);\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", 
+ "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "A host is potentially running PowerShell to send HTTP(S) requests (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong PowerShell.
You can add custom Powershell indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).", + "alertRuleTemplateName": "42436753-9944-4d70-801c-daaa4d19ddd2" + } + } + ] +} \ No newline at end of file From 28a67656f6c0d977da75414b31da2681c72bb48a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:08 +0000 Subject: [PATCH 008/375] Exported file: A host is potentially running a crypto miner (ASIM Web Session schema).json.json --- ...rypto miner (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json new file mode 100644 index 00000000..deeead3f --- /dev/null +++ b/SentinelExported-AnalyticsRule/A host is potentially running a crypto miner (ASIM Web Session schema).json 
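Review bot: The `query` pulls its known user-agent list at run time with `externaldata(...)` from a raw GitHub `master` URL, so detection coverage for this rule changes silently whenever that CSV changes and the rule fails outright if the fetch is blocked; the same dependency exists in the crypto miner and hacking tool rules in the next two patches. A defensible setup ingests the feed into the `UnusualUserAgents` watchlist the rule already consults and drops the `externaldata` branch, or at least pins the URL to a specific commit. The `description` value also appears to span raw line breaks (the unmarked lines following `known to belong PowerShell.`), which a strict JSON parser would reject if they are really in the file rather than an artifact of this rendering; the harmful-file rule earlier in the series encodes the same kind of text with `\n`. The description text `known to belong PowerShell` reads as if a word is missing (`belong to PowerShell`).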
@@ -0,0 +1,51 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f5a652f-bec8-4112-8f7b-531ff30dfd75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "severity": "Medium", + "query": "let threatCategory=\"Cryptominer\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", 
+ "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "A host is potentially running a crypto miner (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong to a crypto miner. This indicates a crypto miner may have infected the client machine.
You can add custom crypto mining indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the Advanced SIEM Information Model (ASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, deploy the [Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).", + "alertRuleTemplateName": "8cbc3215-fa58-4bd6-aaaa-f0029c351730" + } + } + ] +} \ No newline at end of file From 0499ae582c79c26a72ce5a14d7cf40669439c42b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:09 +0000 Subject: [PATCH 009/375] Exported file: A host is potentially running a hacking tool (ASIM Web Session schema).json.json --- ...acking tool (ASIM Web Session schema).json | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json diff --git a/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json new file mode 100644 index 00000000..36756c66 --- /dev/null +++ b/SentinelExported-AnalyticsRule/A host is potentially running a hacking tool (ASIM Web Session schema).json 
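Review bot: The `let fullUAList = array_concat(knownUserAgents,customUserAgents)` statement in `query` has no terminating semicolon before `imWebSession(...)`, so the query fails to parse; the PowerShell rule in the previous patch has it right, and the hacking tool rule in the next patch has the same omission. The fix is `let fullUAList = array_concat(knownUserAgents,customUserAgents);`. Because `"enabled": false` is exported, this will only surface once someone turns the rule on, which argues for validating exported queries in CI rather than at enable time.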
@@ -0,0 +1,51 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1f0221ac-cee3-4eae-801f-c725df4b9f27')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1f0221ac-cee3-4eae-801f-c725df4b9f27')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "severity": "Medium", + "query": "let threatCategory=\"Hacking Tool\";\nlet knownUserAgentsIndicators = materialize(externaldata(UserAgent:string, Category:string)\n [ @\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/UnusualUserAgents.csv\"] \n with(format=\"csv\", ignoreFirstRecord=True));\nlet knownUserAgents=toscalar(knownUserAgentsIndicators | where Category==threatCategory | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet customUserAgents=toscalar(_GetWatchlist(\"UnusualUserAgents\") | where SearchKey==threatCategory | extend UserAgent=column_ifexists(\"UserAgent\",\"\") | where isnotempty(UserAgent) | summarize make_list(UserAgent));\nlet fullUAList = array_concat(knownUserAgents,customUserAgents)\nimWebSession(httpuseragent_has_any=fullUAList)\n| project SrcIpAddr, Url, TimeGenerated,HttpUserAgent, SrcUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "A host is potentially running a hacking tool (ASIM Web Session schema)", + "enabled": false, + "description": "This rule identifies a web request with a user agent header known to belong to a hacking tool. This indicates a hacking tool is used on the host.
You can add custom hacking tool indicating User-Agent headers using a watchlist, for more information refer to the [UnusualUserAgents Watchlist](https://aka.ms/ASimUnusualUserAgentsWatchlist).

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).", + "alertRuleTemplateName": "3f0c20d5-6228-48ef-92f3-9ff7822c1954" + } + } + ] +} \ No newline at end of file From 5f80cdca31c52d6e0f6cfc61ce922150713de3fb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:10 +0000 Subject: [PATCH 010/375] Exported file: A potentially malicious web request was executed against a web server.json.json --- ...est was executed against a web server.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json diff --git a/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json new file mode 100644 index 00000000..4ba5f88b --- /dev/null +++ b/SentinelExported-AnalyticsRule/A potentially malicious web request was executed against a web server.json 
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9abf000c-f4ad-413f-9cd7-405d95349988')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let mode = 'Blocked'; \nlet successCode = dynamic(['200', '101','204', '400','504','304','401','500']);\nlet minTime = ago(1d);\nlet maxSessionWindow = 1h;\nlet sessionBin = maxSessionWindow/2.0;\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayFirewallLog'\n| where action_s == mode\n| sort by hostname_s asc, clientIp_s asc, TimeGenerated asc\n| extend SessionStarted = row_window_session(TimeGenerated, maxSessionWindow, 10m, ((clientIp_s != prev(clientIp_s)) or (hostname_s != prev(hostname_s))))\n| summarize minTime = min(TimeGenerated), maxTime = max(TimeGenerated), SessionBlockedCount=count() by hostname_s, clientIp_s, SessionStarted\n| extend duration = maxTime - minTime\n| extend TimeKey = bin(SessionStarted, sessionBin)\n| join kind = inner(\nAzureDiagnostics\n| where TimeGenerated > minTime\n| where Category == 'ApplicationGatewayAccessLog'\n| where httpStatus_d in (successCode) or isempty(httpStatus_d)\n| extend TimeKey = range(bin(TimeGenerated-maxSessionWindow, sessionBin), bin(TimeGenerated, sessionBin), sessionBin)\n| mv-expand TimeKey to typeof(datetime)\n) on $left.hostname_s == $right.host_s, $left.clientIp_s == $right.clientIP_s, TimeKey\n| where (TimeGenerated - SessionStarted) between (0m .. duration)\n| extend originalRequestUriWithArgs_s = column_ifexists(\"originalRequestUriWithArgs_s\", \"\")\n| extend serverStatus_s = column_ifexists(\"serverStatus_s\", \"\")\n| extend timestamp = SessionStarted, IPCustomEntity = clientIP_s\n| summarize SuccessfulAccessLogCount = count(), UserAgents = make_set(userAgent_s), RequestURIs = make_set(requestUri_s) , OriginalRequestURIs = make_set(originalRequestUriWithArgs_s), \nSuccessCodes = make_set(httpStatus_d), SuccessCodes_BackendServer = make_set(serverStatus_s) by timestamp, hostname_s, IPCustomEntity, SessionBlockedCount\n| extend BlockvsSuccessRatio = SessionBlockedCount/SuccessfulAccessLogCount\n| sort by BlockvsSuccessRatio desc, timestamp asc\n| where SessionBlockedCount > SuccessfulAccessLogCount \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "A potentially malicious web request was executed against a web server",
+ "enabled": false,
+ "description": "Detects unobstructed Web Application Firewall (WAF) activity in sessions where the WAF blocked incoming requests by computing the \nratio between blocked requests and unobstructed WAF requests in these sessions (BlockvsSuccessRatio metric). A high ratio value for \na given client IP and hostname calls for further investigation of the WAF data in that session, due to the significantly high number \nof blocked requests and a few unobstructed logs which may be malicious but have passed undetected through the WAF. The successCode \nvariable defines what the detection thinks is a successful status code, and should be altered to fit the environment.",
+ "alertRuleTemplateName": "46ac55ae-47b8-414a-8f94-89ccd1962178"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e087c373fb52522bd67011276cb80d7acbdfede0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:10 +0000
Subject: [PATCH 011/375] Exported file: AD FS Remote Auth Sync Connection.json.json
---
 .../AD FS Remote Auth Sync Connection.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
new file mode 100644
index 00000000..d8e5a274
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote Auth Sync Connection.json
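Review bot: `summarize minTime = min(TimeGenerated)` introduces a column that shadows the `let minTime = ago(1d)` scalar declared at the top of the query; the right-hand join leg's `where TimeGenerated > minTime` still binds to the scalar because it restarts from `AzureDiagnostics`, but the reuse is easy to misread, and renaming the column (`SessionFirstBlocked = min(TimeGenerated)`, `duration = maxTime - SessionFirstBlocked`) removes the ambiguity. The only mapped entity is `IPCustomEntity`, although `hostname_s` survives the final `summarize`; mapping it as an additional entity (e.g. DNS/DomainName) would put the targeted application on the alert. `successCode` includes `400`, `401`, `500` and `504`, which are error responses rather than successes — the description says the list is tunable, so a one-line comment in the query stating that these codes mean "the request reached the backend" would save the next operator from removing them.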
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7b61a883-0219-4ac3-8058-29afe81b8e7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// SamAccountName of AD FS Service Account. Filter on the use of a specific AD FS user account\n//let adfsuser = 'adfsadmin';\n// Identify ADFS Servers\nlet ADFS_Servers = (\n SecurityEvent\n //| where TimeGenerated > ago(timeframe+lookback)\n | where EventSourceName == 'AD FS Auditing'\n | distinct Computer\n);\nSecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // A token of type 'http://schemas.microsoft.com/ws/2006/05/servicemodel/tokens/SecureConversation'\n // for relying party '-' was successfully authenticated.\n | where EventID == 412\n | extend EventData = parse_xml(EventData).EventData.Data\n | extend InstanceId = tostring(EventData[0])\n| join kind=inner\n(\n SecurityEvent\n //| where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n // Events to identify caller identity from event 412\n | where EventID == 501\n | extend EventData = parse_xml(EventData).EventData.Data\n | where tostring(EventData[1]) contains 'identity/claims/name'\n | extend InstanceId = tostring(EventData[0])\n | extend ClaimsName = tostring(EventData[2])\n // Filter on the use of a specific AD FS user account\n //| where ClaimsName contains adfsuser\n)\non $left.InstanceId == $right.InstanceId\n| join kind=inner\n(\n SecurityEvent\n | where EventID == 5156\n | where Computer in~ (ADFS_Servers)\n | extend EventData = parse_xml(EventData).EventData.Data\n | mv-expand bagexpansion=array EventData\n | evaluate bag_unpack(EventData)\n | extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n | evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n | extend DestPort = column_ifexists(\"DestPort\", \"\"),\n Direction = column_ifexists(\"Direction\", \"\"),\n Application = column_ifexists(\"Application\", \"\"),\n DestAddress = column_ifexists(\"DestAddress\", \"\"),\n SourceAddress = column_ifexists(\"SourceAddress\", \"\"),\n SourcePort = column_ifexists(\"SourcePort\", \"\")\n // Look for inbound connections from endpoints on port 80\n | where DestPort == 80 and Direction == '%%14592' and Application == 'System'\n | where DestAddress !in ('::1','0:0:0:0:0:0:0:1') \n)\non $left.Computer == $right.Computer\n| project TimeGenerated, Computer, ClaimsName, SourceAddress, SourcePort\n| extend HostCustomEntity = Computer, AccountCustomEntity = ClaimsName, IPCustomEntity = SourceAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote Auth Sync Connection",
+ "enabled": false,
+ "description": "This detection uses Security events from the \"AD FS Auditing\" provider to detect suspicious authentication events on an AD FS server. The results then get\ncorrelated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server.\nThis could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract\nsensitive information such as AD FS certificates.\nIn order to use this query you need to enable AD FS auditing on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 20ae2a07f544f0f9126609383d0ca41513b321e2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:11 +0000
Subject: [PATCH 012/375] Exported file: AD FS Remote HTTP Network Connection.json.json
---
 .../AD FS Remote HTTP Network Connection.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
diff --git a/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
new file mode 100644
index 00000000..bd68ae23
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD FS Remote HTTP Network Connection.json
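Review bot: The loopback exclusion `DestAddress !in ('::1','0:0:0:0:0:0:0:1')` covers only IPv6; if the Windows Filtering Platform logs local IPv4 traffic to port 80, `127.0.0.1` passes the filter and is reported as a remote connection, so `'127.0.0.1'` belongs in that list. The same IPv6-only exclusion appears in the next hunk (AD FS Remote HTTP Network Connection, `DestinationIp !in (...)`). The final `join kind=inner ... on $left.Computer == $right.Computer` pairs every EventID 412/501 authentication with every inbound port-80 connection seen on the same server during the query period, with no time-proximity constraint, so one day's port-80 connections are multiplied by the number of authentication events; binning both sides and joining on `Computer, TimeKey` would keep the result set proportional to the connections actually observed. The `timeframe`/`lookback` filters are commented out, so the rule now relies solely on `queryPeriod: P1D` for its window — worth a sentence in the description.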
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5835ecfd-6b56-4f8e-9719-74d85e34c077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 0d;\n// Adjust this to adjust detection timeframe\n//let timeframe = 1d;\n// Filter out other servers in the AD FS farm\nlet ADFSServersList = dynamic([\"ADFS02.domain.com\",\"ADFS03.domain.com\"]);\n// Start by identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer !in (ADFSServersList)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer\n);\n// Look for ADFS servers receiving connections over port 80\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"), TechniqueId = column_ifexists(\"TechniqueId\", \"\"), TechniqueName = column_ifexists(\"TechniqueName\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n| where EventID == 3\n// Look for endpoints connecting to the AD FS server over port 80\n| extend DestinationPort = column_ifexists(\"DestinationPort\", \"\"), Image = column_ifexists(\"Image\", \"\"), Initiated = column_ifexists(\"Initiated\", \"\"), SourceIp = column_ifexists(\"DestinationIp\", \"\"), DestinationIp = column_ifexists(\"DestinationIp\", \"\")\n| where DestinationPort == 80\n| extend process = split(Image, '\\\\', -1)[-1]\n// Look for the System process receiving connections\n| where process == 'System' and Initiated == 'false'\n| where DestinationIp !in ('::1','0:0:0:0:0:0:0:1')\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, Operation, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName, IPCustomEntity = SourceIp\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "AD FS Remote HTTP Network Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon events (NetworkConnect events) to detect incoming network traffic on port 80 on AD FS servers. This could be a sign of a threat actor\ntrying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates.\nIn order to use this query you need to enable Sysmon telemetry on the AD FS Server.\nReference: https://twitter.com/OTR_Community/status/1387038995016732672\n",
+ "alertRuleTemplateName": "d57c33a9-76b9-40e0-9dfa-ff0404546410"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ebc6e233ba6701f3ef302eaf1c648fabdc1ff227 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:12 +0000
Subject: [PATCH 013/375] Exported file: AD account with Don't Expire Password.json.json
---
 ...AD account with Don't Expire Password.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
diff --git a/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json
new file mode 100644
index 00000000..f732ef14
--- /dev/null
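Review bot: `SourceIp = column_ifexists(\"DestinationIp\", \"\")` reads the destination column into the source field, so `IPCustomEntity = SourceIp` maps the AD FS server's own address rather than the remote peer that connected on port 80 — every alert's IP entity will point at the server, not at the host to investigate. The line should read `SourceIp = column_ifexists(\"SourceIp\", \"\")` (Sysmon EventID 3 carries a `SourceIp` field). `let ADFSServersList = dynamic([\"ADFS02.domain.com\",\"ADFS03.domain.com\"])` is left with placeholder hostnames and is used as an exclusion (`Computer !in (ADFSServersList)`), so as exported it excludes nothing real and must be customized per environment; a comment on that `let` saying so would stop the rule being deployed as-is.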
+++ b/SentinelExported-AnalyticsRule/AD account with Don't Expire Password.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91011f1e-3186-450d-9cd7-83e9c840508a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nSecurityEvent\n| where EventID == 4738\n// 2089 value indicates the Don't Expire Password value has been set\n| where UserAccountControl has \"%%2089\" \n| extend Value_2089 = iff(UserAccountControl has \"%%2089\",\"'Don't Expire Password' - Enabled\", \"Not Changed\")\n// 2050 indicates that the Password Not Required value is NOT set, this often shows up at the same time as a 2089 and is the recommended value. This value may not be in the event. \n| extend Value_2050 = iff(UserAccountControl has \"%%2050\",\"'Password Not Required' - Disabled\", \"Not Changed\")\n// If value %%2082 is present in the 4738 event, this indicates the account has been configured to logon WITHOUT a password. Generally you should only see this value when an account is created and only in Event 4720: Account Creation Event. \n| extend Value_2082 = iff(UserAccountControl has \"%%2082\",\"'Password Not Required' - Enabled\", \"Not Changed\")\n| project StartTime = TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, AccountType, UserAccountControl, Value_2089, Value_2050, Value_2082, SubjectAccount\n| extend timestamp = StartTime, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD account with Don't Expire Password",
+ "enabled": false,
+ "description": "Identifies whenever a user account has the setting \"Password Never Expires\" in the user account properties selected.\nThis is indicated in Security event 4738 in the EventData item labeled UserAccountControl with an included value of %%2089.\n%%2089 resolves to \"Don't Expire Password - Enabled\".",
+ "alertRuleTemplateName": "6c360107-f3ee-4b91-9f43-f4cfd90441cf"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 30f79a62cc64a71bb8a0580bf197d18893b49542 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:13 +0000
Subject: [PATCH 014/375] Exported file: AD user enabled and password not set within 48 hours.json.json
---
 ... and password not set within 48 hours.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
diff --git a/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
new file mode 100644
index 00000000..f860a774
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AD user enabled and password not set within 48 hours.json
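Review bot: `Value_2089 = iff(UserAccountControl has \"%%2089\", ...)` can only ever take the 'Enabled' branch, because the preceding `where UserAccountControl has \"%%2089\"` has already dropped every other row; it can be replaced by a constant, `| extend Value_2089 = \"'Don't Expire Password' - Enabled\"`, so the three `Value_*` columns no longer look symmetric when only two are conditional. The in-query comment notes that `%%2082` (logon without a password) is normally seen only in EventID 4720, yet its presence in a 4738 is surfaced only as the `Value_2082` column at `severity: Low`; if that combination is the case operators care about most, it likely deserves its own `where` or a higher severity — confirm the intended triage path. Accounts for which a non-expiring password is policy (service accounts, for example) will alert on every change, so a tuning point such as a watchlist-based `TargetAccount` exclusion is worth mentioning in the description.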
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b4b2f57-ace1-4d2d-9793-942442bc9668')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P3D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| project TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Account Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdSet on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttemptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\n| order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, Time_Event4723, PasswordSetAttemptDelta_Min, TargetAccount, TargetSid\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "AD user enabled and password not set within 48 hours",
+ "enabled": false,
+ "description": "Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an account was enabled and within 48 hours, no event 4723 occurs which \nindicates there was no attempt by the user to set the password. This will show any attempts (success or fail) that occur \nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company policy.",
+ "alertRuleTemplateName": "62085097-d113-459f-9ea7-30216f2ee6af"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b935ac48ad266a43abf3cbb44f7467c8b90bb858 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:13 +0000
Subject: [PATCH 015/375] Exported file: ADFS DKM Master Key Export.json.json
---
 .../ADFS DKM Master Key Export.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
diff --git a/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
new file mode 100644
index 00000000..291cf211
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ADFS DKM Master Key Export.json
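Review bot: The `or isempty(PasswordSetAttemptDelta_Min)` branch fires for any 4722 with no matching 4723 in the window, including accounts enabled minutes before the run, so the rule alerts before the 48 hours promised by the display name and description have elapsed; restricting that branch to older enablements, `| where PasswordSetAttemptDelta_Min > 2880 or (isempty(PasswordSetAttemptDelta_Min) and Time_Event4722 < ago(2d))`, makes the leftouter-join result match the stated logic. With `queryFrequency` P1D and `queryPeriod` P3D, the same 4722 stays in scope for three consecutive runs and re-alerts each day, since `suppressionEnabled` and incident grouping are both `false`. The 2880-minute threshold is hard-coded while the description asks operators to adjust it; lifting it into a `let` beside `starttime` would make the tuning point explicit and keep the `Reason` text in step with it.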
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2cca3599-da9a-4231-a9d2-b1f733201dbd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2cca3599-da9a-4231-a9d2-b1f733201dbd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "(union isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains ' Date: Sun, 26 Feb 2023 02:15:14 +0000 Subject: [PATCH 016/375] Exported file: ADFS Database Named Pipe Connection.json.json --- .../ADFS Database Named Pipe Connection.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json diff --git a/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json new file mode 100644 index 00000000..aff745de --- /dev/null +++ b/SentinelExported-AnalyticsRule/ADFS Database Named Pipe Connection.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee43dc07-3a2f-4c4d-b460-557389385470')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Adjust this to use a longer timeframe to identify ADFS servers\n//let lookback = 6d;\n// Adjust this to adjust the key export detection timeframe\n//let timeframe = 1d;\n// Start be identifying ADFS servers to reduce FP chance\nlet ADFS_Servers = (\nEvent\n//| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\")\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| summarize by Computer);\n// Look for ADFS servers where Named Pipes event are present\nEvent\n//| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 18\n| where Computer in~ (ADFS_Servers)\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend RuleName = column_ifexists(\"RuleName\", \"\"),\n TechniqueId = column_ifexists(\"TechniqueId\", \"\"),\n TechniqueName = column_ifexists(\"TechniqueName\", \"\"),\n Image = column_ifexists(\"Image\", \"\"),\n PipeName = column_ifexists(\"PipeName\", \"\"),\n EventType = column_ifexists(\"EventType\", \"\")\n| parse RuleName with * 'technique_id=' TechniqueId ',' * 'technique_name=' TechniqueName\n// Look for Pipe related to querying the WID\n| where PipeName == \"\\\\MICROSOFT##WID\\\\tsql\\\\query\"\n| extend process = split(Image, '\\\\', -1)[-1]\n// Exclude expected processes\n| where process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", \"Microsoft.Identity.Health.Adfs.PshSurrogate.exe\", \"AzureADConnect.exe\", \"Microsoft.Tri.Sensor.exe\", \"wsmprovhost.exe\",\"mmc.exe\", \"sqlservr.exe\")\n| extend Operation = RenderedDescription\n| project-reorder TimeGenerated, EventType, Operation, process, Image, Computer, UserName\n| extend HostCustomEntity = Computer, AccountCustomEntity = UserName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "ADFS Database Named Pipe Connection",
+ "enabled": false,
+ "description": "This detection uses Sysmon telemetry to detect suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nIn order to use this query you need to be collecting Sysmon EventIdD 18 (Pipe Connected).\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\nFailed to resolve scalar expression named \"[@Name]\"",
+ "alertRuleTemplateName": "dcdf9bfc-c239-4764-a9f9-3612e6dff49c"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ebb5eb4fb5cd6f4080c412581f6ea981253bf13c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:15 +0000
Subject: [PATCH 017/375] Exported file: AWS Guard Duty Alert.json.json
---
 .../AWS Guard Duty Alert.json | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
diff --git a/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
new file mode 100644
index 00000000..60586c45
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/AWS Guard Duty Alert.json
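Review bot: The process allow-list `process !in (\"Microsoft.IdentityServer.ServiceHost.exe\", ...)` is case-sensitive, while the server-identification step earlier in the query uses `process =~` (case-insensitive); an image path logged with different casing would slip past the list and raise a false positive on an expected process, so `!in~` would be the consistent choice. The list also excludes `wsmprovhost.exe` and `mmc.exe`, which means WID named-pipe access performed through a WinRM-hosted or MMC session is outside this rule's coverage by design; stating that boundary in the description lets operators pair the rule with complementary telemetry rather than assume full coverage. The description contains the typo `EventIdD 18` (should read `EventID 18`).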
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e137990-3aad-4695-8ea5-eac1e16a9451')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e137990-3aad-4695-8ea5-eac1e16a9451')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AWSGuardDuty | extend tokens = split(ActivityType,\":\") | extend ThreatPurpose = tokens[0], tokens= split(tokens[1],\"/\") | extend ResourceTypeAffected = tokens[0], ThreatFamilyName= tokens[1] | extend UniqueFindingId = Id | extend AWSAcoundId = AccountId | project-away tokens,ActivityType, Id, AccountId | project-away TimeGenerated, TenantId, SchemaVersion, Region, Partition | extend Severity= iff(Severity between (7.0..8.9),\"High\",iff(Severity between (4.0..6.9), \"Medium\", iff(Severity between (1.0..3.9),\"Low\",\"Unknown\")))", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [], + "techniques": null, + "displayName": "AWS Guard Duty Alert", + "enabled": false, + "description": "Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and 
delivers detailed security findings for visibility and remediation. This templates create an alert for each Amazon GuardDuty finding.", + "alertRuleTemplateName": "bf0cde21-0c41-48f6-a40c-6b5bd71fa106" + } + } + ] +} \ No newline at end of file From e9281fbd780fcf3942f0f7ae4ab6eeaa942b027c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:16 +0000 Subject: [PATCH 018/375] Exported file: Account Created and Deleted in Short Timeframe.json.json --- ...reated and Deleted in Short Timeframe.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json diff --git a/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json new file mode 100644 index 00000000..a3a2cb27 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account Created and Deleted in Short Timeframe.json 
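Review bot: The query defines `AWSAcoundId` (`| extend AWSAcoundId = AccountId`), a misspelling that will propagate into alert output and into any automation keyed on that column; `| extend AWSAccountId = AccountId` is the intended name. The rule also ships with no `entityMappings` and an empty `tactics` array, so incidents created from it carry no Account or IP entities even though the account id and finding fields are available in the projected columns. `project-away TimeGenerated` additionally drops the event timestamp from the result, which makes correlating an alert back to the original GuardDuty finding harder; consider keeping it.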
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d7cf4e3-5165-4bce-8aa8-9afdbc1959cd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where OperationName =~ \"Add user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| join kind=inner (AuditLogs\n| where OperationName =~ \"Delete user\"\n| extend UPN = tostring(TargetResources[0].userPrincipalName)\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN\n| extend timedelta = TimeGenerated1 - TimeGenerated\n| project-reorder TimeGenerated, TimeGenerated1, timedelta\n| where timedelta < timespan(24h) and timedelta > timespan(0h)\n| extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + 
"displayName": "Account Created and Deleted in Short Timeframe", + "enabled": false, + "description": "Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours. Attackers may create an account for their use, and then remove the account when no longer needed.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-account", + "alertRuleTemplateName": "bb616d82-108f-47d3-9dec-9652ea0d3bf6" + } + } + ] +} \ No newline at end of file From d315e34d84599528957a9bca230ee5e6ccd4b3de Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:17 +0000 Subject: [PATCH 019/375] Exported file: Account added and removed from privileged groups.json.json --- ...ed and removed from privileged groups.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json diff --git a/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json new file mode 100644 index 00000000..51ad12f9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account added and removed from privileged groups.json 
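Review bot: The query emits `CustomAccountEntity = UPN`, but `entityMappings` only maps `IPCustomEntity`, so the account that was created and deleted never becomes an Account entity on the incident; add an Account mapping (`"identifier": "FullName", "columnName": "AccountCustomEntity"`) and rename the column to `AccountCustomEntity` to match the other rules in this series. Note also that both the `Add user` and `Delete user` events must fall inside the same `P1D` query window for the `join` to match, so a pair that straddles two runs is missed despite the 24-hour `timedelta` test.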
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e3d218b4-cb49-40bb-ac39-4892088ba6c1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet AC_Add = \nSecurityEvent\n// Event ID related to member addition.\n| where EventID in (4728, 4732,4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountAdded \",OU\" *\n| where isnotempty(AccountAdded)\n| extend GroupAddedTo = TargetUserName, AddingAccount = Account \n| extend AccountAdded_GroupAddedTo_AddingAccount = strcat(AccountAdded, \"||\", GroupAddedTo, \"||\", AddingAccount )\n| project AccountAdded_GroupAddedTo_AddingAccount, AccountAddedTime = TimeGenerated;\nlet AC_Remove = \nSecurityEvent\n// Event IDs related to member removal.\n| where EventID in (4729,4733,4757)\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID \n| parse EventData with * '\"MemberName\">' * '=' AccountRemoved \",OU\" * \n| where 
isnotempty(AccountRemoved)\n| extend GroupRemovedFrom = TargetUserName, RemovingAccount = Account\n| extend AccountRemoved_GroupRemovedFrom_RemovingAccount = strcat(AccountRemoved, \"||\", GroupRemovedFrom, \"||\", RemovingAccount)\n| project AccountRemoved_GroupRemovedFrom_RemovingAccount, AccountRemovedTime = TimeGenerated, Computer, RemovedAccountId = tolower(AccountRemoved), \nRemovedByUser = SubjectUserName, RemovedByUserLogonId = SubjectLogonId, GroupRemovedFrom = TargetUserName, TargetDomainName; \nAC_Add \n| join kind= inner AC_Remove on $left.AccountAdded_GroupAddedTo_AddingAccount == $right.AccountRemoved_GroupRemovedFrom_RemovingAccount \n| extend DurationinSecondAfter_Removed = datetime_diff ('second', AccountRemovedTime, AccountAddedTime)\n| where DurationinSecondAfter_Removed > 0\n| project-away AccountRemoved_GroupRemovedFrom_RemovingAccount\n| extend timestamp = AccountAddedTime, AccountCustomEntity = RemovedAccountId, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Account added and removed from privileged groups", + "enabled": false, + "description": "Identifies accounts that are added to privileged group and then quickly removed, which could be a sign of compromise.", + "alertRuleTemplateName": 
"7efc75ce-e2a4-400f-a8b1-283d3b0f2c60" + } + } + ] +} \ No newline at end of file From 6cb861361482e220a9d10ab3e63af4f2a7b22644 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:17 +0000 Subject: [PATCH 020/375] Exported file: Account created or deleted by non-approved user.json.json --- ...eated or deleted by non-approved user.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json diff --git a/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json new file mode 100644 index 00000000..71abee6a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Account created or deleted by non-approved user.json 
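Review bot: In the query string starting at `let WellKnownLocalSID`, `parse EventData with * '"MemberName">' * '=' AccountAdded ",OU" *` (and the matching `AccountRemoved` parse in `AC_Remove`) only succeeds when the member DN continues with `,OU=`; a member whose DN is `CN=<name>,CN=Users,DC=...` (the default Users container) yields an empty `AccountAdded`, is discarded by `isnotempty`, and the add/remove pair is never reported. Parsing up to the first `,` regardless of the following RDN, e.g. `* '=' AccountAdded ',' *`, would cover both layouts (escaped commas inside a CN would still need checking). `GroupRemovedFrom = TargetUserName` is also computed twice in `AC_Remove`, once in `extend` and again in `project`; the second is redundant.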
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3bef0ebd-28b7-465d-9f37-f2e69d390dbc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Add non-approved user principal names to the list below to search for their account creation/deletion activity\n// ex: dynamic([\"UPN1\", \"upn123\"])\nlet nonapproved_users = dynamic([]);\nAuditLogs\n| where OperationName == \"Add user\" or OperationName == \"Delete user\"\n| where Result == \"success\"\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| where InitiatingUser has_any (nonapproved_users)\n| project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources\n| extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Account created or deleted by non-approved user", + "enabled": false, + "description": "Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts", + "alertRuleTemplateName": "6d63efa6-7c25-4bd4-a486-aa6bf50fde8a" + } + } + ] +} \ No newline at end of file From 946775455903be6842948db6b07cfd9f5d655e53 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:18 +0000 Subject: [PATCH 021/375] Exported file: Admin promotion after Role Management Application Permission Grant.json.json --- ...nagement Application Permission Grant.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json diff --git a/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json new file mode 100644 index 00000000..fac376d0 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Admin promotion after Role Management Application Permission Grant.json 
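Review bot: `| where InitiatingUser has_any (nonapproved_users)` performs term matching rather than equality, so a list entry such as `jdoe` also matches `jdoe2@contoso.com` and any UPN containing that term; for a list of exact UPNs `| where InitiatingUser in~ (nonapproved_users)` is the intended test. With the list left as `dynamic([])` the rule silently returns no rows, which the description acknowledges, but a comment next to the `let` (`// empty list => rule never fires`) would make that explicit to whoever enables the template.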
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/798fde9b-d47c-4158-99e0-326a7f4e29d6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/798fde9b-d47c-4158-99e0-326a7f4e29d6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName =~ \"Add app role assignment to service principal\"\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"AppRole.Value\"\n| extend AppRole = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where AppRole has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue)))\n| project TimeGenerated, OperationName, Initiator, Target, TargetId, Result\n| join kind=innerunique (\n AuditLogs\n | where LoggedByService =~ \"Core 
Directory\"\n | where Category =~ \"RoleManagement\"\n | where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n | where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n | mv-expand TargetResources\n | mv-expand TargetResources.modifiedProperties\n | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n | where displayName_ =~ \"Role.DisplayName\"\n | extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n | where RoleName contains \"Admin\"\n | extend Initiator = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend InitiatorId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\n | extend TargetUser = tostring(TargetResources.userPrincipalName)\n | extend Target = iif(isnotempty(TargetUser), TargetUser, tostring(TargetResources.displayName))\n | extend TargetType = tostring(TargetResources.type)\n | extend TargetId = tostring(TargetResources.id)\n | project TimeGenerated, OperationName, RoleName, Initiator, InitiatorId, Target, TargetId, TargetType, Result\n) on $left.TargetId == $right.InitiatorId\n| extend TimeRoleMgGrant = TimeGenerated, TimeAdminPromo = TimeGenerated1, ServicePrincipal = Initiator1, ServicePrincipalId = InitiatorId,\n TargetObject = Target1, TargetObjectId = TargetId1, TargetObjectType = TargetType\n| where TimeRoleMgGrant < TimeAdminPromo\n| project TimeRoleMgGrant, TimeAdminPromo, RoleName, ServicePrincipal, ServicePrincipalId, TargetObject, TargetObjectId, TargetObjectType\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "PrivilegeEscalation", + "Persistence" + ], + 
"techniques": null, + "displayName": "Admin promotion after Role Management Application Permission Grant", + "enabled": false, + "description": "This rule looks for a service principal being granted the Microsoft Graph RoleManagement.ReadWrite.Directory (application) permission before being used to add an Azure AD object or user account to an Admin directory role (i.e. Global Administrators).\nThis is a known attack path that is usually abused when a service principal already has the AppRoleAssignment.ReadWrite.All permission granted. This permission Allows an app to manage permission grants for application permissions to any API.\nA service principal can promote itself or other service principals to admin roles (i.e. Global Administrators). This would be considered a privilege escalation technique.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions, https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "alertRuleTemplateName": "f80d951a-eddc-4171-b9d0-d616bb83efdc" + } + } + ] +} \ No newline at end of file From 93933bdfd0323e0ee16fa9f17a0031ccdcd45dc7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:19 +0000 Subject: [PATCH 022/375] Exported file: Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json.json --- ...ware - IP, Hash IOCs - September 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json diff --git a/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json new file mode 100644 index 00000000..2fbc7ec6 --- /dev/null 
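Review bot: `TargetResources.modifiedProperties[4].newValue` and `[3].newValue` select the target service principal's name and id by array position, which is brittle: the order of `modifiedProperties` in AuditLogs is not guaranteed, and a shift silently produces an empty `TargetId`, which breaks the `$left.TargetId == $right.InitiatorId` join and suppresses the detection. Selecting the properties by their `displayName`, as the query already does for `AppRole.Value`, would be robust. The rule also defines no `entityMappings`, so `ServicePrincipal`, `TargetObject` and `TargetObjectId` never reach the incident as entities.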
+++ b/SentinelExported-AnalyticsRule/Alert for IOCs related to Windows_ELF malware - IP, Hash IOCs - September 2021.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dece78df-9bea-4625-9457-d4a37e01a4a8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dece78df-9bea-4625-9457-d4a37e01a4a8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let IPList = dynamic([\"185.63.90.137\"]); \nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = \ndynamic([\"53854c6d163bfd0c56d8b297ac43bd25c21f696de6063031241e792ee65df441\",\n\"c297e545b8f150cc5ff56dbb68dc74fe30a421d9d40f38f4a53083192697c44c\",\n\"17921368901f23e0cad0d2fe4ce5694aebaf4727699ed0358117500701914d1b\",\n\"198a2d42df010d838b4207f478d885ef36e3db13b1744d673e221b828c28bf77\",\n\"71d7b48c2fdc7b57b104a7858a35165bbed21d2fa7e34828d6c1d50b2b33a1d0\",\n\"601227d52c6e367e11b80240183d07d38bc11a88e844e8401fce17eb25e92ba8\",\n\"63ff04bed4fdb120a9cb9b1ea7fd88e83f12fb01ab6a057088f8016e663b48d4\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\",\n\"e19b8be1b21c066d60725e550f8455f824065abbf1b43f7b2fe4fb338b241ffc\",\n\"a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7\"\n]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = 
case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", MessageIP in (IPList), \"Message\", \"NoMatch\")\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) \n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost) \n| where SourceHost in (IPList) or DestinationHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(DeviceFileEvents\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n| where FileHash in (sha256Hashes)\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(SecurityEvent\n| where EventID 
== '4688'\n| where NewProcessName in (IPList) \n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Alert for IOCs related to Windows/ELF malware - IP, Hash IOCs - September 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for IP,hashes and IOCs related to Windows/ELF malware published by Black Lotus Labs\nReference: \nhttps://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/\nhttps://github.com/ManuelBerrueta/YARA-rules/blob/master/BlackLotusLabs-WSLMalware/BLL_SneakyWSL.yar", + "alertRuleTemplateName": "d992b87b-eb49-4a9d-aa96-baacf9d26247" + } + } + ] +} \ No newline at end of file From 86022ec77fbf6e737e2fa119a13924d71aea3735 Mon Sep 17 00:00:00 2001 
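Review bot: The `SecurityEvent` branch of the union (`| where EventID == '4688' | where NewProcessName in (IPList)`) compares a process path with the IP list, so it can never match; if the intent is to catch an IOC IP in a launched command, `| where CommandLine has_any (IPList)` is the comparable test (and `CommandLine` would then need to be projected). The `sha256Hashes` list also contains `a3037c3389b811bc1404f719af5c8b9034c5e24710cf3a0b457d28bf1b922cf7` twice, and the `IPMatch` `case()` in the first `CommonSecurityLog` branch repeats the `MessageIP in (IPList), "Message"` arm; both duplicates are harmless but look like copy-paste slips worth tidying before the list is maintained further.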
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:20 +0000 Subject: [PATCH 023/375] Exported file: Alsid Active Directory attacks pathways.json.json --- ...sid Active Directory attacks pathways.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json diff --git a/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json new file mode 100644 index 00000000..892797cf --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid Active Directory attacks pathways.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b129d496-e02c-479f-a5c7-16cc71ef63ad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b129d496-e02c-479f-a5c7-16cc71ef63ad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Alsid Active Directory attacks pathways", + "enabled": false, + "description": "Searches for triggered Indicators of Exposures related to Active Directory attacks pathways", + 
"alertRuleTemplateName": "9649e203-3cb7-47ff-89a9-42f2a5eefe31" + } + } + ] +} \ No newline at end of file From 39f48d981d993b83cfea56f6c225d567a15dac51 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:20 +0000 Subject: [PATCH 024/375] Exported file: Alsid DCShadow.json.json --- .../Alsid DCShadow.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Alsid DCShadow.json diff --git a/SentinelExported-AnalyticsRule/Alsid DCShadow.json b/SentinelExported-AnalyticsRule/Alsid DCShadow.json new file mode 100644 index 00000000..177269e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Alsid DCShadow.json 
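Review bot: The query reads from `afad_parser`, a workspace function that this ARM template neither deploys nor lists as a dependency, so deploying the template on its own yields a rule that fails at run time with an unresolved-name error; the same applies to the `Alsid DCShadow` and `Alsid DCSync` hunks that follow. A sentence in `description` such as `Requires the afad_parser function to be present in the workspace` would make the prerequisite visible. Separately, `lookup kind=leftouter SeverityTable on Severity` is case-sensitive and `SeverityTable` holds lowercase keys, so mixed-case `Severity` values from the parser would get a null `Level` — TODO confirm what the parser emits.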
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/534eed88-50e6-4584-a8f0-c245d16537e9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCShadow\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCShadow",
+ "enabled": false,
+ "description": "Searches for DCShadow attacks",
+ "alertRuleTemplateName": "25e0b2dd-3ad3-4d5b-80dd-720f4ef0f12c"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e26e9bff88a410d34ebe9463a614fd3157db0bbb Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:21 +0000
Subject: [PATCH 025/375] Exported file: Alsid DCSync.json.json
---
.../Alsid DCSync.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid DCSync.json
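Review bot: `"techniques": null` leaves the incident without an ATT&CK technique although the detection is specific enough to carry one: DCShadow is T1207 (Rogue Domain Controller), which also matches the `DefenseEvasion` tactic already set, so `"techniques": ["T1207"]`. The `Codename == \"DCShadow\"` test is case-sensitive whereas the exposure rules in this series compare with `in~`; a casing change on the vendor side would silently mute this rule, so `=~` is the safer comparison. As with the other Alsid exports there are no `entityMappings`, so the incident will have nothing to pivot on.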
diff --git a/SentinelExported-AnalyticsRule/Alsid DCSync.json b/SentinelExported-AnalyticsRule/Alsid DCSync.json
new file mode 100644
index 00000000..9b75999f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid DCSync.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f440c27a-949f-44a8-8617-6533617ce4c6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"DCSync\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid DCSync",
+ "enabled": false,
+ "description": "Searches for DCSync attacks",
+ "alertRuleTemplateName": "d3c658bd-8da9-4372-82e4-aaffa922f428"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 2a8643268302703e7e369697f2dd9424f07e2d3b Mon Sep 17 00:00:00 2001
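Review bot: `"techniques": null` should be filled in: DCSync is T1003.006 under T1003 (OS Credential Dumping), so `"techniques": ["T1003"]` (or the sub-technique ID if this API version accepts one) gives the incident the mapping the `CredentialAccess` tactic already implies. The rule has no `entityMappings`, so the account performing the replication and its source host — the first two things an analyst needs for DCSync — will not be attached to the incident, assuming `afad_parser` exposes them. Every row this rule matches also matches the `Alsid Indicators of Attack` catch-all in this series, so enabling both produces two incidents per event.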
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:22 +0000
Subject: [PATCH 026/375] Exported file: Alsid Golden Ticket.json.json
---
.../Alsid Golden Ticket.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
new file mode 100644
index 00000000..605710d8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Golden Ticket.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6b7994e-ae58-499c-bdac-a7035e8858de')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Golden Ticket\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Golden Ticket",
+ "enabled": false,
+ "description": "Searches for Golden Ticket attacks",
+ "alertRuleTemplateName": "21ab3f52-6d79-47e3-97f8-ad65f2cb29fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 5649f9de364a88cd2428df4168fe2e3b62d4006f Mon Sep 17 00:00:00 2001
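Review bot: `"techniques": null` could be `"techniques": ["T1558"]` (Steal or Forge Kerberos Tickets; Golden Ticket is sub-technique T1558.001), which is consistent with the `CredentialAccess` tactic. The exact match `Codename == \"Golden Ticket\"` is case-sensitive, unlike the `in~` used by the exposure rules in this series, and a forged-TGT detection is precisely the one you do not want muted by a label change, so `=~` is preferable. Without `entityMappings` the incident will not show the impersonated account or the host, if the parser provides them.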
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:23 +0000
Subject: [PATCH 027/375] Exported file: Alsid Indicators of Attack.json.json
---
.../Alsid Indicators of Attack.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
new file mode 100644
index 00000000..eabbaa2e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Attack.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22cf036c-2193-4352-9fb5-869ed7dc00a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 2\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Attack",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Attack",
+ "alertRuleTemplateName": "3caa67ef-8ed3-4ab5-baf2-3850d3667f3d"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 50c3f0703ebb08ce84ce63a1a210c7ea4c7cda84 Mon Sep 17 00:00:00 2001
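Review bot: This catch-all on `MessageType == 2` is a strict superset of the dedicated `Alsid DCShadow`, `DCSync`, `Golden Ticket`, `LSASS Memory`, `Password Guessing` and `Password Spraying` rules in this series, so with all of them enabled every attack indicator raises two incidents; either exclude those codenames here (`| where Codename !in~ (dedicatedCodenames)`) or treat this as the single IoA rule. The `SeverityTable` lookup and `order by Level` have no effect on alerting because the alert severity is the static `"severity": "Low"`, which means a `critical` attack indicator from the source opens a Low incident; `alertDetailsOverride.alertSeverityColumnName` with the source values mapped to Sentinel severities would fix that. Like the other Alsid exports it has no `entityMappings`.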
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:24 +0000
Subject: [PATCH 028/375] Exported file: Alsid Indicators of Exposures.json.json
---
.../Alsid Indicators of Exposures.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
new file mode 100644
index 00000000..a3fa8625
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Indicators of Exposures.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ee0fdf-b347-449d-8cdb-b750cc062e02')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nafad_parser\n| where MessageType == 0\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Indicators of Exposures",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures",
+ "alertRuleTemplateName": "154fde9f-ae00-4422-a8da-ef00b11da3fc"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c5a6d9df069a52a7646d720ecc426bce459af819 Mon Sep 17 00:00:00 2001
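Review bot: This rule matches every `MessageType == 0` row, which includes everything the `Active Directory attacks pathways`, `Password issues`, `privileged accounts issues` and `user accounts issues` exports already alert on, so enabling it alongside them duplicates every exposure incident. With `triggerThreshold` 0 and a two-hour schedule it will also re-raise the same exposure on every run for as long as the source keeps emitting it; whether afad reports an exposure once or continuously is not visible here and is worth confirming before the rule is enabled. The ranking by `Level` is again unused because `severity` is fixed at Low.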
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:24 +0000
Subject: [PATCH 029/375] Exported file: Alsid LSASS Memory.json.json
---
.../Alsid LSASS Memory.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
diff --git a/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
new file mode 100644
index 00000000..60c47531
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid LSASS Memory.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/52bb7be6-1fb5-424b-bb24-84d427d91626')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"OS Credential Dumping: LSASS Memory\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid LSASS Memory",
+ "enabled": false,
+ "description": "Searches for OS Credentials dumping attacks",
+ "alertRuleTemplateName": "3acf5617-7c41-4085-9a79-cc3a425ba83a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1af44eb9441c146709b351343be962ba58b25f43 Mon Sep 17 00:00:00 2001
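Review bot: `"techniques": null` can be `"techniques": ["T1003"]` (OS Credential Dumping; LSASS Memory is T1003.001), which is what the `CredentialAccess` tactic and the vendor label already say. The codename match `== \"OS Credential Dumping: LSASS Memory\"` is a long, case-sensitive, vendor-formatted label and the most fragile of the exact matches in this series; `=~` or `Codename has \"LSASS\"` would survive a punctuation or casing change on the source side. No `entityMappings` are defined, so the host whose LSASS was read will not be on the incident even if `afad_parser` supplies it.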
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:25 +0000
Subject: [PATCH 030/375] Exported file: Alsid Password Guessing.json.json
---
.../Alsid Password Guessing.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Guessing.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Guessing.json b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
new file mode 100644
index 00000000..02fbf5c1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Guessing.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d4f0a426-2354-416f-9999-b8d28d3e93ed')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Guessing",
+ "enabled": false,
+ "description": "Searches for bruteforce Password Guessing attacks",
+ "alertRuleTemplateName": "ba239935-42c2-472d-80ba-689186099ea1"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9ee5e30fdba08c195950c6ecf287604d42ace8ec Mon Sep 17 00:00:00 2001
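Review bot: `"techniques": null` could be `"techniques": ["T1110"]` (Brute Force; Password Guessing is T1110.001), matching the `CredentialAccess` tactic. Because grouping is disabled and the rule runs every two hours, a guessing campaign that spans several windows opens one incident per window; enabling `groupingConfiguration` on the targeted account would collapse them, but that first requires `entityMappings`, which this export lacks. The rule is also fully covered by the `Alsid Indicators of Attack` catch-all in this series, so both should not be enabled together without deduplication.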
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:26 +0000
Subject: [PATCH 031/375] Exported file: Alsid Password Spraying.json.json
---
.../Alsid Password Spraying.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password Spraying.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password Spraying.json b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
new file mode 100644
index 00000000..a72493ac
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password Spraying.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/51c23e70-6d7e-47c5-87b0-e798a636931d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password Spraying",
+ "enabled": false,
+ "description": "Searches for Password spraying attacks",
+ "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 53dc3d3fd452dde76816b033aa93fb6568d97c12 Mon Sep 17 00:00:00 2001
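Review bot: `"techniques": null` could be `"techniques": ["T1110"]` (Brute Force; Password Spraying is T1110.003). The rule is identical to `Alsid Password Guessing` apart from the codename, which is fine, but both are also matched by the `Alsid Indicators of Attack` catch-all, so one spraying run can open incidents from two rules if all are enabled. A spraying alert is most useful with the source host or IP attached, and with no `entityMappings` nothing is attached.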
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:27 +0000
Subject: [PATCH 032/375] Exported file: Alsid Password issues.json.json
---
.../Alsid Password issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid Password issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid Password issues.json b/SentinelExported-AnalyticsRule/Alsid Password issues.json
new file mode 100644
index 00000000..e0ebdc4d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid Password issues.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/370b2ef6-5d11-4827-a36a-eadd0cd821fe')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid Password issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to password issues",
+ "alertRuleTemplateName": "472b7cf4-bf1a-4061-b9ab-9fe4894e3c17"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 2c43b526122a1f37480a4878ce6c66b3d82ad156 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:28 +0000
Subject: [PATCH 033/375] Exported file: Alsid privileged accounts issues.json.json
---
.../Alsid privileged accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
new file mode 100644
index 00000000..41c05802
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid privileged accounts issues.json
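Review bot: The codename list overlaps with the other exposure rules in this series: `C-KRBTGT-PASSWORD` is also in `Alsid privileged accounts issues`, and `C-PASSWORD-DONT-EXPIRE` and `C-USER-PASSWORD` are also in `Alsid user accounts issues`, so each of those exposures opens two incidents when the rules are enabled together, on top of the `Alsid Indicators of Exposures` catch-all. Either make the lists disjoint or accept the duplication deliberately and say so in `description`. The `Level` ranking is unused because the alert severity is fixed at Low, and no `entityMappings` are defined.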
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80e77d48-d0f1-4d7d-bb68-2ad8123ba8db')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid privileged accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to privileged accounts issues",
+ "alertRuleTemplateName": "a5fe9489-cf8b-47ae-a87e-8f3a13e4203e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 449b2baf0005015e844355fd042a6ce27df08852 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:28 +0000
Subject: [PATCH 034/375] Exported file: Alsid user accounts issues.json.json
---
.../Alsid user accounts issues.json | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Alsid user accounts issues.json
diff --git a/SentinelExported-AnalyticsRule/Alsid user accounts issues.json b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
new file mode 100644
index 00000000..07a811e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Alsid user accounts issues.json
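Review bot: `C-PRIV-ACCOUNTS-SPN` is also listed in `Alsid Active Directory attacks pathways` and `C-KRBTGT-PASSWORD` in `Alsid Password issues`, so those two exposures raise duplicate incidents when the rules are enabled together. Privileged-account exposures are where the static `"severity": "Low"` is most misleading: the source's own `Severity` is looked up into `Level` and then discarded, whereas `alertDetailsOverride.alertSeverityColumnName` on a mapped column would surface it. No `entityMappings` means the affected account is not attached to the incident, if the parser provides it.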
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c895ed04-d628-4d7d-ad3d-63afd80aa2a9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let SeverityTable=datatable(Severity:string,Level:int) [\n\"low\", 1,\n\"medium\", 2,\n\"high\", 3,\n\"critical\", 4\n];\nlet codeNameList = datatable(Codename:string)[\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\"];\nafad_parser\n| where MessageType == 0 and Codename in~ (codeNameList)\n| lookup kind=leftouter SeverityTable on Severity\n| order by Level\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Alsid user accounts issues",
+ "enabled": false,
+ "description": "Searches for triggered Indicators of Exposures related to user accounts issues",
+ "alertRuleTemplateName": "fb9e0b51-8867-48d7-86f4-6e76f2176bf8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 31ae04cde7d9898c068e089e66012d15bb658d5b Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:29 +0000
Subject: [PATCH 035/375] Exported file: Anomalous User Agent connection attempt.json.json
---
...omalous User Agent connection attempt.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
new file mode 100644
index 00000000..1eb976f3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous User Agent connection attempt.json
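Review bot: `C-DANG-PRIMGROUPID` is also in `Alsid Active Directory attacks pathways`, and `C-PASSWORD-DONT-EXPIRE` and `C-USER-PASSWORD` in `Alsid Password issues`, so those exposures open duplicate incidents when the rules are enabled together. The seven codenames here are a hand-picked subset of `MessageType == 0`, while `Alsid Indicators of Exposures` matches all of it; if both are enabled the catch-all makes this rule redundant, so the intended deployment mode (categories or catch-all, not both) should be stated in `description`. Like the sibling rules it has no `entityMappings` and a static Low severity despite computing `Level`.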
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2397090-face-41f6-ae70-89fc66312292')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2397090-face-41f6-ae70-89fc66312292')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet short_uaLength = 5;\nlet long_uaLength = 1000;\nlet c_threshold = 100;\nW3CIISLog \n// Exclude local IPs as these create noise\n| where cIP !startswith \"192.168.\" and cIP != \"::1\"\n| where isnotempty(csUserAgent) and csUserAgent !in~ (\"-\", \"MSRPC\") and (string_size(csUserAgent) <= short_uaLength or string_size(csUserAgent) >= long_uaLength)\n| extend csUserAgent_size = string_size(csUserAgent)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ConnectionCount = count() by Computer, sSiteName, sPort, csUserAgent, csUserAgent_size, csUserName , csMethod, csUriStem, sIP, cIP, scStatus, scSubStatus, scWin32Status\n| where ConnectionCount < c_threshold\n| extend timestamp = StartTimeUtc, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Anomalous User Agent connection attempt",
+ "enabled": false,
+ "description": "Identifies connection attempts (success or fail) from clients with very short or very long User Agent strings and with less than 100 connection attempts.",
+ "alertRuleTemplateName": "f845881e-2500-44dc-8ed7-b372af3e1e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8641608c04e2285c23db07d0ea9dfed043ec78f5 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:15:30 +0000
Subject: [PATCH 036/375] Exported file: Anomalous login followed by Teams action.json.json
---
...malous login followed by Teams action.json | 69 +++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
diff --git a/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
new file mode 100644
index 00000000..e49e899e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Anomalous login followed by Teams action.json
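Review bot: The "Exclude local IPs" filter only drops `192.168.` and `::1`, so clients in 10.0.0.0/8, 172.16.0.0/12 and 127.0.0.0/8 are still treated as external even though the comment says the intent is to remove local noise; if the intent really is every private source, `| where coalesce(ipv4_is_private(cIP), false) == false and cIP !startswith \"127.\" and cIP != \"::1\"` does it, and the `coalesce` matters because `ipv4_is_private` returns null for IPv6 strings, which a bare `not()` would silently drop. Be aware that `ConnectionCount < c_threshold` intentionally discards any client with 100 or more hits in the day, so a noisy scanner with a one-character User-Agent is excluded — consistent with the `description`, but worth stating there as a known blind spot. The legacy `*CustomEntity` aliases in the query are fine since the explicit `entityMappings` reference them.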
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aa392189-9ff4-40f3-af07-3c2e454d5b22')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aa392189-9ff4-40f3-af07-3c2e454d5b22')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//The bigger the window the better the data sample size, as we use IP prevalence, more sample data is better.\n//The minimum number of countries that the account has been accessed from [default: 2]\nlet minimumCountries = 2;\n//The delta (%) between the largest in-use IP and the smallest [default: 90]\nlet deltaThreshold = 95;\n//The maximum (%) threshold that the country appears in login data [default: 10]\nlet countryPrevalenceThreshold = 10;\n//The time to project forward after the last login activity [default: 60min]\nlet projectedEndTime = 60min; \n//Get Teams successful signins globally\nlet aadFunc = (tableName:string){\nlet signinData =\n table(tableName)\n | where AppDisplayName has \"Teams\"\n | where ConditionalAccessStatus =~ \"success\"\n | extend country = tostring(todynamic(LocationDetails)['countryOrRegion'])\n | where isnotempty(country) and isnotempty(IPAddress);\n// Collect successful signins to teams\nlet loginEvents = \n signinData\n | summarize count(), country=any(country), make_list(TimeGenerated) by IPAddress, UserPrincipalName;\n//Calcualte delta between logins\nlet loginDelta =\n loginEvents\n | summarize 
max(count_), min(count_) by UserPrincipalName\n | extend delta = toreal(max_count_ - min_count_) / max_count_ * 100\n | where delta >= deltaThreshold;\n//Count number of countries used to sign in\nlet countryCount =\n loginEvents\n | summarize Countries = dcount(country) by UserPrincipalName;\n//Join delta and sign in counts to successful logins\nloginDelta\n| join kind=rightouter (\n loginEvents\n) on UserPrincipalName\n| join kind=rightouter (\n countryCount\n) on UserPrincipalName\n//Check where the record meets the minimum required countries\n| where Countries >= minimumCountries\n| join kind=leftouter (\n signinData\n | summarize count() by country\n | join (\n //Now get the total number of logins from any country and join it to the previous count in a single table\n signinData\n | summarize count() by country\n | summarize sum(count_), make_list(country)\n | mv-expand list_country\n | extend country = tostring(list_country)\n ) on country\n | summarize by country, count_, sum_count_\n //Now calculate each countries prevalence within login events\n | extend prevalence = toreal(count_) / toreal(sum_count_) * 100\n | project-away sum_count_\n | order by prevalence\n) on country\n//The % that suspicious country is prevalent in data, this can be configured, less than 10% is uncommon\n| where prevalence < countryPrevalenceThreshold\n| where min_count_ == count_\n//Login start and end times from the JSON object, this is the activity window the suspicious IP was active within\n| extend EventTimes = list_TimeGenerated\n| extend SuspiciousIP = IPAddress\n| project UserPrincipalName, SuspiciousIP, UserIPDelta = delta, SuspiciousLoginCountry = country, SuspiciousCountryPrevalence = prevalence, EventTimes\n//Teams join to collect operations the user account has performed within the given time range\n| join kind=inner( \n OfficeActivity\n | where Operation in~ (\"TeamsAdminAction\", \"MemberAdded\", \"MemberRemoved\", \"MemberRoleChanged\", \"AppInstalled\", 
\"BotAddedToTeam\")\n | project Operation, UserId=tolower(UserId), OperationTime=TimeGenerated\n) on $left.UserPrincipalName == $right.UserId\n| mv-expand StartTime = EventTimes\n| extend StartTime = make_datetime(StartTime)\n//The end time is projected 60 minutes forward, in case actions took place within the last hour of the final login for the suspicious IP\n| extend ProjectedEndTime = make_datetime(StartTime + projectedEndTime)\n//Limit to operations carried out by the user account in the timeframe the IP was active\n| where OperationTime between (StartTime .. ProjectedEndTime)\n| project UserPrincipalName, SuspiciousIP, StartTime, ProjectedEndTime, OperationTime, Operation, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n//Filter on suspicious actions\n| extend activitySummary = pack(tostring(StartTime), pack(\"Operation\",tostring(Operation), \"OperationTime\", OperationTime))\n| summarize make_bag(activitySummary) by UserPrincipalName, SuspiciousIP, SuspiciousLoginCountry, SuspiciousCountryPrevalence\n| extend IPCustomEntity = SuspiciousIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + 
"displayName": "Anomalous login followed by Teams action", + "enabled": false, + "description": "Detects anomalous IP address usage by user accounts and then checks to see if a suspicious Teams action is performed.\nQuery calculates IP usage Delta for each user account and selects accounts where a delta >= 90% is observed between the most and least used IP.\nTo further reduce results the query performs a prevalence check on the lowest used IP's country, only keeping IP's where the country is unusual for the tenant (dynamic ranges)\nFinally the user accounts activity within Teams logs is checked for suspicious commands (modifying user privileges or admin actions) during the period the suspicious IP was active.", + "alertRuleTemplateName": "2b701288-b428-4fb8-805e-e4372c574786" + } + } + ] +} \ No newline at end of file From 5c1e66e5451be818bca962e7bb193b3ad6946737 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:31 +0000 Subject: [PATCH 037/375] Exported file: Anomalous sign-in location by user account and authenticating application.json.json --- ...ccount and authenticating application.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json diff --git a/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json new file mode 100644 index 00000000..53c03dd6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Anomalous sign-in location by user account and authenticating application.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/78389019-b3c8-476c-9867-dee37f00f6ea')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/78389019-b3c8-476c-9867-dee37f00f6ea')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet lookBack_long = 7d;\nlet lookBack_med = 3d;\nlet lookBack = 1d;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack_long))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n// Create time series \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_long)),now(), 1d) \nby UserPrincipalName, AppDisplayName \n// Compute best fit line for each entry \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) \n// Chart the 3 most interesting lines \n// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application\n| where Slope > 0.3\n| top 50 by Slope desc\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated 
>= startofday(ago(lookBack_med))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack_med)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 0.3\n| top 50 by Slope desc\n) on UserPrincipalName, AppDisplayName\n| join kind = leftsemi (\ntable(tableName)\n| where TimeGenerated >= startofday(ago(lookBack))\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend locationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city), \";\") \n| project TimeGenerated, AppDisplayName , UserPrincipalName, locationString \n| make-series dLocationCount = dcount(locationString) on TimeGenerated in range(startofday(ago(lookBack)) ,now(), 1d) \nby UserPrincipalName, AppDisplayName \n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount)\n| where Slope > 5\n| top 50 by Slope desc\n// Higher threshold requirement on last day anomaly\n) on UserPrincipalName, AppDisplayName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + 
"enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Anomalous sign-in location by user account and authenticating application", + "enabled": false, + "description": "This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active \nDirectory application and picks out the most anomalous change in location profile for a user within an \nindividual application. An alert is generated for recent sign-ins that have location counts that are anomalous\nover last day but also over the last 3-day and 7-day periods.\nPlease note that on workspaces with larger volume of Signin data (~10M+ events a day) may timeout when using this default query time period.\nIt is recommended that you test and tune this appropriately for the workspace.", + "alertRuleTemplateName": "7cb8f77d-c52f-4e46-b82f-3cf2e106224a" + } + } + ] +} \ No newline at end of file From d92eca91484dddfa4e56a302adcb22163d4286dd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:32 +0000 Subject: [PATCH 038/375] Exported file: AppServices AV Scan Failure.json.json --- .../AppServices AV Scan Failure.json | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json new file mode 100644 index 00000000..9b8ca0c1 --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/AppServices AV Scan Failure.json @@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a14a7a3-8278-47a8-b17a-2f9f1571362c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Informational", + "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where ScanStatus == \"Failed\"\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "AppServices AV Scan Failure", + "enabled": false, + "description": "Identifies if an AV scan fails in Azure App Services.", + "alertRuleTemplateName": "c2da1106-bfe4-4a63-bf14-5ab73130ccd5" + } + } + ] +} \ No newline at end of file From ccc713e4da43c1854e19c0ed1f48c50a88470a10 Mon Sep 17 00:00:00 2001 
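Review bot: `let timeframe = ago(1d);` in the query is never referenced, so the rule relies solely on `queryPeriod` for its lookback; the dead `let` should either be removed or applied as `| where TimeGenerated >= timeframe` so the intent is explicit. The Host entity is fed `_ResourceId`, an Azure resource ID path rather than a hostname, so the `Host`/`FullName` mapping is unlikely to resolve to a host entity; `{"entityType": "AzureResource", "fieldMappings": [{"identifier": "ResourceId", "columnName": "HostCustomEntity"}]}` matches what the column actually holds. Both points apply identically to the "AppServices AV Scan with Infected Files" hunk that follows.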
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:32 +0000 Subject: [PATCH 039/375] Exported file: AppServices AV Scan with Infected Files.json.json --- ...pServices AV Scan with Infected Files.json | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json diff --git a/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json new file mode 100644 index 00000000..798f4b14 --- /dev/null +++ b/SentinelExported-AnalyticsRule/AppServices AV Scan with Infected Files.json 
@@ -0,0 +1,57 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/09171b34-9e5d-4554-8675-f564c77f739d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/09171b34-9e5d-4554-8675-f564c77f739d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Informational", + "query": "\nlet timeframe = ago(1d);\nAppServiceAntivirusScanAuditLogs\n| where NumberOfInfectedFiles > 0\n| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "AppServices AV Scan with Infected Files", + "enabled": false, + "description": "Identifies if an AV scan finds infected files in Azure App Services.", + "alertRuleTemplateName": "9d0295ee-cb75-4f2c-9952-e5acfbb67036" + } + } + ] +} \ No newline at end of file From 906ac38c896a43b6154eb836202e76e26087682c Mon Sep 17 00:00:00 2001 
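Review bot: `"triggerThreshold": 1` combined with `"triggerOperator": "GreaterThan"` means a run that finds exactly one scan with `NumberOfInfectedFiles > 0` produces no alert, since the rule fires only on more than one result row. A single infected-file finding is already actionable, so `"triggerThreshold": 0` is the safer setting unless the higher bar is deliberate, in which case a sentence in `description` should say why. The preceding "AppServices AV Scan Failure" rule carries the same threshold, where tolerating a lone failed scan is a more defensible noise trade-off.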
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:33 +0000 Subject: [PATCH 040/375] Exported file: Attempt to bypass conditional access rule in Azure AD.json.json --- ...s conditional access rule in Azure AD.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json diff --git a/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json new file mode 100644 index 00000000..a5d22d05 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Attempt to bypass conditional access rule in Azure AD.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2888ae98-ce2c-44e9-a841-001e775b0b7a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2888ae98-ce2c-44e9-a841-001e775b0b7a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ConditionalAccessStatus == 1 or ConditionalAccessStatus =~ \"failure\"\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) \n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend ConditionalAccessPolicies = todynamic(ConditionalAccessPolicies)\n| extend ConditionalAccessPol0Name = tostring(ConditionalAccessPolicies[0].displayName)\n| extend ConditionalAccessPol1Name = tostring(ConditionalAccessPolicies[1].displayName)\n| extend ConditionalAccessPol2Name = tostring(ConditionalAccessPolicies[2].displayName)\n| extend Status = strcat(StatusCode, \": \", ResultDescription) \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Status = make_list(Status), StatusDetails = make_list(StatusDetails), 
IPAddresses = make_list(IPAddress), IPAddressCount = dcount(IPAddress), CorrelationIds = make_list(CorrelationId) \nby UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, Type\n| where IPAddressCount > threshold and StatusDetails !has \"MFA successfully completed\"\n| mvexpand IPAddresses, Status, StatusDetails, CorrelationIds\n| extend Status = strcat(Status, \" \", StatusDetails)\n| summarize IPAddresses = make_set(IPAddresses), Status = make_set(Status), CorrelationIds = make_set(CorrelationIds) \nby StartTime, EndTime, UserPrincipalName, AppDisplayName, tostring(Browser), tostring(OS), City, State, Region, ConditionalAccessPol0Name, ConditionalAccessPol1Name, ConditionalAccessPol2Name, IPAddressCount, Type\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = tostring(IPAddresses)\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Attempt to bypass conditional access rule in Azure AD", + "enabled": false, + "description": "Identifies an attempt to Bypass conditional access rule(s) 
in Azure Active Directory.\nThe ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access\nor if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).\nReferences: \nhttps://docs.microsoft.com/azure/active-directory/conditional-access/overview\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins\nhttps://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\nConditionalAccessStatus == 0 // Success\nConditionalAccessStatus == 1 // Failure\nConditionalAccessStatus == 2 // Not Applied\nConditionalAccessStatus == 3 // unknown", + "alertRuleTemplateName": "3af9285d-bb98-4a35-ad29-5ea39ba0c628" + } + } + ] +} \ No newline at end of file From 3b46518447fa6294113802e091063eb7b502d3f9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:34 +0000 Subject: [PATCH 041/375] Exported file: Attempts to sign in to disabled accounts.json.json --- ...empts to sign in to disabled accounts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json diff --git a/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json new file mode 100644 index 00000000..38093f5f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Attempts to sign in to disabled accounts.json 
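Review bot: `IPCustomEntity = tostring(IPAddresses)` in the last `extend` converts the `make_set()` result into its JSON array text, and that string is then mapped to the `IP`/`Address` entity, which expects a single address, so the IP entity on every incident will be malformed whenever more than one address was seen. Inserting `| mv-expand IPAddresses` before the final `extend` (or mapping `tostring(IPAddresses[0])` if one representative address is enough) yields a valid address per row. The `ConditionalAccessStatus == 1` term also looks suspect: the column is a string holding values such as the `"failure"` the same predicate already checks, so the numeric comparison appears to target an older encoding; if both encodings can still occur a comment saying so would help, otherwise the term can be dropped.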
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b0a0ec4e-ca45-42df-aaca-8487d921115d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b0a0ec4e-ca45-42df-aaca-8487d921115d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. 
The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName), \napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Attempts to sign in to disabled accounts", + "enabled": false, + "description": "Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "alertRuleTemplateName": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04" + } + } + ] +} \ No newline at end of file From cd9c79bfcdaa989e6ea5104ff7a9dee7f072b0d0 Mon Sep 17 00:00:00 2001 
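Review bot: The `where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."` filter is a full-string equality on a human-readable message for rows that `ResultType == "50057"` has already selected; if the wording of that message ever changes, every row is dropped and the rule goes silent without any error. Removing that line and keeping the error code, or at most weakening it to `| where ResultDescription has "disabled"`, keeps the detection anchored on the stable key. The `count()` in the summarize produces a `count_` column that nothing downstream reads and can be removed.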
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:35 +0000 Subject: [PATCH 042/375] Exported file: Audit policy manipulation using auditpol utility.json.json --- ...y manipulation using auditpol utility.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json diff --git a/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json new file mode 100644 index 00000000..9a038cca --- /dev/null +++ b/SentinelExported-AnalyticsRule/Audit policy manipulation using auditpol utility.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edb16bf3-eeca-4545-901f-6b4d79a41be9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edb16bf3-eeca-4545-901f-6b4d79a41be9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\nlet AccountAllowList = dynamic(['SYSTEM']);\nlet SubCategoryList = dynamic([\"Logoff\", \"Account Lockout\", \"User Account Management\", \"Authorization Policy Change\"]); // Add any Category in the list to be allowed or disallowed\nlet tokens = dynamic([\"clear\", \"remove\", \"success:disable\",\"failure:disable\"]); \n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n//| where Process =~ \"auditpol.exe\" \n| where CommandLine has_any (tokens)\n| where AccountType !~ \"Machine\" and Account !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine, SubCategory, Toggle\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n// | where InitiatingProcessFileName =~ \"auditpol.exe\" \n| where InitiatingProcessCommandLine has_any (tokens)\n| where AccountName !in~ (AccountAllowList)\n| parse InitiatingProcessCommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle !in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n// | where OriginalFileName =~ \"auditpol.exe\"\n| where CommandLine has_any (tokens)\n| where User !in~ (AccountAllowList)\n| parse CommandLine with * \"/subcategory:\" subcategorytoken\n| extend SubCategory = tostring(split(subcategorytoken, \"\\\"\")[1]) , Toggle = tostring(split(subcategorytoken, \"\\\"\")[2])\n| where SubCategory in~ (SubCategoryList) //use in~ for inclusion or !in~ for exclusion\n| where Toggle 
!in~ (\"/failure:disable\", \" /success:enable /failure:disable\") // use this filter if required to exclude certain toggles\n| project TimeGenerated, Computer, User, Process, ParentImage, CommandLine, SubCategory, Toggle\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Audit policy manipulation using auditpol utility", + "enabled": false, + "description": "This detects attempt to manipulate audit policies using auditpol command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\nThe process name in each data source is commented out as an adversary could rename it. 
It is advisable to keep process name commented but \nif the results show unrelated false positives, users may want to uncomment it.\nRefer to auditpol syntax: https://docs.microsoft.com/windows-server/administration/windows-commands/auditpol \nRefer to our M365 blog for details on use during the Solorigate attack:\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "alertRuleTemplateName": "66276b14-32c5-4226-88e3-080dacc31ce1" + } + } + ] +} \ No newline at end of file From ec3c352e2475d7f6e65b18b1ccd14a45575194f9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:35 +0000 Subject: [PATCH 043/375] Exported file: Authentication Methods Changed for Privileged Account.json.json --- ...ethods Changed for Privileged Account.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json diff --git a/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json new file mode 100644 index 00000000..2a146d8f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Authentication Methods Changed for Privileged Account.json 
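Review bot: The `clear` and `remove` tokens in the query cannot produce an alert on their own, because `parse CommandLine with * \"/subcategory:\" subcategorytoken` leaves the parsed value empty for command lines that carry no `/subcategory:` argument, and the following `| where SubCategory in~ (SubCategoryList)` then drops those rows; the same filter sequence is repeated in the DeviceProcessEvents and Event branches. Keeping those rows requires relaxing the filter in all three branches, e.g. `| where SubCategory in~ (SubCategoryList) or isempty(subcategorytoken)`. `techniques` is also exported as `null` while `tactics` names `Execution`; filling in the ATT&CK technique this rule actually covers (T1562.002, Impair Defenses: Disable Windows Event Logging) keeps the exported rule aligned with the mapping analysts see in the portal.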
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6d3d9221-367e-4954-836b-a53bfb08d042')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6d3d9221-367e-4954-836b-a53bfb08d042')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let queryperiod = 14d;\nlet queryfrequency = 2h;\nlet VIPUsers = (\n IdentityInfo\n | where TimeGenerated > ago(queryperiod)\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | mv-expand AssignedRoles\n | where AssignedRoles matches regex 'Admin'\n | summarize by tolower(AccountUPN));\nAuditLogs\n| where TimeGenerated > ago(queryfrequency)\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName =~ \"User registered security info\"\n| where LoggedByService =~ \"Authentication Methods\"\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(InitiatedBy.user.ipAddress)\n| where AccountCustomEntity in (VIPUsers)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + 
"columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Authentication Methods Changed for Privileged Account", + "enabled": false, + "description": "Identifies authentication methods being changed for a privileged account. This could be an indicated of an attacker adding an auth method to the account so they can have continued access.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "alertRuleTemplateName": "694c91ee-d606-4ba9-928e-405a2dd0ff0f" + } + } + ] +} \ No newline at end of file From 0a977c433929f706d2c87881988bf0e91599051a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:36 +0000 Subject: [PATCH 044/375] Exported file: Azure AD Health Monitoring Agent Registry Keys Access.json.json --- ...Monitoring Agent Registry Keys Access.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json new file mode 100644 index 00000000..dbd3607b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Health Monitoring Agent Registry Keys Access.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbe16dbb-c5b1-4796-a640-23be2e6e1e6f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// ADHealth Monitoring Agent Registry Key\nlet aadHealthMonAgentRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", 
\"\"),\n ProcessName = column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName == aadHealthMonAgentRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n| summarize count() by ProcessName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Azure AD Health Monitoring Agent Registry Keys Access", + "enabled": false, + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\nYou can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml\n", + "alertRuleTemplateName": "f819c592-c5f9-4d5c-a79f-1e6819863533" + } + } + ] +} \ No newline at end of file From d71e4dfc165cf21b59e4522b8de3c7e0d2d7a282 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:37 +0000 Subject: [PATCH 045/375] Exported file: Azure AD Health Service Agents Registry Keys Access.json.json --- ...h Service Agents Registry Keys Access.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json new file mode 100644 index 00000000..2e4c50df --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Health Service Agents Registry Keys Access.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9f7a0194-705a-45f9-a54d-a1a1d29354e0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// ADHealthAgent Registry Key\nlet aadConnectHealthRegKey = \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent\";\n// Filter out known processes\nlet aadConnectHealthProcs = dynamic ([\n 'Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe',\n 'Microsoft.Identity.Health.Adfs.InsightsService.exe',\n 'Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe',\n 'Microsoft.Identity.Health.Adfs.PshSurrogate.exe',\n 'Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe'\n]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where EventID == '4656'\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID)\n| extend SubjectUserName = column_ifexists(\"SubjectUserName\", \"\"),\n SubjectDomainName = column_ifexists(\"SubjectDomainName\", \"\"),\n ObjectName = column_ifexists(\"ObjectName\", \"\"),\n ObjectType = column_ifexists(\"ObjectType\", \"\"),\n ProcessName = 
column_ifexists(\"ProcessName\", \"\")\n| extend Process = split(ProcessName, '\\\\', -1)[-1],\n Account = strcat(SubjectDomainName, \"\\\\\", SubjectUserName)\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n),\n(\nSecurityEvent\n| where EventID == '4663'\n| extend Process = split(ProcessName, '\\\\', -1)[-1]\n| where ObjectType == 'Key'\n| where ObjectName startswith aadConnectHealthRegKey\n| where Process !in (aadConnectHealthProcs)\n)\n)\n// You can filter out potential machine accounts\n//| where AccountType != 'Machine'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Azure AD Health Service Agents Registry Keys Access", + "enabled": false, + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml\n", + "alertRuleTemplateName": "06bbf969-fcbe-43fa-bac2-b2fa131d113a" + } + } + ] +} \ No newline at end of file From a8cc06d4a61e78f3788846cf655c553f833c59a8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:38 +0000 Subject: [PATCH 046/375] Exported file: Azure AD Role Management Permission Grant.json.json --- ...e AD Role Management Permission Grant.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json diff --git a/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json new file mode 100644 index 00000000..0754cfd5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure AD Role Management Permission Grant.json 
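Review bot: The process allowlist in the query compares only the image file name (`split(ProcessName, '\\\\', -1)[-1]`) using `!in`, which is case-sensitive and path-insensitive: a legitimate agent logged with different casing will alert, while the exclusion applies to any image of that name regardless of directory. Matching on the full `ProcessName` path of the installed agents, or at minimum switching to `!in~`, makes the exclusion predictable; the Monitoring Agent rule in the previous commit uses the same pattern and should be adjusted together with this one. `techniques` is also left `null` while `tactics` lists `Collection`.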
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e3406d-b57c-411b-8604-4b77ff01e36f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e3406d-b57c-411b-8604-4b77ff01e36f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where AADOperationType =~ \"Assign\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ has_any (\"AppRole.Value\",\"DelegatedPermissionGrant.Scope\")\n| extend Permission = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where Permission has \"RoleManagement.ReadWrite.Directory\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(parse_json(tostring(TargetResources.modifiedProperties[4].newValue)))\n| extend TargetId = iif(displayName_ =~ 'DelegatedPermissionGrant.Scope',\n tostring(parse_json(tostring(TargetResources.modifiedProperties[2].newValue))),\n 
tostring(parse_json(tostring(TargetResources.modifiedProperties[3].newValue))))\n| summarize by bin(TimeGenerated, 1h), OperationName, Initiator, Target, TargetId, Result\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "PrivilegeEscalation", + "Persistence" + ], + "techniques": null, + "displayName": "Azure AD Role Management Permission Grant", + "enabled": false, + "description": "Identifies when the Microsoft Graph RoleManagement.ReadWrite.Directory (Delegated or Application) permission is granted to a service principal.\nThis permission allows an application to read and manage the role-based access control (RBAC) settings for your company's directory.\nAn adversary could use this permission to add an Azure AD object to an Admin directory role and escalate privileges.\nRef : https://docs.microsoft.com/graph/permissions-reference#role-management-permissions\nRef : https://docs.microsoft.com/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http", + "alertRuleTemplateName": "1ff56009-db01-4615-8211-d4fda21da02d" + } + } + ] +} \ No newline at end of file From 9c494d7dcb4f43da25accd085e9a7665b69d5e2c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:38 +0000 Subject: [PATCH 047/375] Exported file: Azure Active Directory Hybrid Health AD FS New Server.json.json --- ...ectory Hybrid Health AD FS New Server.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json 
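Review bot: The query relies on fixed positions inside `TargetResources.modifiedProperties` (`[4]` for Target, `[2]`/`[3]` for TargetId), so a reordered audit-log payload silently yields wrong or empty Target/TargetId values rather than an error; selecting the property by its `displayName`, as the query already does for `displayName_`, is more robust. The rule also defines no `entityMappings` and the closing `summarize` keeps `Initiator` and `Target` only as plain columns, so the High-severity incident it raises carries no Account entity; mapping `Initiator` to an Account `FullName` (and `Target` to the principal receiving the grant) would support triage. `techniques` is `null` while `tactics` lists PrivilegeEscalation and Persistence.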
diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json new file mode 100644 index 00000000..29761afb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS New Server.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d197e7a-078d-4401-9359-9c84a2335885')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d197e7a-078d-4401-9359-9c84a2335885')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS New Server", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure. More information in this blog: https://o365blog.com/post/hybridhealthagent/", + "alertRuleTemplateName": "88f453ff-7b9e-45bb-8c12-4058ca5e44ee" + } + } + ] +} \ No newline at end of file From 6f3eddb0b11cbcdb1ebc0b67187796aa68f0544f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:39 +0000 Subject: [PATCH 048/375] Exported file: Azure Active Directory Hybrid Health AD FS Service Delete.json.json --- ...ry Hybrid Health AD FS Service Delete.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json new file mode 100644 index 00000000..7426686e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Service Delete.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84af311a-0ca0-4e6e-9626-65cbcd255ceb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } 
+ ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS Service Delete", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/", + "alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771" + } + } + ] +} \ No newline at end of file From ae54cd859457d7f1bce2f1f755b46d657f86205e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:40 +0000 Subject: [PATCH 049/375] Exported file: Azure Active Directory Hybrid Health AD FS Suspicious Application.json.json --- ...d Health AD FS Suspicious Application.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json new file mode 100644 index 00000000..1fad03c8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory Hybrid Health AD FS Suspicious Application.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa3714b9-e6fa-4839-92cf-c7a3329e0edb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Azure AD Connect Health Agent - cf6d7e68-f018-4e0a-a7b3-126e053fb88d\n// Azure Active Directory Connect - cb1056e2-e479-49de-ae31-7812af012ed8\nlet appList = dynamic(['cf6d7e68-f018-4e0a-a7b3-126e053fb88d','cb1056e2-e479-49de-ae31-7812af012ed8']);\nlet operationNamesList = dynamic(['Microsoft.ADHybridHealthService/services/servicemembers/action','Microsoft.ADHybridHealthService/services/delete']);\nAzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue in~ (operationNamesList)\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| where AppId !in (appList)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure Active Directory Hybrid Health AD FS Suspicious Application", + "enabled": false, + "description": "This detection uses AzureActivity logs (Administrative category) to a suspicious application adding a server instance to an Azure AD Hybrid health AD FS service or deleting the AD FS service instance.\nUsually the Azure AD Connect Health Agent application with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d is used to perform those operations.", + "alertRuleTemplateName": "d9938c3b-16f9-444d-bc22-ea9a9110e0fd" + } + } + ] +} \ No newline at end of file From ef28886b27c69ba2df203b898596bb2e2f4699ff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:40 +0000 Subject: [PATCH 050/375] Exported file: Azure Active Directory PowerShell accessing non-AAD resources.json.json --- ...owerShell accessing non-AAD resources.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json diff --git a/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json new file mode 100644 index 00000000..482dc022 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Active Directory PowerShell accessing non-AAD resources.json 
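Review bot: The application filter `| where AppId !in (appList)` is case-sensitive while the operation filter a few lines above uses `in~`; if the `appid` claim is ever emitted with upper-case hex, the two Microsoft application IDs stop being excluded and the rule alerts on its own allowlist. `| where AppId !in~ (appList)` keeps the comparison consistent with the rest of the query. Rows with no `appid` claim (empty `AppId`) also pass the `!in` test, which is presumably intended since the description covers deletion as well, but a comment on that line stating that empty `AppId` is deliberately kept would save the next reviewer the question.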
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece1918c-59f2-43ec-841a-7ef0e99c3b7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppId =~ \"1b730954-1685-4b74-9bfd-dac224a7b894\" // AppDisplayName IS Azure Active Directory PowerShell\n| where TokenIssuerType =~ \"AzureAD\"\n| where ResourceIdentity !in (\"00000002-0000-0000-c000-000000000000\", \"00000003-0000-0000-c000-000000000000\") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph\n| extend Status = todynamic(Status)\n| where Status.errorCode == 0 // Success\n| project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type\n| order by TimeGenerated desc\n// New entity mapping\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure Active Directory PowerShell accessing non-AAD resources", + "enabled": false, + "description": "This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.\nFor capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.\nFor further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.", + "alertRuleTemplateName": "50574fac-f8d1-4395-81c7-78a463ff0c52" + } + } + ] +} \ No newline at end of file From 64a216b6bb8e3a40a8612cf4344c729096153f5f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:41 +0000 Subject: [PATCH 051/375] Exported file: Azure DevOps Administrator Group Monitoring.json.json --- ...DevOps Administrator Group Monitoring.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json new file mode 100644 index 00000000..381cb64c --- /dev/null 
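Review bot: The description says the rule fires when "a user or application" signs in via Azure Active Directory PowerShell, but the query only unions `SigninLogs` and `AADNonInteractiveUserSignInLogs`; service-principal sign-ins are recorded in `AADServicePrincipalSignInLogs`, so application sign-ins appear not to be covered as written and either the union should be widened or the description narrowed. `ResourceIdentity !in (...)` is also case-sensitive where `AppId =~` and `TokenIssuerType =~` on the neighbouring lines are not; `!in~` would make the exclusion robust to GUID casing. The `| order by TimeGenerated desc` step adds sorting cost on every scheduled run without changing what is alerted on and can be dropped.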
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Administrator Group Monitoring.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05c4ea76-9c7f-4865-824b-178cbb899a82')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05c4ea76-9c7f-4865-824b-178cbb899a82')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT4H", + "queryPeriod": "PT4H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n// Change to true to monitor for Project Administrator adds to *any* project\nlet MonitorAllProjects = false;\n// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects\nlet ProjectsToMonitor = dynamic(['','']);\nAzureDevOpsAuditing\n| where Area == \"Group\" and OperationName == \"Group.UpdateGroupMembership.Add\"\n| where Details has 'Administrators'\n| where Details has \"was added as a member of group\" and (Details endswith '\\\\Project Administrators' or Details endswith '\\\\Project Collection Administrators')\n| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\\\' GroupName\n| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId\n| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)\n| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'\n| project TimeGenerated, Severity, 
Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism, \n ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details\n| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps Administrator Group Monitoring", + "enabled": false, + "description": "This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.", + "alertRuleTemplateName": "89e6adbd-612c-4fbe-bc3d-32f81baf3b6c" + } + } + ] +} \ No newline at end of file From 2a79d1ac5826425a1cde3be727f890faba025b38 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:42 +0000 Subject: [PATCH 052/375] Exported file: Azure DevOps Agent Pool Created Then Deleted.json.json --- ...evOps Agent Pool Created Then Deleted.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json 
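Review bot: The query computes a per-row `Severity` (`High` for organization-level adds) and an `AlertDetails` string, but the template's `severity` is fixed at `Medium` and there is no `alertDetailsOverride`, so every alert is raised as Medium and the computed columns are only visible in the query results. Adding `"alertDetailsOverride": { "alertSeverityColumnName": "Severity", "alertDescriptionFormat": "{{AlertDetails}}" }` to `properties` would make the dynamic severity effective. `ProjectsToMonitor` also ships as `dynamic(['',''])`, so with `MonitorAllProjects = false` only the `Level == 'Organization'` branch can fire until the list is edited; an empty `dynamic([])` expresses that intent more clearly than two empty strings.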
diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json new file mode 100644 index 00000000..7daf66d8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Agent Pool Created Then Deleted.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4490aac-93b0-4262-b08d-fb4bc4e74dd6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let lookback = 14d;\nlet timewindow = 7d;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolCreated\"\n| extend AgentCloudId = tostring(Data.AgentCloudId)\n| extend PoolType = iif(isnotempty(AgentCloudId), \"Azure VMs\", \"Self Hosted\")\n// Comment this line out to include cloud pools as well\n| where PoolType == \"Self Hosted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend IsHosted = tostring(Data.IsHosted)\n| extend IsLegacy = tostring(Data.IsLegacy)\n| extend timekey = bin(TimeGenerated, timewindow)\n// Join only with pools deleted in the same window\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback)\n| where OperationName =~ \"Library.AgentPoolDeleted\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend AgentPoolId = tostring(Data.AgentPoolId)\n| extend timekey = bin(TimeGenerated, timewindow)) on AgentPoolId, timekey\n| project-reorder TimeGenerated, ActorUPN, UserAgent, IpAddress, AuthenticationMechanism, OperationName, AgentPoolName, IsHosted, IsLegacy, Data\n| extend timestamp = 
TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Agent Pool Created Then Deleted", + "enabled": false, + "description": "As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.\nAzure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this \ndetection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), \nas an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.", + "alertRuleTemplateName": "acfdee3f-b794-404a-aeba-ef6a1fa08ad1" + } + } + ] +} \ No newline at end of file From 17ea12acc622cede094dabfa8bb490f59126abe8 Mon Sep 17 00:00:00 2001 
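Review bot: The join key `timekey = bin(TimeGenerated, timewindow)` pairs a create with a delete only when both fall in the same 7-day bin, so a pool created late in one bin and deleted early in the next is missed even though it lived for far less than the 7 days the description promises. Joining on `AgentPoolId` alone and then filtering on the time difference (keep `TimeGenerated` from both sides and require the right-hand `TimeGenerated1 - TimeGenerated` to be between `0s` and `timewindow`) expresses the stated intent without the bin-boundary gap. With `queryFrequency` P7D and `queryPeriod` P14D, a matched pair is also eligible to be reported on two consecutive runs unless suppression or grouping absorbs it; bounding the delete side to the last `timewindow` would prevent that.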
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:43 +0000 Subject: [PATCH 053/375] Exported file: Azure DevOps Audit Stream Disabled.json.json --- .../Azure DevOps Audit Stream Disabled.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json new file mode 100644 index 00000000..cb3e0d9b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Audit Stream Disabled.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc89aa08-aa6d-4e5b-ad5f-3efc8f7c4246')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"AuditLog.StreamDisabledByUser\"\n| extend StreamType = tostring(Data.ConsumerType)\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, StreamType\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Audit Stream Disabled", + "enabled": false, + "description": "Azure DevOps allow for audit logs to be 
streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams \nbefore conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action \nits unlikely to have a high false positive rate.", + "alertRuleTemplateName": "4e8238bd-ff4f-4126-a9f6-09b3b6801b3d" + } + } + ] +} \ No newline at end of file From 82d9b123fbf43873e66f5019a235cfd51f2b16ba Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:43 +0000 Subject: [PATCH 054/375] Exported file: Azure DevOps Build Variable Modified by New User_.json.json --- ... Build Variable Modified by New User_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json new file mode 100644 index 00000000..75675e69 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Build Variable Modified by New User_.json 
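Review bot: This rule depends on the very stream whose disabling it detects — once the stream is off, `AzureDevOpsAuditing` receives nothing, so the `AuditLog.StreamDisabledByUser` record is only seen if it was emitted and forwarded before the stream stopped, and the template should not assume that silently. Pairing it with an ingestion-absence check (no `AzureDevOpsAuditing` rows for an organization over the expected period) covers the case where the event itself never arrives; a one-line comment in the query, `// Relies on the disable event reaching the workspace; pair with an ingestion-gap rule`, would record the dependency. The description also reads `its unlikely` where `it's unlikely` is meant.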
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/10254512-df08-4fea-8619-c505e87d377b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/10254512-df08-4fea-8619-c505e87d377b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet historical_data =\nAzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend variables = Data.Variables\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| project UserKey;\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend UserKey = strcat(VariableGroupId, \"-\", ActorUserId)\n| where UserKey !in (historical_data)\n| project-away UserKey\n| project-reorder TimeGenerated, VariableGroupName, ActorUPN, IpAddress, UserAgent\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + 
"lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Build Variable Modified by New User.", + "enabled": false, + "description": "Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify \nor add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, \njust detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed \nmodifying them before.", + "alertRuleTemplateName": "3b9a44d7-c651-45ed-816c-eae583a6f2f1" + } + } + ] +} \ No newline at end of file From 86ce22f6d1e833bd8158aac114fc015dfe2f96fb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:44 +0000 Subject: [PATCH 055/375] Exported file: Azure DevOps New Extension Added.json.json --- .../Azure DevOps New Extension Added.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json new file mode 100644 index 00000000..3b224b1f --- /dev/null 
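Review bot: In the `historical_data` baseline, `| extend variables = Data.Variables` is dead — the column is never referenced and is discarded by the following `| project UserKey`, so the line can be removed. The baseline is keyed on `VariableGroupId`, so any variable group created inside the last `timeframe` alerts on its first modification by anyone, including its creator; if that is not intended, excluding groups whose creation falls in the window, or noting it in the description as expected noise, would help whoever triages the alert. The `lookback`/`timeframe` constants also need to stay in step with the template's `queryPeriod` P14D and `queryFrequency` P1D if either is tuned, which a comment on the `let` lines could state.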
+++ b/SentinelExported-AnalyticsRule/Azure DevOps New Extension Added.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5892dbb0-9d3b-485a-b4cf-147e30b22cbe')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let allowed_publishers = dynamic([]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Extension.Installed\"\n| extend ExtensionName = tostring(Data.ExtensionName)\n| extend PublisherName = tostring(Data.PublisherName)\n| where PublisherName !in (allowed_publishers)\n| project-reorder TimeGenerated, OperationName, ExtensionName, PublisherName, ActorUPN, IpAddress, UserAgent, ScopeDisplayName, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ 
+ "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps New Extension Added", + "enabled": false, + "description": "Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. \nThis query looks for new extensions that are not from a configurable list of approved publishers.", + "alertRuleTemplateName": "bf07ca9c-e408-443a-8939-6860a45a929e" + } + } + ] +} \ No newline at end of file From df03d05747bee8fac901d09ad70b8ce371ab8d8a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:45 +0000 Subject: [PATCH 056/375] Exported file: Azure DevOps PAT used with Browser_.json.json --- .../Azure DevOps PAT used with Browser_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json new file mode 100644 index 00000000..f3e7ef1b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps PAT used with Browser_.json 
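Review bot: `allowed_publishers` ships as `dynamic([])`, so `| where PublisherName !in (allowed_publishers)` excludes nothing and every `Extension.Installed` event alerts until the list is populated; the description calls the list configurable, but a comment on the `let` line, `// Populate with approved publisher names; an empty list alerts on every install`, would make the tuning step obvious to whoever deploys it. The comparison is also case-sensitive, so `!in~` avoids an approved publisher slipping past the allowlist because of casing differences in the audit record.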
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75e2a7e7-535e-47ca-9fea-d30a0f0f104d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\"\n// Look for useragents that include a redenring engine\n| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure DevOps PAT used with Browser.", + "enabled": false, + "description": "Personal Access Tokens 
(PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. \nThis can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. \nThis should not be normal activity and could be an indicator of an attacker using a stolen PAT.", + "alertRuleTemplateName": "5f0d80db-3415-4265-9d52-8466b7372e3a" + } + } + ] +} \ No newline at end of file From 3a2b348484775ba4a7c5d4b2a5fbf6b68d62a435 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:46 +0000 Subject: [PATCH 057/375] Exported file: Azure DevOps Personal Access Token (PAT) misuse.json.json --- ...ps Personal Access Token (PAT) misuse.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json new file mode 100644 index 00000000..e5f4bec3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Personal Access Token (PAT) misuse.json 
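Review bot: The rendering-engine token list in `UserAgent has_any (...)` will also match non-browser clients that embed those engine names in their user agent (Electron-based tooling, for example, typically reports `WebKit`-family tokens), so this rule is likely to need a `UserAgent` exclusion list before the Medium severity is warranted, and the description's "should not be normal activity" overstates that somewhat. The in-query comment has a typo, `redenring engine` should read `rendering engine`. The exported `displayName` also carries a trailing period (`Azure DevOps PAT used with Browser.`), as does the Build Variable Modified by New User rule, which the other rules in this series do not.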
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41f05d3b-cc19-40f4-942e-d6748668eb18')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41f05d3b-cc19-40f4-942e-d6748668eb18')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\n// Allowlisted UPNs should likely stay empty\nlet AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];\n// Operation Name parts that will alert\nlet HasAnyBlocklist = datatable(OperationNamePart:string)['Security.','Project.','AuditLog.','Extension.'];\n// Distinct Operation Names that will flag\nlet HasExactBlocklist = datatable(OperationName:string)['Group.UpdateGroupMembership.Add','Library.ServiceConnectionExecuted','Pipelines.PipelineModified',\n'Release.ReleasePipelineModified', 'Git.RefUpdatePoliciesBypassed'];\nAzureDevOpsAuditing\n| where AuthenticationMechanism startswith \"PAT\" and (OperationName has_any (HasAnyBlocklist) or OperationName in (HasExactBlocklist))\n and ActorUPN !in (AllowlistedUpns)\n| project TimeGenerated, AuthenticationMechanism, ProjectName, ActorUPN, ActorDisplayName, IpAddress, UserAgent, OperationName, Details, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Personal Access Token (PAT) misuse", + "enabled": false, + "description": "This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require an allow list and baselining.\nReference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page\nUse this query for baselining:\nAzureDevOpsAuditing\n| distinct OperationName", + "alertRuleTemplateName": "ac891683-53c3-4f86-86b4-c361708e2b2b" + } + } + ] +} \ No newline at end of file From 571ce2021ba1069beca61de2890d66d829e1bd06 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:46 +0000 Subject: [PATCH 058/375] Exported file: Azure DevOps Pipeline Created and Deleted on the Same Day.json.json --- ...e Created and Deleted on the Same Day.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json new file mode 100644 index 00000000..751b6ae4 --- /dev/null 
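Review bot: The query deploys with a populated example allowlist, `let AllowlistedUpns = datatable(UPN:string)['foo@bar.com', 'test@foo.com'];`, even though the comment above it says the list should stay empty; the same placeholder pattern is in the `AuthorizedBypassers` list of the hunk ending at L176. Placeholder addresses cannot match real actors, but an exemption list embedded in the query is invisible to whoever tunes the rule later and drifts out of the export each time it is re-exported. Either ship it empty, `let AllowlistedUpns = datatable(UPN:string)[];`, or source it from a watchlist (`_GetWatchlist('<watchlist-name>')`) so exemptions are managed as data rather than as rule code.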
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline Created and Deleted on the Same Day.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f53eb74-71dc-4775-a62c-ff48580a8bb2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P3D", + "queryPeriod": "P3D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 3d;\n// Get Release Pipeline Creation Events and group by day\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineCreated\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some columns to make output clearer\n| project-rename TimeCreated = TimeGenerated, CreatingUser = ActorUPN, CreatingUserAgent = UserAgent, CreatingIP = IpAddress\n// Join with Release Pipeline Deletions where Pipeline ID is the same and deletion occurred on same day as creation\n| join (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineDeleted\"\n// Group by day\n| extend timekey = bin(TimeGenerated, 1d)\n| extend PipelineId = tostring(Data.PipelineId)\n| extend PipelineName = tostring(Data.PipelineName)\n// Rename some things to make the output clearer\n| project-rename TimeDeleted = TimeGenerated, DeletingUser = ActorUPN, DeletingUserAgent = UserAgent, DeletingIP = IpAddress) on PipelineId, timekey\n| project 
TimeCreated, TimeDeleted, PipelineName, PipelineId, CreatingUser, CreatingIP, CreatingUserAgent, DeletingUser, DeletingIP, DeletingUserAgent, ScopeDisplayName, ProjectName, Data, OperationName, OperationName1\n| extend timestamp = TimeCreated, AccountCustomEntity = CreatingUser, IPCustomEntity = CreatingIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Azure DevOps Pipeline Created and Deleted on the Same Day", + "enabled": false, + "description": "An attacker with access to Azure DevOps could create a pipeline to inject artifacts used by other pipelines, \nor to create a malicious software build that looks legitimate by using a pipeline that incorporates legitimate elements. \nAn attacker would also likely want to cover their tracks once conducting such activity. This query looks for Pipelines \ncreated and deleted within the same day, this is unlikely to be legitimate user activity in the majority of cases.", + "alertRuleTemplateName": "17f23fbe-bb73-4324-8ecf-a18545a5dc26" + } + } + ] +} \ No newline at end of file From e02fa5acb660bea77da27076b010358e976616bc Mon Sep 17 00:00:00 2001 
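Review bot: "Same day" is implemented as `bin(TimeGenerated, 1d)` on both sides joined `on PipelineId, timekey`, so a pipeline created shortly before midnight UTC and deleted shortly after is not matched, which is exactly the quick create-and-cleanup the description targets. If the intent is a rolling window rather than a calendar day, join on the pipeline alone and filter the gap: change the join to `... DeletingIP = IpAddress) on PipelineId` and add `| where TimeDeleted between (TimeCreated .. TimeCreated + 1d)` before the final `project`. The `timekey` extends can then be dropped from both sides.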
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:47 +0000 Subject: [PATCH 059/375] Exported file: Azure DevOps Pipeline modified by a new user_.json.json --- ...vOps Pipeline modified by a new user_.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json new file mode 100644 index 00000000..9b968c7a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Pipeline modified by a new user_.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/288cca7e-3f39-42fc-ada2-eca124936ec2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/288cca7e-3f39-42fc-ada2-eca124936ec2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Set the lookback to determine if user has created pipelines before\nlet timeback = 14d;\n// Set the period for detections\nlet timeframe = 1d;\n// Get a list of previous Release Pipeline creators to exclude\nlet releaseusers = AzureDevOpsAuditing\n| where TimeGenerated > ago(timeback) and TimeGenerated < ago(timeframe)\n| where OperationName in (\"Release.ReleasePipelineCreated\", \"Release.ReleasePipelineModified\")\n// We want to look for users performing actions in specific projects so we create this userscope object to match on\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| summarize by UserScope;\n// Get Release Pipeline creations by new users\nAzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName =~ \"Release.ReleasePipelineModified\"\n| extend UserScope = strcat(ActorUserId, \"-\", ProjectName)\n| where UserScope !in (releaseusers)\n| extend ActorUPN = tolower(ActorUPN)\n| project-away Id, ActivityId, ActorCUID, ScopeId, ProjectId, TenantId, SourceSystem, UserScope\n// See if any of these users have Azure AD alerts associated with them in the same timeframe\n| join kind = leftouter 
(\nSecurityAlert\n| where TimeGenerated > ago(timeframe)\n| where ProviderName == \"IPC\"\n| extend AadUserId = tostring(parse_json(Entities)[0].AadUserId)\n| summarize Alerts=count() by AadUserId) on $left.ActorUserId == $right.AadUserId\n| extend Alerts = iif(isnotempty(Alerts), Alerts, 0)\n// Uncomment the line below to only show results where the user as AADIdP alerts\n//| where Alerts > 0\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Pipeline modified by a new user.", + "enabled": false, + "description": "There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. \nThis detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) \nin order to show if the user conducting the action has any associated AAD IdP alerts. 
You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.", + "alertRuleTemplateName": "155e9134-d5ad-4a6f-88f3-99c220040b66" + } + } + ] +} \ No newline at end of file From 56d29e31f4a4df289b514bf29b1b0ada69cad96e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:48 +0000 Subject: [PATCH 060/375] Exported file: Azure DevOps Pull Request Policy Bypassing - Historic allow list.json.json --- ...olicy Bypassing - Historic allow list.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json new file mode 100644 index 00000000..fa73bd4c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Pull Request Policy Bypassing - Historic allow list.json 
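Review bot: The Identity Protection join reads only the first entity of each alert, `parse_json(Entities)[0].AadUserId`, so an alert whose account entity is not first contributes nothing and `Alerts` silently stays 0 for that user. Assuming `Entities` is a JSON array of entity objects (as the existing `[0]` indexing implies), expand it before counting: `| mv-expand Entity = parse_json(Entities)` followed by `| extend AadUserId = tostring(Entity.AadUserId)`, keeping the existing `| summarize Alerts=count() by AadUserId`. Separately, this is the only rule in the series whose `displayName` ends with a period ("... by a new user."), which shows up as an inconsistency in the incident list.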
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7bf49942-c5ad-448a-bf6b-893f39186ea2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7bf49942-c5ad-448a-bf6b-893f39186ea2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT3H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 3h;\n// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users\nlet AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);\nlet historicBypassers = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| distinct ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == 'Git.RefUpdatePoliciesBypassed'\n| where ActorUPN !in (historicBypassers) and ActorUPN !in (AuthorizedBypassers)\n| parse ScopeDisplayName with OrganizationName '(Organization)'\n| project TimeGenerated, ActorUPN, IpAddress, UserAgent, OrganizationName, ProjectName, RepoName = Data.RepoName, AlertDetails = Details, Branch = Data.Name, \n BypassReason = Data.BypassReason, PRLink = strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_git/', Data.RepoName, '/pullrequest/', Data.PullRequestId)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Azure DevOps Pull Request Policy Bypassing - Historic allow list", + "enabled": false, + "description": "This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.", + "alertRuleTemplateName": "4d8de9e6-263e-4845-8618-cd23a4f58b70" + } + } + ] +} \ No newline at end of file 
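Review bot: `| parse ScopeDisplayName with OrganizationName '(Organization)'` lacks the leading space that the sibling Service Connection rules use (`' (Organization)'`), so if `ScopeDisplayName` has the form `Org (Organization)` the captured `OrganizationName` keeps a trailing space, which then lands inside `PRLink` as `https://dev.azure.com/Org /Project/...`. Use the same pattern as the other rules, `| parse ScopeDisplayName with OrganizationName ' (Organization)'`, or `trim(' ', OrganizationName)` before building the link. The placeholder `AuthorizedBypassers` list is the same issue raised on the hunk ending at L167.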
From ff0a5b7bbafa85aa7acd0e86e4c6a194e32f7ac0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:48 +0000 Subject: [PATCH 061/375] Exported file: Azure DevOps Retention Reduced.json.json --- .../Azure DevOps Retention Reduced.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json new file mode 100644 index 00000000..1567aab0 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Retention Reduced.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/769308db-305a-47ed-9837-bfb6bec71ea7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/769308db-305a-47ed-9837-bfb6bec71ea7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Pipelines.PipelineRetentionSettingChanged\"\n| where Data.SettingName in (\"PurgeArtifacts\", \"PurgeRuns\")\n| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2\n| project-reorder TimeGenerated, OperationName, ActorUPN, IpAddress, UserAgent, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Azure DevOps Retention 
Reduced", + "enabled": false, + "description": "AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs.\nThis query will look for where retention has been reduced to the minimum level - 1, or reduced by more than half.", + "alertRuleTemplateName": "71d374e0-1cf8-4e50-aecd-ab6c519795c2" + } + } + ] +} \ No newline at end of file From 0f4b17b1f3db668da503531f161d565fecd49eab Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:49 +0000 Subject: [PATCH 062/375] Exported file: Azure DevOps Service Connection Abuse.json.json --- ...Azure DevOps Service Connection Abuse.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json new file mode 100644 index 00000000..40ce7976 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Abuse.json 
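Review bot: `| where Data.NewValue == 1 or Data.NewValue < Data.OldValue/2` compares dynamic properties without coercion; if the audit payload carries these settings as strings (not shown here, so to be confirmed), the equality never holds and the division yields null, and the rule silently produces no results rather than failing. Coerce first: `| extend NewValue = toint(Data.NewValue), OldValue = toint(Data.OldValue)` then `| where NewValue == 1 or NewValue < OldValue/2`, which also makes the projected columns readable in the incident. This is the only rule in the series at `"severity": "Low"`; given the description frames it as anti-forensic behaviour, a short comment on why it is rated lower than the other DefenseEvasion rule would help the next tuner.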
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4413d174-435c-48a7-8a3c-437db7ff3939')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4413d174-435c-48a7-8a3c-437db7ff3939')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n// How many greater than Service Connections you want to view per build/release\nlet ServiceConnectionThreshold = 4;\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nAzureDevOpsAuditing\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName\n| where CurrentCount > ServiceConnectionThreshold\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iif(\n Type == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, 
'/_build?definitionId=', DefId),\n strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Persistence", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Service Connection Abuse", + "enabled": false, + "description": "Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.\nThis is to determine if someone is hijacking a build/release and adding many service connections in order to abuse \nor dump credentials from service connections.", + "alertRuleTemplateName": "d564ff12-8f53-41b8-8649-44f76b37b99f" + } + } + ] +} \ No newline at end of file From b6b1aaa5722d688cbe79fd080ed0e898516b5638 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:50 +0000 Subject: [PATCH 063/375] Exported file: Azure DevOps Service Connection Addition_Abuse - Historic allow list.json.json --- ... Addition_Abuse - Historic allow list.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json new file mode 100644 index 00000000..9bd1181b --- /dev/null 
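Review bot: This rule has no `entityMappings` at all and its `summarize ... by OrganizationName, tostring(DefId), tostring(Type), ProjectId, ProjectName` drops `ActorUPN`, so the resulting incidents carry no account entity to pivot on, unlike every sibling rule. Add `ActorUPN` to the `by` clause, `| extend AccountCustomEntity = ActorUPN` alongside `timestamp = StartTime`, and an Account mapping like the one in the hunk ending at L185. Also, the query has no `TimeGenerated` bound and runs with `"queryPeriod": "P14D"` / `"queryFrequency": "P1D"` with suppression off, so a definition that crosses the threshold once will presumably re-alert every day for two weeks; enabling `groupingConfiguration` (`"enabled": true`) would at least fold those into one incident.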
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Service Connection Addition_Abuse - Historic allow list.json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5410fda8-a757-41b6-97f1-79a08f07dd0f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5410fda8-a757-41b6-97f1-79a08f07dd0f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 6h;\n// Ignore Build/Releases with less/equal this number\nlet ServiceConnectionThreshold = 3;\n// New Connections need to exhibit execution of more \"new\" connections than this number.\nlet NewConnectionThreshold = 1;\n// List of Builds/Releases to ignore in your space\nlet BypassDefIds = datatable(DefId:string, Type:string, ProjectName:string)\n[\n//\"103\", \"Release\", \"ProjectA\",\n//\"42\", \"Release\", \"ProjectB\",\n//\"122\", \"Build\", \"ProjectB\"\n];\nlet HistoricDefs = AzureDevOpsAuditing\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| summarize HistoricCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)) \n by DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN;\nAzureDevOpsAuditing\n| where TimeGenerated >= ago(endtime)\n| where OperationName == \"Library.ServiceConnectionExecuted\" \n| extend DefId = tostring(Data.DefinitionId), Type = tostring(Data.PlanType), ConnectionId = tostring(Data.ConnectionId)\n| parse ScopeDisplayName with OrganizationName ' (Organization)'\n| summarize CurrentCount = dcount(tostring(ConnectionId)), ConnectionNames = make_set(tostring(Data.ConnectionName)), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \n by OrganizationName, DefId = tostring(DefId), Type = tostring(Type), ProjectId, ProjectName, ActorUPN\n| where CurrentCount > ServiceConnectionThreshold\n| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN\n| join kind=anti BypassDefIds on $left.DefId==$right.DefId and $left.Type == $right.Type and $left.ProjectName == $right.ProjectName\n| extend link = iff(\nType == \"Build\", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),\nstrcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))\n| where CurrentCount >= HistoricCount + NewConnectionThreshold\n| project StartTime, OrganizationName, ProjectName, DefId, link, RecentDistinctServiceConnections = CurrentCount, HistoricDistinctServiceConnections = HistoricCount, \n RecentConnections = ConnectionNames, HistoricConnections = ConnectionNames1, ActorUPN\n| extend timestamp = StartTime, AccountCustomEntity = ActorUPN\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": 
{ + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "Impact" + ], + "techniques": null, + "displayName": "Azure DevOps Service Connection Addition/Abuse - Historic allow list", + "enabled": false, + "description": "This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and \nnot historically included in the allow list Build/Release runs. This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.", + "alertRuleTemplateName": "5efb0cfd-063d-417a-803b-562eae5b0301" + } + } + ] +} \ No newline at end of file From 33fcc6f48a0e39e2a9b1af7b2030283ecdb72a0c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:51 +0000 Subject: [PATCH 064/375] Exported file: Azure DevOps Variable Secret Not Secured.json.json --- ...re DevOps Variable Secret Not Secured.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json diff --git a/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json new file mode 100644 index 00000000..dd7a369c --- /dev/null 
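Review bot: `| join (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` is an inner join keyed on the actor, so a Build/Release executed by an actor with no runs of that definition in the 14-day baseline is dropped before the threshold check, which is arguably the hijack case the description targets. If that case should fire, switch to `| join kind=leftouter (HistoricDefs) on ProjectId, DefId, Type, ActorUPN` and add `| extend HistoricCount = coalesce(HistoricCount, 0)` before the `CurrentCount >= HistoricCount + NewConnectionThreshold` filter; if the exclusion is intentional, say so in a KQL comment (`// inner join: actors/definitions with no baseline are left to the 'Service Connection Abuse' rule`). The `HistoricConnections = ConnectionNames1` projection relies on the join's automatic `1` suffix and deserves a comment as well.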
+++ b/SentinelExported-AnalyticsRule/Azure DevOps Variable Secret Not Secured.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/24b268fb-0acf-4315-808e-f1e941506be3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/24b268fb-0acf-4315-808e-f1e941506be3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let keywords = dynamic([\"secret\", \"secrets\", \"password\", \"PAT\", \"passwd\", \"pswd\", \"pwd\", \"cred\", \"creds\", \"credentials\", \"credential\", \"key\"]);\nAzureDevOpsAuditing\n| where OperationName =~ \"Library.VariableGroupModified\"\n| extend Type = tostring(Data.Type)\n| extend VariableGroupId = tostring(Data.VariableGroupId)\n| extend VariableGroupName = tostring(Data.VariableGroupName)\n| mv-expand Data.Variables\n| where VariableGroupName has_any (keywords) or Data_Variables has_any (keywords)\n| where Type != \"AzureKeyVault\"\n| where Data_Variables !has \"IsSecret\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": 
"FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure DevOps Variable Secret Not Secured", + "enabled": false, + "description": "Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. \nThis detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.", + "alertRuleTemplateName": "4ca74dc0-8352-4ac5-893c-73571cc78331" + } + } + ] +} \ No newline at end of file From 98c00bb20254f1a80bc81974929854f6ee06e0f6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:52 +0000 Subject: [PATCH 065/375] Exported file: Azure Key Vault access TimeSeries anomaly.json.json --- ...e Key Vault access TimeSeries anomaly.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json diff --git a/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json new file mode 100644 index 00000000..e77da8f7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Key Vault access TimeSeries anomaly.json 
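Review bot: The filter `| where Data_Variables !has "IsSecret"` in the `query` tests only for the presence of the token, so if the audit payload can carry an explicit false value for that property (not visible here; verify against a sample `Library.VariableGroupModified` record) such a variable would pass as "secured" and never be flagged. If that shape is possible, testing the value instead of the key, e.g. `| where tobool(Data_Variables.IsSecret) != true`, closes the gap. `"techniques": null` alongside `"tactics": ["CredentialAccess"]` also leaves the rule without an ATT&CK technique id, which is worth documenting or filling in so the mapping is consistent with the other exported rules.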
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22b9eab7-3edd-483a-8aca-5568e23dad78')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22b9eab7-3edd-483a-8aca-5568e23dad78')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by Resource;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Resource, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive 
records associated with the hour of anomoly\n| join (\nAzureDiagnostics\n| where TimeGenerated > ago(timeframe)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, requestUri_s, clientInfo_s\n) on Resource, TimeGenerated\n| summarize EventCount=count(), OperationNameList = make_set(OperationName), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, 
100), AccountMax = arg_max(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = CallerIPAddress, AccountCustomEntity = AccountMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure Key Vault access TimeSeries anomaly", + "enabled": false, + "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", + "alertRuleTemplateName": "0914adab-90b5-47a3-a79f-7cdcac843aa7" + } + } + ] +} \ No newline at end of file From fee35d62c1666ecace0c29efd51739761c5d9232 Mon Sep 17 00:00:00 2001 
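Review bot: The join in `query` appears to match only the midnight hour of an anomaly day: `make-series ... step timeframe` with `let timeframe = 1d;` produces day-boundary timestamps in `TimeSeriesAlerts`, while the inner side is binned with `bin(TimeGenerated, 1h)` and filtered by `DateHour in ((AnomalyHours))` before being joined `on Resource, TimeGenerated`, so only the 00:00 hour bin equals the day-boundary key. The column name `HourlyCount` suggests an hourly step was intended; `let timeframe = 1h;` would make the two sides agree, otherwise the inner `bin` and `DateHour` should use 1d. This is inferred from KQL binning semantics and is worth confirming with a test run. The `description` also misspells "Indentifies", and the in-query comments "anomolies", "retrive" and "anomoly".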
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:52 +0000 Subject: [PATCH 066/375] Exported file: Azure Portal Signin from another Azure Tenant.json.json --- ...rtal Signin from another Azure Tenant.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json diff --git a/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json new file mode 100644 index 00000000..7904a727 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure Portal Signin from another Azure Tenant.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d06f4dc9-2343-4bd9-85a1-86436bcf45fb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Get details of current Azure Ranges (note this URL updates regularly so will need to be manually updated over time)\n// You may find the name of the new JSON here: https://www.microsoft.com/download/details.aspx?id=56519\nlet azure_ranges = externaldata(changeNumber: string, cloud: string, values: dynamic)\n[\"https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20211129.json\"]\nwith(format='multijson')\n| mv-expand values\n| mv-expand values.properties.addressPrefixes\n| mv-expand values_properties_addressPrefixes\n| summarize by tostring(values_properties_addressPrefixes);\nSigninLogs\n// Limiting to Azure Portal really reduces false positives and helps focus on potential admin activity\n| where AppDisplayName =~ \"Azure Portal\"\n// Only get logons where the IP address is in an Azure range\n| evaluate ipv4_lookup(azure_ranges, IPAddress, values_properties_addressPrefixes)\n// Limit to where the user is external to the tenant\n| where HomeTenantId != ResourceTenantId\n// Further limit it to just access to the current tenant (you can drop this if you wanted to look elsewhere as well but 
it helps reduce FPs)\n| where ResourceTenantId == TenantId\n| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), make_set(ResourceDisplayName) by UserPrincipalName, IPAddress, UserAgent, Location, HomeTenantId, ResourceTenantId\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure Portal Signin from another Azure Tenant", + "enabled": false, + "description": "This query looks for sign in attempts to the Azure Portal where the user who is signing in from another Azure tenant,\n and the IP address the login attempt is from is an Azure IP. A threat actor who compromises an Azure tenant may look\n to pivot to other tenants leveraging cross-tenant delegated access in this manner.", + "alertRuleTemplateName": "87210ca1-49a4-4a7d-bb4a-4988752f978c" + } + } + ] +} \ No newline at end of file From 3ea5a076d6f8824a3c91f8c38bb009ddd8859322 Mon Sep 17 00:00:00 2001 
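Review bot: The `externaldata` call in `query` is pinned to a dated snapshot (`ServiceTags_Public_20211129.json`), and the in-query comment itself says the URL must be updated by hand; once that file is withdrawn or its ranges drift, `evaluate ipv4_lookup(...)` simply returns no rows and the detection goes silent rather than erroring. The `description` should state this dependency and its maintenance cadence, e.g. `This rule depends on a manually refreshed copy of the Azure service-tag ranges; an unreachable or stale file disables the detection without an error.` A separate health query that confirms `azure_ranges` still returns rows would make the failure mode visible to SOC operators. Whether a maintained source for the ranges is available in this workspace is not determinable from the hunk.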
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:53 +0000 Subject: [PATCH 067/375] Exported file: Azure VM Run Command operation executed during suspicious login window.json.json --- ...ecuted during suspicious login window.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json new file mode 100644 index 00000000..49ff5bff --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operation executed during suspicious login window.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1c6090a0-fa8a-4ebe-b8b2-5576114a384f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P2D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, Started, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n// Create a join key using the Caller (UPN)\n| extend joinkey = tolower(Caller)\n// Join the Run Command actions to UEBA 
data\n| join kind = inner (\n BehaviorAnalytics\n // We are specifically interested in unusual logins\n | where EventSource == \"Azure AD\" and ActivityInsights.ActionUncommonlyPerformedByUser == \"True\"\n | project UEBAEventTime=TimeGenerated, UEBAActionType=ActionType, UserPrincipalName, UEBASourceIPLocation=SourceIPLocation, UEBAActivityInsights=ActivityInsights, UEBAUsersInsights=UsersInsights\n | where isnotempty(UserPrincipalName) and isnotempty(UEBASourceIPLocation)\n | extend joinkey = tolower(UserPrincipalName)\n) on joinkey\n// Create a window around the UEBA event times, check to see if the Run Command action was performed within them\n| extend UEBAWindowStart = UEBAEventTime - 1h, UEBAWindowEnd = UEBAEventTime + 6h\n| where StartTime between (UEBAWindowStart .. UEBAWindowEnd)\n| project StartTime, EndTime, Subscription, VirtualMachineName, Caller, CallerIpAddress, UEBAEventTime, UEBAActionType, UEBASourceIPLocation, UEBAActivityInsights, UEBAUsersInsights\n| extend timestamp = StartTime, AccountCustomEntity=Caller, IPCustomEntity=CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure VM Run Command operation executed during suspicious login window", + "enabled": false, + "description": "Identifies when the Azure Run Command operation is executed 
by a UserPrincipalName and IP Address \nthat has resulted in a recent user entity behaviour alert.", + "alertRuleTemplateName": "11bda520-a965-4654-9a45-d09f372f71aa" + } + } + ] +} \ No newline at end of file From 9494258888b6ad33cf00867a410cf033d48075fd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:54 +0000 Subject: [PATCH 068/375] Exported file: Azure VM Run Command operations executing a unique powershell script.json.json --- ... executing a unique powershell script.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json diff --git a/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json new file mode 100644 index 00000000..62fc74a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure VM Run Command operations executing a unique powershell script.json 
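Review bot: `max(CallerIpAddress)` in the first `summarize` of `query` collapses the Started/Accepted/Succeeded events of one `CorrelationId` to the lexicographically largest string, so if those events ever carry different caller IPs (not determinable from the hunk) the `IP` entity would report one of them arbitrarily and the others would be lost. `make_set(CallerIpAddress)` preserves all of them for the analyst, with `IPCustomEntity` then taken from that set. The `description` also reads oddly as "executed by a UserPrincipalName and IP Address that has resulted in a recent user entity behaviour alert"; "for which a recent UEBA anomalous-login insight exists" states the join condition more precisely.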
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e52bd802-3e96-4391-8b7f-c57e58539370')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e52bd802-3e96-4391-8b7f-c57e58539370')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let RunCommandData = materialize ( AzureActivity\n// Isolate run command actions\n| where OperationNameValue == \"Microsoft.Compute/virtualMachines/runCommand/action\"\n// Confirm that the operation impacted a virtual machine\n| where Authorization has \"virtualMachines\"\n// Each runcommand operation consists of three events when successful, StartTimeed, Accepted (or Rejected), Successful (or Failed).\n| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), max(CallerIpAddress), make_list(ActivityStatusValue) by CorrelationId, Authorization, Caller\n// Limit to Run Command executions that Succeeded\n| where list_ActivityStatusValue has \"Succeeded\"\n// Extract data from the Authorization field, allowing us to later extract the Caller (UPN) and CallerIpAddress\n| extend Authorization_d = parse_json(Authorization)\n| extend Scope = Authorization_d.scope\n| extend Scope_s = split(Scope, \"/\")\n| extend Subscription = tostring(Scope_s[2])\n| extend VirtualMachineName = tostring(Scope_s[-1])\n| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress\n| join 
kind=leftouter (\n DeviceFileEvents\n | where InitiatingProcessFileName == \"RunCommandExtension.exe\"\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | project VirtualMachineName, PowershellFileCreatedTimestamp=TimeGenerated, FileName, FileSize, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, InitiatingProcessId\n) on VirtualMachineName\n// We need to filter by time sadly, this is the only way to link events\n| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath\n| join kind=inner(\n DeviceEvents\n | extend VirtualMachineName = tostring(split(DeviceName, \".\")[0])\n | where InitiatingProcessCommandLine has \"-File\"\n // Extract the script name based on the structure used by the RunCommand extension\n | extend PowershellFileName = extract(@\"\\-File\\s(script[0-9]{1,9}\\.ps1)\", 1, InitiatingProcessCommandLine)\n // Discard results that didn't successfully extract, these are not run command related\n | where isnotempty(PowershellFileName)\n | extend PSCommand = tostring(parse_json(AdditionalFields).Command)\n // The first execution of PowerShell will be the RunCommand script itself, we can discard this as it will break our hash later\n | where PSCommand != PowershellFileName \n // Now we normalise the cmdlets, we're aiming to hash them to find scripts using rare combinations\n | extend PSCommand = toupper(PSCommand)\n | order by PSCommand asc\n | summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine\n) on $left.FileName == $right.PowershellFileName\n| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, 
PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName\n| order by StartTime asc \n// We generate the hash based on the cmdlets called and the size of the powershell script\n| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)\n| extend ScriptFingerprintHash = hash_sha256(tostring(PowershellScriptCommands)));\nlet totals = toscalar (RunCommandData\n| summarize count());\nlet hashTotals = RunCommandData\n| summarize HashCount=count() by ScriptFingerprintHash;\nRunCommandData\n| join kind=leftouter (\nhashTotals\n) on ScriptFingerprintHash\n// Calculate prevelance, while we don't need this, it may be useful for responders to know how rare this script is in relation to normal activity\n| extend Prevelance = toreal(HashCount) / toreal(totals) * 100\n// Where the hash was only ever seen once.\n| where HashCount == 1\n| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName\n| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, IPCustomEntity, AccountCustomEntity, HostCustomEntity\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": 
"IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Azure VM Run Command operations executing a unique powershell script", + "enabled": false, + "description": "Identifies when Azure Run command is used to execute a powershell script on a VM that is unique.\nThe uniqueness of the powershell script is determined by taking a combined hash of the cmdlets it imports\nand the filesize of the PowerShell script. Alerts from this detection indicate a unique PowerShell was executed\nin your environment.", + "alertRuleTemplateName": "5239248b-abfb-4c6a-8177-b104ade5db56" + } + } + ] +} \ No newline at end of file From 4331ead54ce9518cac11146c722d1ceb821237ae Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:55 +0000 Subject: [PATCH 069/375] Exported file: Azure WAF matching for Log4j vuln(CVE-2021-44228).json.json --- ...tching for Log4j vuln(CVE-2021-44228).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json diff --git a/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json new file mode 100644 index 00000000..4e56f2fd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Azure WAF matching for Log4j vuln(CVE-2021-44228).json 
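Review bot: `ScriptFingerprintHash` in `query` is computed as `hash_sha256(tostring(PowershellScriptCommands))`, so the file size never enters the fingerprint, while `TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)` is built on the line above and then unused; this contradicts both the in-query comment ("based on the cmdlets called and the size") and the `description` ("combined hash of the cmdlets it imports and the filesize"). Either hash the combined string, `| extend ScriptFingerprintHash = hash_sha256(strcat(tostring(PowershellScriptCommands), PowershellFileSize)));` and drop the temporary column, or correct the comment and description to say the hash covers cmdlets only. The column `Prevelance` and the comment "StartTimeed, Accepted (or Rejected)" are also misspelled; renaming the column would need the `project` list updated as well.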
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/094a8752-7d9e-4873-84ee-ff561e73b3c0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/094a8752-7d9e-4873-84ee-ff561e73b3c0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AzureDiagnostics\n| where details_data_s has \"jndi:\"\n| parse details_data_s with * '${' MaliciousCommand '}' *\n| extend EncodeCmd = iff(MaliciousCommand has 'Base64/', split(split(MaliciousCommand, \"Base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend EncodeCmd1 = iff(MaliciousCommand has 'base64/', split(split(MaliciousCommand, \"base64/\",1)[0], \"}\", 0)[0], \"\")\n| extend CmdLine = iff( isnotempty(EncodeCmd), EncodeCmd, EncodeCmd1)\n| extend DecodedCmdLine = base64_decode_tostring(tostring(CmdLine))\n| extend DecodedCmdLine = iff( isnotempty(DecodedCmdLine), DecodedCmdLine, \"Unable to decode\")\n| project TimeGenerated, Target=hostname_s, MaliciousHost = clientIp_s, MaliciousCommand, details_data_s, DecodedCmdLine, Message, ruleSetType_s, OperationName, SubscriptionId, details_message_s, details_file_s \n| extend IPCustomEntity = MaliciousHost, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + 
"groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Azure WAF matching for Log4j vuln(CVE-2021-44228)", + "enabled": false, + "description": "This query will alert on a positive pattern match by Azure WAF for CVE-2021-44228 log4j vulnerability exploitation attempt. If possible, it then decodes the malicious command for further analysis.\n Refrence: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/", + "alertRuleTemplateName": "2de8abd6-a613-450e-95ed-08e503369fb3" + } + } + ] +} \ No newline at end of file From a7b624474d2d197d4a3ceb5a80fd1319f583239d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:56 +0000 Subject: [PATCH 070/375] Exported file: Base64 encoded Windows process command-lines (Normalized Process Events).json.json --- ...and-lines (Normalized Process Events).json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json new file mode 100644 index 00000000..7ceaecf7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines (Normalized Process Events).json 
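Review bot: `entityMappings` carries only the `IP` entity although `query` projects `Target=hostname_s`; if `hostname_s` is the requested host name of the WAF-protected site (verify against the AzureDiagnostics schema for this resource type), mapping it as a Host entity lets incidents group and pivot on the attacked application as well as the source address. The `description` also misspells "Refrence".
```json
"entityMappings": [
  { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] },
  { "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "Target" } ] }
],
```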
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d356cdc-fd63-4071-bc5b-f06d5effc36f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imProcessCreate\n | where CommandLine contains \"TVqQAAMAAAAEAAA\"\n | where isnotempty(Process)\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Dvc, ActorUsername, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n | extend timestamp = StartTimeUtc, AccountCustomEntity = ActorUsername, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Base64 encoded Windows process 
command-lines (Normalized Process Events)", + "enabled": false, + "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "f8b3c49c-4087-499b-920f-0dcfaff0cbca" + } + } + ] +} \ No newline at end of file From 2fddb2486c88529cc560618838b984fc94f34c3e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:56 +0000 Subject: [PATCH 071/375] Exported file: Base64 encoded Windows process command-lines.json.json --- ...encoded Windows process command-lines.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json diff --git a/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json new file mode 100644 index 00000000..e07eee3a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Base64 encoded Windows process command-lines.json 
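Review bot: The `contains "TVqQAAMAAAAEAAA"` filter in `query` pins the detection to one byte-exact DOS header encoded at base64 alignment zero: the third base64 character depends on the byte following `MZ` (`TVo`/`TVp`/`TVq`/`TVr`), and a one- or two-byte prefix before the PE shifts every character, so a modified stub or a padded blob is missed while the title promises "base64 encoded PE". KQL `contains` is also case-insensitive and base64 is not, so `| where CommandLine contains_cs "TVqQAAMAAAAEAAA"` is the precise operator and avoids matching lower-cased look-alikes. Consider broadening to the other `MZ` encodings with FP tuning, and note `"techniques": null` although the tactics are set; T1027 (Obfuscated Files or Information) is the natural technique for a base64-packed PE.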
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6be5f005-18ec-4034-8f0d-13b8ce42b11a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents\n| where CommandLine contains \"TVqQAAMAAAAEAAA\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Base64 encoded Windows process command-lines", + "enabled": false, + "description": "Identifies instances of a base64 encoded PE file header seen in the process command line parameter.", + "alertRuleTemplateName": "ca67c83e-7fff-4127-a3e3-1af66d6d4cad" + } + } + ] +} \ No newline at end of file From bef0f9db4f9a091be1419d394fef465a8a6f560f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:57 +0000 Subject: [PATCH 072/375] Exported file: Brute Force Attack against GitHub Account.json.json --- ...e Force Attack against GitHub Account.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json diff --git a/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json new file mode 100644 index 00000000..eebc9526 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute Force Attack against GitHub Account.json 
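Review bot: In `query`, `ProcessCreationEvents` summarizes every 4688 event in the one-day window before the `contains "TVqQAAMAAAAEAAA"` filter is applied, so the aggregation runs over all process creations; moving `| where CommandLine contains "TVqQAAMAAAAEAAA"` above the `summarize` inside the function yields the same rows at a fraction of the cost. The Account entity is mapped from the bare `SubjectUserName` even though `AccountDomain` is carried through the summarize; mapping `Name` to `Account` and `NTDomain` to `AccountDomain` (or `AccountCustomEntity = strcat(AccountDomain, "\\", Account)`) keeps the entity unambiguous across domains. As in the sibling normalized rule, base64 is case-sensitive while `contains` is not, so `contains_cs` is the precise operator here.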
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d5851b1-5d59-44da-9b51-5a0482707723')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d5851b1-5d59-44da-9b51-5a0482707723')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\nlet GitHubFailedSSOLogins = (table(tableName) \n| where AppDisplayName == \"GitHub.com\" \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime = count() by UserPrincipalName, bin(TimeGenerated, BinTime), Type\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold) \n| join kind=innerunique ( \n GitHubFailedSSOLogins \n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime)) \n | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute Force Attack against GitHub Account", + "enabled": false, + "description": "Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.", + "alertRuleTemplateName": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06" + } + } + ] +} \ No newline at end of file From f191f55ee1b837824f70fe116f0511443c8183d9 Mon Sep 17 00:00:00 2001 
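Review bot: The schedule conflicts with the query's own windows: `queryFrequency` and `queryPeriod` are `P1D`, but `query` scores only `ago(1h)..now` (`RunTime = 1h`) and baselines over `ago(7d + 1h)`, so a daily run evaluates one hour out of twenty-four and, if the rule's data window is bounded by `queryPeriod` as scheduled rules normally are, the 7-day baseline is clipped to one day. Set `"queryFrequency": "PT1H"` and `"queryPeriod": "P8D"` so both the run window and the learning period fit. `ResultType` is a string in `SigninLogs`, so `| where ResultType != "0"` is the type-correct form of the failure filter rather than comparing against the integer `0`.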
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:58 +0000 Subject: [PATCH 073/375] Exported file: Brute force attack against Azure Portal.json.json --- ...ute force attack against Azure Portal.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json diff --git a/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json new file mode 100644 index 00000000..7c751939 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against Azure Portal.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1d14a23e-7c19-4d9b-8775-eb282774958d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1d14a23e-7c19-4d9b-8775-eb282774958d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| where AppDisplayName has \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby 
bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against Azure Portal", + "enabled": false, + "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "alertRuleTemplateName": "28b42356-45af-40a6-a0b4-a554cdfd5d8a" + } + } + ] +} \ No newline at end of file From 20085a94443c711640c2c05d71e36b69fcbd20ea Mon Sep 17 00:00:00 2001 
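Review bot: `Status = todynamic(DeviceDetail)` in the first `extend` of `query` assigns the device payload to `Status`, so the `StatusCode`/`StatusDetails` columns derived from `Status.errorCode`/`Status.additionalDetails` are always empty; it should read `Status = todynamic(Status)`. Neither column feeds the summarize today, so the threshold logic is unaffected, but `make_set(ResultType)` is then the only error detail an analyst sees. Successes and failures are counted per user with no IP constraint, and `mv-expand IPAddress` attaches every IP in the set, so the legitimate user's own address is emitted as an entity alongside the attacker's; consider `make_set_if(IPAddress, FailureOrSuccess == "Failure")` for the IP entity.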
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:59 +0000 Subject: [PATCH 074/375] Exported file: Brute force attack against a Cloud PC.json.json --- ...Brute force attack against a Cloud PC.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json diff --git a/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json new file mode 100644 index 00000000..0535916e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against a Cloud PC.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d0f2d4e0-35b8-44b5-a314-bd3858a4ee6a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nSigninLogs\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)\n| where AppDisplayName =~ \"Windows Sign In\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = makeset(IPAddress), makeset(OS), makeset(Browser), makeset(City), \nmakeset(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = 
StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against a Cloud PC", + "enabled": false, + "description": "Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.", + "alertRuleTemplateName": "3fbc20a4-04c4-464e-8fcb-6667f53e4987" + } + } + ] +} \ No newline at end of file From 3eeae28de8bc7c67621e337405cde475e4368aac Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:15:59 +0000 Subject: [PATCH 075/375] Exported file: Brute force attack against user credentials (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json 
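Review bot: `query` uses the deprecated `makeset()` alias five times in the summarize where the sibling Azure Portal rule uses `make_set()`; switching keeps the two rules consistent and stops relying on an alias. Unlike the Azure Portal rule, this one reads only `SigninLogs`, so Windows sign-ins that presumably also land in `AADNonInteractiveUserSignInLogs` are not covered; wrapping the query in the same `aadFunc(tableName)` pattern with `union isfuzzy=true` over both tables would close that gap. `State` is extended but never aggregated, so that part of the `extend` is dead and can be dropped.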
diff --git a/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json new file mode 100644 index 00000000..981a8c70 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Brute force attack against user credentials (Uses Authentication Normalization).json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e001fc5b-00f7-47eb-ad14-4f68ac4b56fa')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nimAuthentication\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)\n , FailureCount = countif(EventResult=='Failure')\n , SuccessCount = countif(EventResult=='Success') \n // might be improved by counting FailReason:Outdated as Success.\nby bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Brute force attack against user credentials (Uses Authentication Normalization)", + "enabled": false, + "description": "Identifies 
evidence of brute force activity against a user highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8" + } + } + ] +} \ No newline at end of file From e62e2dc26c04d7632edfb873b9efdf3e7ffa292d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:00 +0000 Subject: [PATCH 076/375] Exported file: Bulk Changes to Privileged Account Permissions.json.json --- ...ges to Privileged Account Permissions.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json diff --git a/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json new file mode 100644 index 00000000..18bc8b11 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Bulk Changes to Privileged Account Permissions.json 
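Review bot: This rule has no `entityMappings` and the `query` never names an account or IP column for mapping, unlike the other brute-force rules in this batch, so its incidents carry no Account or IP entity and grouping, playbooks and the investigation graph have nothing to pivot on. Append `| mv-expand IPAddress | extend IPAddress = tostring(IPAddress)` to the query (the `make_set` leaves `IPAddress` as a dynamic array) and add mappings for `TargetUsername` and `IPAddress` as below, placed before `"tactics"`. `TargetUserId` and `TargetUserType` are also in the `by` clause; mapping `TargetUserId` to the Account `Sid`/`AadUserId` identifier depends on which source feeds `imAuthentication`, so leave that to tuning.
```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "TargetUsername" }
    ]
  },
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IPAddress" }
    ]
  }
],
```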
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/814a077a-8846-4195-af81-d17d1bbfd54d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/814a077a-8846-4195-af81-d17d1bbfd54d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize dcount(Target) by bin(TimeGenerated, 1h)\n| where dcount_Target > 9\n| join kind=rightsemi (AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend Target = 
tostring(TargetResources.userPrincipalName)\n| extend TimeWindow = bin(TimeGenerated, 1h)) on $left.TimeGenerated == $right.TimeWindow\n| extend AccountCustomEntity = Target\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Bulk Changes to Privileged Account Permissions", + "enabled": false, + "description": "Identifies when changes to multiple users permissions are changed at once. Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "alertRuleTemplateName": "218f60de-c269-457a-b882-9966632b9dc6" + } + } + ] +} \ No newline at end of file From 022ebeca7cfbfb675d67445d55e1971d6b385da3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:01 +0000 Subject: [PATCH 077/375] Exported file: CAC Bugbash_ Valid Analytics Rule 2.json.json --- .../CAC Bugbash_ Valid Analytics Rule 2.json | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json 
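Review bot: The `query` repeats the full nine-stage AuditLogs pipeline verbatim on both sides of the `join kind=rightsemi`, so any tuning of the `ActivityDisplayName`, `Role.DisplayName` or `contains "Admin"` filters has to be made twice or the two sides silently diverge; hoist it once with `let RoleAdds = AuditLogs | where Category =~ "RoleManagement" ... | extend Target = tostring(TargetResources.userPrincipalName);` and use `RoleAdds` in both branches. Only the target accounts are mapped via `AccountCustomEntity = Target`; the principal that performed the bulk assignment is the one an analyst needs first, so consider `| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)` (verify the path, `InitiatedBy` is dynamic) with a second Account mapping. The `> 9` threshold and the 1h bin are hard-coded in the middle of the query; `let` bindings at the top make them visible for tuning.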
diff --git a/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json new file mode 100644 index 00000000..9a34a1d6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/CAC Bugbash_ Valid Analytics Rule 2.json @@ -0,0 +1,28 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7c192267-ac8a-4182-9336-f5e7647fe9e5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7c192267-ac8a-4182-9336-f5e7647fe9e5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "MicrosoftSecurityIncidentCreation", + "apiVersion": "2022-09-01-preview", + "properties": { + "productFilter": "Microsoft 365 Insider Risk Management", + "severitiesFilter": null, + "displayNamesFilter": null, + "displayNamesExcludeFilter": null, + "displayName": "CAC Bugbash: Valid Analytics Rule 2", + "enabled": true, + "description": "Create incidents based on all alerts generated in Microsoft 365 Insider Risk Management", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From 48671b8c0c8fe056c54729f4c250e6439ea9af7f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:02 +0000 Subject: [PATCH 078/375] Exported file: Changes made to AWS CloudTrail logs.json.json --- .../Changes made to AWS CloudTrail logs.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json 
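Review bot: This is the only rule in the batch exported with `"enabled": true`, and its `displayName` "CAC Bugbash: Valid Analytics Rule 2" reads as a bug-bash test artifact, yet it is a `MicrosoftSecurityIncidentCreation` rule with `severitiesFilter`, `displayNamesFilter` and `displayNamesExcludeFilter` all `null`, so deploying this template creates an incident for every Microsoft 365 Insider Risk Management alert with no filtering. If it is a test fixture, export it with `"enabled": false` and a name that says so; if it is the intended production incident-creation rule, give it a descriptive `displayName` and a deliberate `severitiesFilter`.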
diff --git a/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json new file mode 100644 index 00000000..9119d665 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes made to AWS CloudTrail logs.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe98a5-5be4-4a6c-9808-eef4c1946f37')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe98a5-5be4-4a6c-9808-eef4c1946f37')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventNameList = dynamic([\"UpdateTrail\",\"DeleteTrail\",\"StopLogging\",\"DeleteFlowLogs\",\"DeleteEventBus\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Changes made to AWS CloudTrail logs", + "enabled": false, + "description": "Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. \nThis alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.\nMore Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html\nAWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html\nAWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ", + "alertRuleTemplateName": "610d3850-c26f-4f20-8d86-f10fdf2425f5" + } + } + ] +} \ No newline at end of file From 497f60bc6c4674c106b18f2b2153fa66c4918a05 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:02 +0000 Subject: [PATCH 079/375] Exported file: Changes to AWS Elastic Load Balancer security groups.json.json --- ...Elastic Load Balancer security groups.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json new file mode 100644 index 00000000..2e040b09 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Changes to AWS Elastic Load Balancer security groups.json 
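Review bot: `AccountCustomEntity = UserIdentityUserName` in `query` is empty for calls made under an assumed role, which is how automation and federated users typically reach CloudTrail, so the Account entity is blank on exactly the cases worth investigating; the "Changes to AWS Elastic Load Balancer security groups" rule in this same series already uses `User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)`, and this rule should do the same. `EventNameList` also omits `PutEventSelectors`, which narrows what a trail records without stopping or deleting it, and, if CloudWatch Logs tampering is in scope as the description suggests, `DeleteLogGroup`/`DeleteLogStream`; consider adding them. Severity `Low` for audit-log tampering is worth revisiting given the description's own framing of it as attackers hiding their steps.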
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0bffacb7-52da-463c-8ae4-62c09da8c510')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"ApplySecurityGroupsToLoadBalancer\", \"SetSecurityGroups\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion,\nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Elastic Load Balancer security groups",
+ "enabled": false,
+ "description": "Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications. \n Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and hence needs monitoring.\n More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \n and https://aws.amazon.com/elasticloadbalancing/.",
+ "alertRuleTemplateName": "c7bfadd4-34a6-4fa5-82f8-3691a32261e8"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1aa37a9daa1c23e8b2880fb5f136ed2403edb158 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:03 +0000
Subject: [PATCH 080/375] Exported file: Changes to AWS Security Group ingress and egress settings.json.json
---
 ...ity Group ingress and egress settings.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
new file mode 100644
index 00000000..71c08bd8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to AWS Security Group ingress and egress settings.json
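Review bot: The `summarize EventCount=count() ... by` clause on the `query` line groups by `ResponseElements` and `AdditionalEventData`, which normally differ per call (ResponseElements usually carries the per-request id), so `EventCount` will almost always be 1 and the per-principal aggregation the column name implies never happens. Grouping by the identity and network columns only and carrying the dynamic payloads along with `take_any(ResponseElements, AdditionalEventData)` would give a meaningful count per user and source IP; the security-group ingress/egress hunk that follows has the same shape. As elsewhere in this batch, `techniques` is `null` while `tactics` is populated.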
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dea3bd60-9ee8-49fd-a859-3bab903451e5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([ \"AuthorizeSecurityGroupEgress\", \"AuthorizeSecurityGroupIngress\", \"RevokeSecurityGroupEgress\", \"RevokeSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend User = iif(isnotempty(UserIdentityUserName), UserIdentityUserName, SessionIssuerUserName)\n| summarize EventCount=count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) \nby EventSource, EventName, UserIdentityType, User, SourceIpAddress, UserAgent, SessionMfaAuthenticated, AWSRegion, \nAdditionalEventData, UserIdentityAccountId, UserIdentityPrincipalid, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User , IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to AWS Security Group ingress and egress settings",
+ "enabled": false,
+ "description": "A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic. \n Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.",
+ "alertRuleTemplateName": "4f19d4e3-ec5f-4abc-9e61-819eb131758c"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d100178772a440f8e3dd825c4946bf87f042b33c Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:04 +0000
Subject: [PATCH 081/375] Exported file: Changes to Amazon VPC settings.json.json
---
 .../Changes to Amazon VPC settings.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
diff --git a/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
new file mode 100644
index 00000000..087b4a2c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to Amazon VPC settings.json
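Review bot: Every `Authorize*`/`Revoke*` call in `EventNameList` raises the same Low-severity alert, so the one case that usually matters for triage — an ingress authorization that opens a port to the world — is indistinguishable from routine hygiene. If the connector populates `RequestParameters`, an `| extend WorldOpen = RequestParameters has_any ("0.0.0.0/0", "::/0")` surfaced in the output, or used to split this into a higher-severity rule, would make the alert actionable rather than a change log. The description misspells `enviornment`, and the count/grouping point raised on the ELB hunk applies to this `summarize` as well.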
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15ce6bf5-76f6-4160-a6ab-cae48ccd14c7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "PrivilegeEscalation",
+ "LateralMovement"
+ ],
+ "techniques": null,
+ "displayName": "Changes to Amazon VPC settings",
+ "enabled": false,
+ "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html",
+ "alertRuleTemplateName": "65360bb0-8986-4ade-a89d-af3cf44d28aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9dadb75117bd6a05dbae50044398d114b6f3d282 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:05 +0000
Subject: [PATCH 082/375] Exported file: Changes to internet facing AWS RDS Database instances.json.json
---
 ...net facing AWS RDS Database instances.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
diff --git a/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
new file mode 100644
index 00000000..7abccb3b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Changes to internet facing AWS RDS Database instances.json
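Review bot: `EventNameList` contains only creation calls (`CreateNetworkAclEntry`, `CreateRoute`, `CreateRouteTable`, `CreateInternetGateway`, `CreateNatGateway`), yet the display name and description promise to identify "changes to Amazon VPC settings"; in-place modifications such as `ReplaceRoute`, `ReplaceNetworkAclEntry` and `AttachInternetGateway`, and the corresponding `Delete*` calls, would pass this rule silently even though they alter the same egress paths. Either extend the list or narrow the name and description to creation events so the coverage claim matches the query. The Account-entity fallback raised on the CloudTrail-logs hunk applies here too, since the final `extend` maps `AccountCustomEntity = UserIdentityUserName` directly.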
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0993b38b-fb86-4dc8-8b3d-8531f0b2e12b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet EventNameList = dynamic([\"AuthorizeDBSecurityGroupIngress\",\"CreateDBSecurityGroup\",\"DeleteDBSecurityGroup\",\"RevokeDBSecurityGroupIngress\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Changes to internet facing AWS RDS Database instances",
+ "enabled": false,
+ "description": "Amazon Relational Database Service (RDS) is scalable relational database in the cloud. \nIf your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service) \nOnce alerts triggered, validate if changes observed are authorized and adhere to change control policy. \nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255\nand RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html",
+ "alertRuleTemplateName": "8c2ef238-67a0-497d-b1dd-5c8a0f533e25"
+ }
+ }
+ ]
+}
\ No newline at end of file
From bd4cb686900a29c1ec661f803ed61382fb5d7bad Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:06 +0000
Subject: [PATCH 083/375] Exported file: Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json.json
---
 ...Process, Hash and IP IOCs - June 2021.json | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
diff --git a/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
new file mode 100644
index 00000000..6fd88e78
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021.json
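Review bot: The display name and description promise detection of changes to internet-facing RDS instances, but the `query` line matches only the four DB security group calls (`AuthorizeDBSecurityGroupIngress`, `CreateDBSecurityGroup`, `DeleteDBSecurityGroup`, `RevokeDBSecurityGroupIngress`); the call that actually exposes an instance, `ModifyDBInstance` (or `CreateDBInstance`) with `publiclyAccessible` set to true, is not in `EventNameList`. Adding those events and, if the connector populates `RequestParameters`, filtering on `RequestParameters has "publiclyAccessible"` would align the rule with its name; otherwise the name should be narrowed to DB security group changes. As far as I know DB security groups are a legacy EC2-Classic construct, so in VPC-only accounts this list may never match at all — worth confirming before relying on the rule. The second sentence of the description is also incomplete ("monitoring changes to especially internet facing AWS RDS (Relational Database Service)" ends without a verb).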
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda5807c-80cb-4159-adcb-884589deef20')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda5807c-80cb-4159-adcb-884589deef20')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n//This query uses sysmon data, sections that have - | where Source == \"Microsoft-Windows-Sysmon\" - may need to be updated with latest\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, DNSName, Type\n| extend MessageIP = extract(IPRegex, 0, Message), RequestIP = extract(IPRegex, 0, RequestURL)\n| extend IPMatch = 
case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL has_any (domains), \"RequestUrl\", \"NoMatch\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), Account = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name in~ (domains) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Computer , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = DestinationIPAddress\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, IPEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), File = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = tostring(EventDetail.[9].[\"#text\"]), DestinationIP = tostring(EventDetail.[14].[\"#text\"]), Image = tostring(EventDetail.[4].[\"#text\"])\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Image has_any (process)\n| project TimeGenerated, SourceIP, DestinationIP, Image, Account = UserName, Computer, Type\n| extend IPMatch = case( SourceIP in 
(IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, File = tostring(split(Image, '\\\\', -1)[-1]), IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n| extend FilePath = replace_string(Image, File, '')\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Chia crypto IOC detected', Type\n| extend timestamp = TimeGenerated, IPEntity = ClientIP, Account = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or InitiatingProcessSHA256 in (sha256Hashes) or InitiatingProcessFileName has_any (process)\n| project TimeGenerated, ActionType, DeviceId, Computer = DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPEntity = RemoteIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, IPEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" 
Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) or ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPEntity = ClientIP, AlertDetail = 'Chia crypto IOC detected'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPEntity = SourceHost, AlertDetail = 'Chia crypto IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) \n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = tostring(EventDetail.[4].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(Image, File, '')\n),\n(DeviceFileEvents\n| where InitiatingProcessFolderPath has_any (process)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type\n| extend 
Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlertDetail = 'Chia crypto IOC detected', FileHashAlgo = 'SHA256', Account = SourceUserID\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| project TimeGenerated, EventDetail, UserName, Computer, Type\n| extend Image = tostring(EventDetail.[4].[\"#text\"]), CommandLine = tostring(EventDetail.[10].[\"#text\"]), Account = UserName, FileHash = tostring(EventDetail.[17].[\"#text\"]), AlertDetail = 'Chia crypto IOC detected'\n| where Image has_any (process)\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(Image, '\\\\', -1)[-1]), FileHashAlgo = 'SHA256'\n| extend FilePath= replace_string(Image, File, '')\n),\n(DeviceEvents\n| where InitiatingProcessFileName has_any (process) or InitiatingProcessSHA256 in~ (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Chia crypto IOC detected'\n| extend timestamp = TimeGenerated, 
Computer, Account, File = InitiatingProcessFileName, FileHashAlgo = 'SHA256'\n| extend FilePath = replace_string(InitiatingProcessFolderPath, File, '')\n),\n(SecurityEvent\n| where EventID == '4688'\n| where NewProcessName has_any (process)\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, Computer, Account, File = tostring(split(NewProcessName, '\\\\', -1)[-1]), AlertDetail = 'Chia crypto IOC detected'\n| extend FilePath = replace_string(NewProcessName, File, '')\n)\n)\n| extend AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPEntity, FileCustomEntity = File, FilePathCustomEntity = FilePath, FileHashCustomEntity = FileHash\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Chia_Crypto_Mining - Domain, Process, Hash and IP IOCs - June 2021",
+ "enabled": false,
+ "description": "Identifies a match across various data feeds for domains, process, hashes and IP IOC related to Chia cryptocurrency farming/plotting activity.",
+ "alertRuleTemplateName": "595a10c9-91be-4abb-bbc7-ae9c57848bef"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 061444a81709e368f7ce1147250338a34420477d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:06 +0000
Subject: [PATCH 084/375] Exported file: Cisco - firewall block but success logon to Azure AD.json.json
---
 ...l block but success logon to Azure AD.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
diff --git a/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
new file mode 100644
index 00000000..49e0d333
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco - firewall block but success logon to Azure AD.json
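Review bot: The indicator set is fetched on every run with `externaldata(...) [@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/ChiaCryptoIOC.csv"]`, i.e. from a mutable branch of a third-party repository, so what this rule detects is whatever that file contains at query time and the detection changes — or silently breaks if the path moves — without any change in this repository; pinning the URL to a commit SHA, or importing the feed into a Sentinel watchlist and reading it with `_GetWatchlist(...)`, keeps the indicator set under the workspace's own change control. Separately, the final `extend` computes `FileCustomEntity` and `FilePathCustomEntity`, but `entityMappings` declares only Account, Host, IP and FileHash, so the file name and directory matched on the Sysmon and SecurityEvent branches are never attached to the alert; a `File` mapping with `Name` → `FileCustomEntity` and `Directory` → `FilePathCustomEntity` would close that gap. The Sysmon branches read `EventDetail` by fixed position (`[4]`, `[9]`, `[10]`, `[14]`, `[17]`), which the inline comment already flags as version-sensitive; that caveat belongs in the description as well, since that is what an analyst tuning the rule will read.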
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cef2de7-424f-4297-b732-b8985477fb7e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet aadFunc = (tableName:string){\nCommonSecurityLog\n| where DeviceVendor =~ \"Cisco\"\n| where DeviceAction =~ \"denied\"\n| extend SourceIPType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where SourceIPType == \"public\"\n| summarize count() by SourceIP\n| join (\n // Successful signins from IPs blocked by the firewall solution are suspect\n // Include fully successful sign-ins, but also ones that failed only at MFA stage\n // as that supposes the password was sucessfully guessed.\n table(tableName)\n | where ResultType in (\"0\", \"50074\", \"50076\") \n) on $left.SourceIP == $right.IPAddress\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco - firewall block but success logon to Azure AD",
+ "enabled": false,
+ "description": "Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins. \nBecause the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect\nand could indicate credential compromise for the user account.",
+ "alertRuleTemplateName": "157c0cfc-d76d-463b-8755-c781608cdc1a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8f289a5897d0c45959cb2adf4d748b87af302e41 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:07 +0000
Subject: [PATCH 085/375] Exported file: Cisco ASA - average attack detection rate increase.json.json
---
 ...verage attack detection rate increase.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
new file mode 100644
index 00000000..1a3d96bd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - average attack detection rate increase.json
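Review bot: The left side of the join collapses to `summarize count() by SourceIP`, so the alert carries neither when the firewall denied the address nor how often, and with a 1-day `queryPeriod` the block and the sign-in may be hours apart in either order — the analyst cannot check the correlation from the alert itself. Keeping `FirewallBlocks = count(), LastBlockUtc = max(TimeGenerated)` in that `summarize` and projecting them alongside the sign-in fields would make it checkable, and constraining the join to sign-ins that occur after the block is the natural tightening if false positives are high. The inline comment explains that `ResultType in ("0", "50074", "50076")` deliberately treats MFA-interrupted sign-ins as evidence of a guessed password; that reasoning belongs in the description too, since it is what an analyst reads when deciding how to triage.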
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4a9a7b49-4e79-4f64-b778-209a63227af1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4a9a7b49-4e79-4f64-b778-209a63227af1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet timeframe = 1h;\nlet last1h = CommonSecurityLog \n| where TimeGenerated >= ago(timeframe)\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend CurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend MaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend CurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend MaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend CumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize last1hCumTotal = sum(CumulativeTotal), last1hAvgRatePerSec = avg(CurrentAvgRatePerSec), last1hAvgBurstRatePerSec = avg(CurrentBurstRatePerSec) by DeviceName, 
DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlet prev6h = CommonSecurityLog \n| where TimeGenerated between (ago(6h) .. ago(1h))\n| where isempty(CommunicationDirection) \n| where DeviceEventClassID == \"733100\"\n| extend SourceOfDropRateCount = tostring(split(tostring(split(Message, \"]\")[0]),\"[ \")[1])\n| extend splitMessage = split(Message, \".\")\n| extend DropRate = tostring(split(tostring(splitMessage[0]),\"] \")[1])\n| extend CurrentBurstRate = split(tostring(split(tostring(splitMessage[1]),\" \")[0]),\"is \")\n| extend prevCurrentBurstRatePerSec = toint(split(tostring(CurrentBurstRate[1]),\" \")[0])\n| extend prevMaxConfiguredBurstRate = toint(CurrentBurstRate[2])\n| extend CurrentAvgRate = split(tostring(split(tostring(splitMessage[1]),\" \")[1]),\"is \")\n| extend prevCurrentAvgRatePerSec = toint(split(tostring(CurrentAvgRate[1]),\" \")[0])\n| extend prevMaxConfiguredAvgRate = toint(CurrentAvgRate[2])\n| extend prevCumulativeTotal = toint(split(tostring(split(tostring(splitMessage[1]),\" \")[2]),\"is \")[1])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), prev6hCumTotal = sum(prevCumulativeTotal), prev6hAvgRatePerSec = avg(prevCurrentAvgRatePerSec), prev6hAvgBurstRatePerSec = avg(prevCurrentBurstRatePerSec) \nby DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate;\nlast1h | join (\n prev6h \n) on DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate\n| project StartTimeUtc, EndTimeUtc, DeviceName, DeviceEventClassID, SourceIP, SourceOfDropRateCount, DropRate, last1hCumTotal, prev6hCumTotal, prev6hAvgCumTotal = prev6hCumTotal/6, last1hAvgRatePerSec, prev6hAvgRatePerSec, last1hAvgBurstRatePerSec, prev6hAvgBurstRatePerSec\n// Select only events that indicate a doubling of the expected rate in the last hour over the previous 6 hours\n| where last1hCumTotal > 2*prev6hAvgCumTotal or last1hAvgRatePerSec > 2*prev6hAvgRatePerSec or last1hAvgBurstRatePerSec > 
2*prev6hAvgBurstRatePerSec\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery", + "Impact" + ], + "techniques": null, + "displayName": "Cisco ASA - average attack detection rate increase", + "enabled": false, + "description": "This will help you determine if Cisco ASA devices are under heavier attack than normal over the last hour versus the previous 6 hours based on DeviceEventClassID 733100\nReferences: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html", + "alertRuleTemplateName": "79f29feb-6a9d-4cdf-baaa-2daf480a5da1" + } + } + ] +} \ No newline at end of file From 682355ae968714692f3d9178af14e929678d7db5 Mon Sep 17 00:00:00 2001 
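Review bot: `sum(CumulativeTotal)` and `sum(prevCumulativeTotal)` add up a value parsed from every 733100 message; if that value is the running cumulative counter its name suggests (the page shows no sample message, so confirm against a real record), summing it across events scales with how often the ASA emits the message rather than with drop volume, and `max()` per group or a last-minus-first delta would measure the increase honestly. The nested `split()`/`toint()` chain also returns null on any format drift, which `sum()` and `avg()` then silently skip, so a group can compare favourably simply because parsing failed; a `| where isnotnull(CumulativeTotal)` after the extends, with a comment naming the message layout the splits rely on, would surface that. The `// Select only events ...` line is the only documentation in roughly sixty lines of parsing — the `SourceOfDropRateCount`, `DropRate` and `splitMessage[1]` extractions each deserve a one-line note saying which segment of the 733100 text they pick out.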
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:08 +0000
Subject: [PATCH 086/375] Exported file: Cisco ASA - threat detection message fired.json.json
---
 ... ASA - threat detection message fired.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
diff --git a/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
new file mode 100644
index 00000000..be3f7747
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco ASA - threat detection message fired.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/56bd3d9c-25ae-42f7-80b5-b3be274f9971')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCommonSecurityLog \n| where isempty(CommunicationDirection) \n| where DeviceEventClassID in (\"733101\",\"733102\",\"733103\",\"733104\",\"733105\")\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Discovery",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Cisco ASA - threat detection message fired",
+ "enabled": false,
+ "description": "Identifies when the Cisco ASA Threat Detection engine fired an alert based on malicious activity occurring on the network inicated by DeviceEventClassID 733101-733105\nResources: https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html\nDetails on how to further troubleshoot/investigate: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html",
+ "alertRuleTemplateName": "795edf2d-cf3e-45b5-8452-fe6c9e6a582e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 54f006123de431de1427df7f7118ce921b1fc3dc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:09 +0000
Subject: [PATCH 087/375] Exported file: Cisco Umbrella - Connection to Unpopular Website Detected.json.json
---
 ...nection to Unpopular Website Detected.json | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
new file mode 100644
index 00000000..ada78069
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to Unpopular Website Detected.json
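Review bot: The `| where isempty(CommunicationDirection)` filter carries no explanation, here and in the ASA rate-increase rule; a reader cannot tell whether it selects device-generated threat messages (which would carry no flow direction) or works around a parser quirk, so a comment such as `// threat-detection messages are device events, not flows: CommunicationDirection is unset` — to be confirmed against the CEF field mapping — would pin the intent. The description also misspells `inicated` (`indicated`).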
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ffcf2eb-7b20-4385-add1-d47244784479')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let domain_lookBack= 14d;\nlet timeframe = 1d;\nlet top_million_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(domain_lookBack) and TimeGenerated < ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| summarize count() by tostring(Hostname)\n| top 1000000 by count_\n| summarize make_list(Hostname);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| extend Hostname = parse_url(UrlOriginal)[\"Host\"]\n| where Hostname !in (top_million_list)\n| extend Message = \"Connect to unpopular website (possible malicious payload delivery)\"\n| project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to Unpopular Website Detected",
+ "enabled": false,
+ "description": "Detects first connection to an unpopular website (possible malicious payload delivery).",
+ "alertRuleTemplateName": "75297f62-10a8-4fc1-9b2a-12f25c6f05a7"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ea8b665ab5fd69c712f3502128ded88f7bae5598 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:09 +0000
Subject: [PATCH 088/375] Exported file: Cisco Umbrella - Connection to non-corporate private network.json.json
---
 ...tion to non-corporate private network.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
new file mode 100644
index 00000000..a1810d0d
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Connection to non-corporate private network.json
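Review bot: The query projects `IpCustomEntity` and `UrlCustomEntity` but the resource has no `entityMappings`, unlike the ASA and private-network rules in this series; unless the workspace still honours legacy column-name mapping (which I cannot confirm from here, and these column names are not the legacy `IPCustomEntity`/`URLCustomEntity` spellings either), incidents from this rule will carry no entities and `"matchingMethod": "AllEntities"` has nothing to match on. The same omission is in the crypto-miner, empty-user-agent, hack-tool and rare-user-agent rules. Explicit mappings placed after `incidentConfiguration`, as the other rules do, address it. The baseline's `top 1000000` feeding `make_list` also sits just under `make_list`'s default 1,048,576-item cap — fine today, but worth a comment so a future bump of the `top` count does not silently truncate the allow-list.
```json
"entityMappings": [
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IpCustomEntity" }
    ]
  },
  {
    "entityType": "URL",
    "fieldMappings": [
      { "identifier": "Url", "columnName": "UrlCustomEntity" }
    ]
  }
],
```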
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fc32fc57-e12b-4823-b40a-86ede70b5af7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Connection to non-corporate private network",
+ "enabled": false,
+ "description": "IP addresses of broadband links that usually indicates users attempting to access their home network, for example for a remote session to a home computer.",
+ "alertRuleTemplateName": "c9b6d281-b96b-4763-b728-9a04b9fe1246"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e3b2c63b70c257fd64cfac995d27f9fc612b9840 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:10 +0000
Subject: [PATCH 089/375] Exported file: Cisco Umbrella - Crypto Miner User-Agent Detected.json.json
---
 ...la - Crypto Miner User-Agent Detected.json | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
new file mode 100644
index 00000000..b77d766f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Crypto Miner User-Agent Detected.json
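Review bot: `Identities` is mapped straight to the Account `FullName` identifier; Umbrella proxy records can carry more than one identity in that field (the page shows no sample row, so verify on live data), and if they do the Account entity becomes a single concatenated string that never matches across incidents. Splitting it first — `| mv-expand Identity = split(Identities, ',')` followed by `| extend AccountCustomEntity = tostring(Identity)` — yields one clean account per row; the harmful/malicious-category and blocklisted-file-type rules map `Identities` the same way. The description reads as a category definition rather than a detection rationale; saying what an allowed request to these categories means for the tenant (a user tunnelling to a home network past proxy policy, for instance) would help the analyst who receives the incident.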
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a095755b-fc1c-4311-a607-118eb9170048')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"XMRig\" or HttpUserAgentOriginal contains \"ccminer\"\n| extend Message = \"Crypto Miner User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Crypto Miner User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by crypto miners in proxy logs.",
+ "alertRuleTemplateName": "b619d1f1-7f39-4c7e-bf9e-afbb46457997"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 29d2c08cb484272c8e542cca16e8da1e1c4babbd Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:11 +0000
Subject: [PATCH 090/375] Exported file: Cisco Umbrella - Empty User Agent Detected.json.json
---
 ... Umbrella - Empty User Agent Detected.json | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
new file mode 100644
index 00000000..970fe218
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Empty User Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9bcc4a9b-d85e-4927-a32e-b8284cfa5422')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal == ''\n| extend Message = \"Empty User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Empty User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect empty and unusual user agent indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "2b328487-162d-4034-b472-59f1d53684a1"
+ }
+ }
+ ]
+}
\ No newline at end of file
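Review bot: `| where HttpUserAgentOriginal == ''` matches only a literal empty string, so rows where the column is null because no User-Agent header was present fall through; `| where isempty(HttpUserAgentOriginal)` covers both cases. The description promises detection of empty and unusual user agents while the query tests only for empty — either narrow the description or point it at the separate Rare User Agent rule for the unusual case.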
From 8b86ae808b6ea8b74b0067e318905681fa797c45 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:12 +0000
Subject: [PATCH 091/375] Exported file: Cisco Umbrella - Hack Tool User-Agent Detected.json.json
---
 ...rella - Hack Tool User-Agent Detected.json | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
new file mode 100644
index 00000000..84affc5a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Hack Tool User-Agent Detected.json
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aadbd1d6-c647-49e7-a7f0-3f1ee07dc1d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nlet user_agents=dynamic([\n '(hydra)',\n ' arachni/',\n ' BFAC ',\n ' brutus ',\n ' cgichk ',\n 'core-project/1.0',\n ' crimscanner/',\n 'datacha0s',\n 'dirbuster',\n 'domino hunter',\n 'dotdotpwn',\n 'FHScan Core',\n 'floodgate',\n 'get-minimal',\n 'gootkit auto-rooter scanner',\n 'grendel-scan',\n ' inspath ',\n 'internet ninja',\n 'jaascois',\n ' zmeu ',\n 'masscan',\n ' metis ',\n 'morfeus fucking scanner',\n 'n-stealth',\n 'nsauditor',\n 'pmafind',\n 'security scan',\n 'springenwerk',\n 'teh forest lobster',\n 'toata dragostea',\n ' vega/',\n 'voideye',\n 'webshag',\n 'webvulnscan',\n ' whcc/',\n ' Havij',\n 'absinthe',\n 'bsqlbf',\n 'mysqloit',\n 'pangolin',\n 'sql power injector',\n 'sqlmap',\n 'sqlninja',\n 'uil2pn',\n 'ruler',\n 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)'\n ]);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal has_any (user_agents)\n| extend Message = \"Hack Tool User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Hack Tool User-Agent Detected",
+ "enabled": false,
+ "description": "Detects suspicious user agent strings used by known hack tools",
+ "alertRuleTemplateName": "8d537f3c-094f-430c-a588-8a87da36ee3a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From e68ed2121768334b58329a305e09380f440f4284 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:12 +0000
Subject: [PATCH 092/375] Exported file: Cisco Umbrella - Rare User Agent Detected.json.json
---
 ...o Umbrella - Rare User Agent Detected.json | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
new file mode 100644
index 00000000..d366425b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Rare User Agent Detected.json
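Review bot: `has_any` is term-based, so the leading and trailing spaces in entries such as `' BFAC '`, `' metis '` and `' zmeu '` do not anchor the match the way they would under `contains`; if the list was carried over from a substring-matching source, either the spaces are dead weight or the operator is wrong for the intent, and a comment on `user_agents` stating which semantics is wanted would settle it for the next editor. Short dictionary-word entries (`'ruler'`, `'pangolin'`, `'absinthe'`) are the likeliest false-positive sources against legitimate product user agents, and the final entry is a complete Firefox 3.5.2 string that will also match any genuine client still sending it; both deserve a note on why they are kept. `"tactics": ["CommandAndControl"]` is an odd fit for scanner and injection-tool user agents, which are reconnaissance or initial-access activity; I would expect Reconnaissance or InitialAccess here, with `techniques` filled in rather than left null.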
@@ -0,0 +1,48 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e494d49-35d6-4cea-b30d-29f22c179aab')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lookBack = 14d;\nlet timeframe = 1d;\nlet user_agents_list = Cisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(lookBack) and TimeGenerated < ago(timeframe)\n| summarize count() by HttpUserAgentOriginal\n| summarize make_list(HttpUserAgentOriginal);\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal !in (user_agents_list)\n| extend Message = \"Rare User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Rare User Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect a rare user-agents indicating web browsing activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "8c8de3fa-6425-4623-9cd9-45de1dd0569a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 550f2fc1067d38a2385296088ca2fb31f6d943cc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:13 +0000
Subject: [PATCH 093/375] Exported file: Cisco Umbrella - Request Allowed to harmful_malicious URI category.json.json
---
 ...wed to harmful_malicious URI category.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
new file mode 100644
index 00000000..e6d0a858
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request Allowed to harmful_malicious URI category.json
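Review bot: The baseline computes a `count()` it never uses, so `| summarize count() by HttpUserAgentOriginal | summarize make_list(HttpUserAgentOriginal)` collapses to `| summarize make_set(HttpUserAgentOriginal)`; the shorter form also makes it plain that no frequency threshold is applied — "rare" here means "not seen in the preceding 13 days", not low-volume, and the description should say so. `make_list`/`make_set` default to a 1,048,576-item cap, so in a busy tenant the baseline can be silently truncated and every agent beyond the cap then looks new; either pass a larger maxSize or filter empty and null agents out of both sides first.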
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f6dda353-e32a-41e2-b892-87012ab48a79')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlCategory contains 'Adult Themes' or\n UrlCategory contains 'Adware' or\n UrlCategory contains 'Alcohol' or\n UrlCategory contains 'Illegal Downloads' or\n UrlCategory contains 'Drugs' or\n UrlCategory contains 'Child Abuse Content' or\n UrlCategory contains 'Hate/Discrimination' or\n UrlCategory contains 'Nudity' or\n UrlCategory contains 'Pornography' or\n UrlCategory contains 'Proxy/Anonymizer' or\n UrlCategory contains 'Sexuality' or\n UrlCategory contains 'Tasteless' or\n UrlCategory contains 'Terrorism' or\n UrlCategory contains 'Web Spam' or\n UrlCategory contains 'German Youth Protection' or\n UrlCategory contains 'Illegal Activities' or\n UrlCategory contains 'Lingerie/Bikini' or\n UrlCategory contains 'Weapons'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request Allowed to harmful/malicious URI category",
+ "enabled": false,
+ "description": "It is reccomended that these Categories shoud be blocked by policies because they provide harmful/malicious content..",
+ "alertRuleTemplateName": "d6bf1931-b1eb-448d-90b2-de118559c7ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 6811f846205502f4599f4307f23f659dc8e119e9 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:16:14 +0000
Subject: [PATCH 094/375] Exported file: Cisco Umbrella - Request to blocklisted file type.json.json
---
 ...la - Request to blocklisted file type.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
new file mode 100644
index 00000000..fd09a950
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Request to blocklisted file type.json
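Review bot: The eighteen `UrlCategory contains '...' or` clauses are a style point: the non-corporate-private-network rule in this series writes the same kind of test as `UrlCategory has_any ('Dynamic and Residential', 'Personal VPN')`, and a single `dynamic([...])` list with `has_any` here would be consistent and easier to extend — with the caveat that `contains` is substring matching and `has_any` is term matching, so check that no category is only reachable as a substring of a longer name before switching. The description has `reccomended`, `shoud` and a doubled full stop; I would rewrite it as `Requests to these categories are normally blocked by policy because they serve harmful or malicious content; an allowed request to one of them indicates a policy gap or bypass.`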
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ece332c1-3f76-49d9-92fb-c94bc4af948d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']);\nlet lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| extend file_ext = extract(@'.*(\\.\\w+)$', 1, UrlOriginal)\n| extend Filename = extract(@'.*\\/*\\/(.*\\.\\w+)$', 1, UrlOriginal)\n| where file_ext in (file_ext_blocklist)\n| project TimeGenerated, SrcIpAddr, Identities, Filename\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Request to blocklisted file type",
+ "enabled": false,
+ "description": "Detects request to potentially harmful file types (.ps1, .bat, .vbs, etc.).",
+ "alertRuleTemplateName": "de58ee9e-b229-4252-8537-41a4c2f4045e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 6d8a8e506876f4beb1f4cd4e1bec6819b5a3ec23 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:15 +0000 Subject: [PATCH 095/375] Exported file: Cisco Umbrella - URI contains IP address.json.json
--- ...co Umbrella - URI contains IP address.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
new file mode 100644
index 00000000..6dbbecf9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - URI contains IP address.json
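Review bot: `| where file_ext in (file_ext_blocklist)` is a case-sensitive comparison, so a request for `.PS1` or `.Bat` passes the filter even though `DvcAction =~ 'Allowed'` on the line above is deliberately case-insensitive; `| where file_ext in~ (file_ext_blocklist)` (or lower-casing `file_ext` first) closes that gap. The extension regex `.*(\.\w+)$` is anchored to the end of `UrlOriginal`, so a URL that carries a query string or fragment after the file name yields no extension and is silently skipped; if that is not intended, strip everything from the first `?` or `#` before extracting. `Filename` is projected but not referenced by any entity mapping, so it only surfaces in the raw query results, which is fine but worth a one-line comment in the rule description.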
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b40835ac-6aa1-44c8-94ee-9634550cbf43')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT10M",
+ "queryPeriod": "PT10M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let lbtime = 10m;\nCisco_Umbrella\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'proxylogs'\n| where DvcAction =~ 'Allowed'\n| where UrlOriginal matches regex @'\\Ahttp:\\/\\/\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}.*'\n| project TimeGenerated, SrcIpAddr, Identities\n| extend IPCustomEntity = SrcIpAddr\n| extend AccountCustomEntity = Identities\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - URI contains IP address",
+ "enabled": false,
+ "description": "Malware can use IP address to communicate with C2.",
+ "alertRuleTemplateName": "ee1818ec-5f65-4991-b711-bcf2ab7e36c3"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 862a9612fc029d28d7bd9eca9d737ddeb6979471 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:15 +0000 Subject: [PATCH 096/375] Exported file: Cisco Umbrella - Windows PowerShell User-Agent Detected.json.json
--- ...indows PowerShell User-Agent Detected.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
diff --git a/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
new file mode 100644
index 00000000..81fa4a71
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cisco Umbrella - Windows PowerShell User-Agent Detected.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df7345e-b037-4478-a753-dd23d194b187')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT15M",
+ "queryPeriod": "PT15M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 15m;\nCisco_Umbrella\n| where EventType == \"proxylogs\"\n| where TimeGenerated > ago(timeframe)\n| where HttpUserAgentOriginal contains \"WindowsPowerShell\"\n| extend Message = \"Windows PowerShell User Agent\"\n| project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal\n| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CommandAndControl",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Cisco Umbrella - Windows PowerShell User-Agent Detected",
+ "enabled": false,
+ "description": "Rule helps to detect Powershell user-agent activity by an unusual process other than a web browser.",
+ "alertRuleTemplateName": "b12b3dab-d973-45af-b07e-e29bb34d8db9"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 461a359b42e7e66ab2099a905e3b64e2455fba98 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:16 +0000 Subject: [PATCH 097/375] Exported file: ClientDeniedAccess.json.json
--- .../ClientDeniedAccess.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ClientDeniedAccess.json
diff --git a/SentinelExported-AnalyticsRule/ClientDeniedAccess.json b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
new file mode 100644
index 00000000..2f672e37
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/ClientDeniedAccess.json
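Review bot: This rule has no `entityMappings` block, unlike every other rule in this series, yet its query ends with `| extend IpCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal`; under the `2022-09-01-preview` API a `*CustomEntity` column name is not by itself a mapping, so the alerts will most likely carry no IP or URL entities and `"matchingMethod": "AllEntities"` has nothing to group on. Adding explicit mappings for the two columns, between `incidentConfiguration` and `tactics`, restores parity with the sibling rules. The double-quoted KQL literals (`\"proxylogs\"`) also differ from the single quotes used elsewhere in the series, a minor consistency point.
```json
        },
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              { "identifier": "Address", "columnName": "IpCustomEntity" }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              { "identifier": "Url", "columnName": "UrlCustomEntity" }
            ]
          }
        ],
        "tactics": [
```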
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af215a8a-6d4d-4018-9e57-232303ee41d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 15;\nlet rejectedAccess = SymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)\n| where Total > threshold\n| project ClientIP;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| join kind=inner rejectedAccess on ClientIP\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User\n| extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "ClientDeniedAccess",
+ "enabled": false,
+ "description": "Creates an incident in the event a Client has an excessive amounts of denied access requests.",
+ "alertRuleTemplateName": "a9956d3a-07a9-44a6-a279-081a85020cae"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 3acd9d0b551c99c00ecb9c8f49f8ea464c556516 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:17 +0000 Subject: [PATCH 098/375] Exported file: Cognni Incidents for Highly Sensitive Business Information.json.json
--- ...Highly Sensitive Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
new file mode 100644
index 00000000..517e9271
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee60a8a3-18ba-4481-92c5-5a5aeb1bb76e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Business Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive business information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "44e80f00-b4f5-486b-a57d-4073746276df"
+ }
+ }
+ ]
+}
\ No newline at end of file
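Review bot: The query hard-codes `| where TimeGenerated >= ago(5h)` while the rule also declares `"queryPeriod": "PT5H"`, so the two values are coupled by hand and a later change to the period without touching the query silently narrows or widens the data the rule evaluates; Sentinel already scopes a scheduled query to `queryPeriod`, so the literal can be dropped, or hoisted to `let lookback = 5h;` next to `highRisk` so the intent is explicit. The same pattern is repeated in every Cognni rule in this series (the Highly Sensitive Financial, Governance, HR and Legal variants and all of the Low Sensitivity variants), so one fix should be applied across all of them. `Severity == highRisk` also compares against the integer `3`; if the `Severity` column in `CognniIncidents_CL` is ingested as a string the filter matches nothing, which is worth a comment in the description stating the expected type.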
From f14ce32341ffb6069ee974a89278e74897f64b43 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:17 +0000 Subject: [PATCH 099/375] Exported file: Cognni Incidents for Highly Sensitive Financial Information.json.json
--- ...ighly Sensitive Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
new file mode 100644
index 00000000..7fe66651
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eef3a7d9-3be0-461b-9136-dfd2485f0fe5')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "7ebb7386-6c99-4331-aab1-a185a603eb47"
+ }
+ }
+ ]
+}
\ No newline at end of file
From eec04c6c52f095152f4b18a3da18a918b60f1f2c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:18 +0000 Subject: [PATCH 100/375] Exported file: Cognni Incidents for Highly Sensitive Governance Information.json.json
--- ...ghly Sensitive Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
new file mode 100644
index 00000000..aa613d21
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Governance Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4715c9ad-d4c0-4eed-b1a7-fa0a808deff4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Governance Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive governance information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "2926ce29-08d2-4654-b2e8-7d8df70095d9"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 7656793c0132dbe13b1f4e44bfa5b2cedc2e1317 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:19 +0000 Subject: [PATCH 101/375] Exported file: Cognni Incidents for Highly Sensitive HR Information.json.json
--- ...s for Highly Sensitive HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
new file mode 100644
index 00000000..d1fe6ab3
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive HR Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6769d928-39db-442b-8af3-4477e02f38fc')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive HR Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive HR information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "f68846cf-ec99-497d-9ce1-80a9441564fb"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 69fd056486a60916a13cca47dd75616b4a29709d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:20 +0000 Subject: [PATCH 102/375] Exported file: Cognni Incidents for Highly Sensitive Legal Information.json.json
--- ...or Highly Sensitive Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
new file mode 100644
index 00000000..a5f7c589
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Highly Sensitive Legal Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd78be72-fc73-4cb5-aef3-b9f61b35c1be')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let highRisk = 3;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == highRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Highly Sensitive Legal Information",
+ "enabled": false,
+ "description": "Display incidents in which highly sensitive legal information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "4f45f43b-3a4b-491b-9cbe-d649603384aa"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ee57075212db791773ac7b5950767646f43ae716 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:20 +0000 Subject: [PATCH 103/375] Exported file: Cognni Incidents for Low Sensitivity Business Information.json.json
--- ... Low Sensitivity Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
new file mode 100644
index 00000000..88334c0e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Business Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/08df1b8f-e53a-4f2e-9bd3-b3908f512f46')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Business Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity business information] was placed at risk by user sharing.",
+ "alertRuleTemplateName": "a0647a60-16f9-4175-b344-5cdd2934413f"
+ }
+ }
+ ]
+}
\ No newline at end of file
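Review bot: The description contains a stray closing bracket (`business information]`) that will be displayed verbatim in the rule's details pane; suggest `Display incidents in which low sensitivity business information was placed at risk by user sharing.`. The Low Sensitivity Governance Information rule later in this series has the same stray bracket in its description and should be fixed at the same time.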
From ab8e6498cb7121754e31c6cb867f01203bfc0191 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:21 +0000 Subject: [PATCH 104/375] Exported file: Cognni Incidents for Low Sensitivity Financial Information.json.json
--- ...Low Sensitivity Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
new file mode 100644
index 00000000..fdb269e5
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Financial Information.json
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa0f3fe-1c85-48de-b37f-63b61b97b3d6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let lowRisk = 1;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Cognni Incidents for Low Sensitivity Financial Information",
+ "enabled": false,
+ "description": "Display incidents in which low sensitivity financial information was placed at risk by user sharing.",
+ "alertRuleTemplateName": "77171efa-4502-4ab7-9d23-d12305ff5a5e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d5b11fb33ced40468ba562781c93890bc74d371b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:22 +0000 Subject: [PATCH 105/375] Exported file: Cognni Incidents for Low Sensitivity Governance Information.json.json
--- ...ow Sensitivity Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
new file mode 100644
index 00000000..d73c7c4e
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Governance Information.json
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6cc7e5f0-0be6-4b1c-8a9e-1a49fefbd974')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lowRisk = 1;\nlet governance = 'Governance Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == governance\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Low Sensitivity Governance Information", + "enabled": false, + "description": "Display incidents in which low sensitivity governance information] was placed at risk by user sharing.", + "alertRuleTemplateName": "d2e40c79-fe8c-428e-8cb9-0e2282d4558c" + } + } + ] +} \ No newline at end of file 
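Review bot: The `description` string carries a stray `]` after "governance information" (`...low sensitivity governance information] was placed...`), and that text is shown verbatim in the incident details; it should read `"description": "Display incidents in which low sensitivity governance information was placed at risk by user sharing."`. The `displayName` and the `'Governance Information'` constant in the query are spelled correctly, so only the description needs the edit.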
From 5dd4a1fb6fa09bcfdc4a1a3fbb3fa613611c49c7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:23 +0000 Subject: [PATCH 106/375] Exported file: Cognni Incidents for Low Sensitivity HR Information.json.json --- ...ts for Low Sensitivity HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json new file mode 100644 index 00000000..0eb51774 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity HR Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/33e7e266-a87e-454d-8e09-6d3e131d75ee')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/33e7e266-a87e-454d-8e09-6d3e131d75ee')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lowRisk = 1;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Low Sensitivity HR Information", + "enabled": false, + "description": "Display incidents in which low sensitive HR information was placed at risk by user sharing.", + "alertRuleTemplateName": "ef8654b1-b2cf-4f6c-ae5c-eca635a764e8" + } + } + ] +} \ No newline at end of file 
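Review bot: The `description` says "low sensitive HR information" while the sibling rules in this series use the "low sensitivity ... information" form; the Medium Sensitivity Financial rule has the same "medium sensitive" wording. For consistency this one should read `"description": "Display incidents in which low sensitivity HR information was placed at risk by user sharing."` and the Financial one "medium sensitivity financial information".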
From c5b748f770ffb0a292fc6e65a26002e040c54d60 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:24 +0000 Subject: [PATCH 107/375] Exported file: Cognni Incidents for Low Sensitivity Legal Information.json.json --- ...for Low Sensitivity Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json new file mode 100644 index 00000000..afb2cb58 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Low Sensitivity Legal Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/881f8a7b-1178-4f35-9b02-7fc5414ba7f8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lowRisk = 1;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == lowRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Low Sensitivity Legal Information", + "enabled": false, + "description": "Display incidents in which low sensitivity legal information was placed at risk by user sharing.", + "alertRuleTemplateName": "8374ec0f-d857-4c17-b1e7-93d11800f8fb" + } + } + ] +} \ No newline at end of file 
From 3280c43e0fcd050b9a8f0217bc6aee45c1d1fa98 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:24 +0000 Subject: [PATCH 108/375] Exported file: Cognni Incidents for Medium Sensitivity Business Information.json.json --- ...dium Sensitivity Business Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json new file mode 100644 index 00000000..6f89ae17 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Business Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/79061028-980a-4760-881b-52e79c1015c6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/79061028-980a-4760-881b-52e79c1015c6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mediumRisk = 2;\nlet business = 'Business Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == business\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Medium Sensitivity Business Information", + "enabled": false, + "description": "Display incidents in which medium sensitivity business information was placed at risk by user sharing.", + "alertRuleTemplateName": "2c286288-3756-4824-b599-d3c499836c11" + } + } + ] +} \ No newline at end of file 
From eb2ab556ea5ae367d290eb3273cf589b1af3b316 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:25 +0000 Subject: [PATCH 109/375] Exported file: Cognni Incidents for Medium Sensitivity Financial Information.json.json --- ...ium Sensitivity Financial Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json new file mode 100644 index 00000000..d4dd28c1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Financial Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b674088a-825a-4b49-ad10-7ffa5d483059')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b674088a-825a-4b49-ad10-7ffa5d483059')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mediumRisk = 2;\nlet financial = 'Financial Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == financial\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Medium Sensitivity Financial Information", + "enabled": false, + "description": "Display incidents in which medium sensitive financial information was placed at risk by user sharing.", + "alertRuleTemplateName": "d29b1d66-d4d9-4be2-b607-63278fc4fe6b" + } + } + ] +} \ No newline at end of file 
From 73dc193fc64a0793f33d3f8e0c9aa34bdb719ac9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:26 +0000 Subject: [PATCH 110/375] Exported file: Cognni Incidents for Medium Sensitivity Governance Information.json.json --- ...um Sensitivity Governance Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json new file mode 100644 index 00000000..2d01b1d4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Governance Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f740a0e2-386b-4470-8b13-284d2ee5dce5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f740a0e2-386b-4470-8b13-284d2ee5dce5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mediumRisk = 2;\nlet goverence = 'Goverence Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == goverence\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Medium Sensitivity Governance Information", + "enabled": false, + "description": "Display incidents in which medium sensitivity governance information was placed at risk by user sharing.", + "alertRuleTemplateName": "c1d4a005-e220-4d06-9e53-7326a22b8fe4" + } + } + ] +} \ No newline at end of file 
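Review bot: The query filters on `let goverence = 'Goverence Information';`, a misspelling of the information type; the Low Sensitivity Governance rule in this series matches `'Governance Information'`, so if that is the value the connector writes, this rule can never fire, and because `triggerThreshold` is 0 an empty result simply produces nothing rather than an error. The two lines should be `let governance = 'Governance Information';` and `| where informationType_s == governance`. Since the comparison is `==`, the match is exact and case-sensitive; if the source value's casing is not guaranteed, `=~` is the safer operator.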
From c443bddcf0d73fab8bde029ec5835c485d7b85a1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:27 +0000 Subject: [PATCH 111/375] Exported file: Cognni Incidents for Medium Sensitivity HR Information.json.json --- ...for Medium Sensitivity HR Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json new file mode 100644 index 00000000..d70dd2e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity HR Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd536808-fae9-4fc6-b046-9cd28b7e9e19')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mediumRisk = 2;\nlet hr = 'HR Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == hr\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Medium Sensitivity HR Information", + "enabled": false, + "description": "Display incidents in which medium sensitivity HR information was placed at risk by user sharing.", + "alertRuleTemplateName": "75ff4f7d-0564-4a55-8b25-a75be951cde3" + } + } + ] +} \ No newline at end of file 
From 040b3d114a955a25b6373d3a221164f5b5ec07a4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:27 +0000 Subject: [PATCH 112/375] Exported file: Cognni Incidents for Medium Sensitivity Legal Information.json.json --- ... Medium Sensitivity Legal Information.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json diff --git a/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json new file mode 100644 index 00000000..18f5dc60 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Cognni Incidents for Medium Sensitivity Legal Information.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e4f6960-6e74-4b97-960b-6eca2383de68')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e4f6960-6e74-4b97-960b-6eca2383de68')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let mediumRisk = 2;\nlet legal = 'Legal Information';\nCognniIncidents_CL \n| where Severity == mediumRisk\n| where informationType_s == legal\n| where TimeGenerated >= ago(5h)\n| extend AccountCustomEntity = userId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Cognni Incidents for Medium Sensitivity Legal Information", + "enabled": false, + "description": "Display incidents in which medium sensitivity legal information was placed at risk by user sharing.", + "alertRuleTemplateName": "db750607-d48f-4aef-b238-085f4a9882f1" + } + } + ] +} \ No newline at end of file 
From 110c71631dc9a2617111c0e2eb1bf0c3a4bcce57 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:28 +0000 Subject: [PATCH 113/375] Exported file: CoreBackUp Deletion in correlation with other related security alerts.json.json --- ...on with other related security alerts.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json diff --git a/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json new file mode 100644 index 00000000..5c93e8a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/CoreBackUp Deletion in correlation with other related security alerts.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/41da3e01-b685-4352-bded-ae2646b20c5c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/41da3e01-b685-4352-bded-ae2646b20c5c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "SecurityAlert\n| extend Extprop = parse_json(ExtendedProperties)\n| extend Computer = iff(isnotempty(toupper(tostring(Extprop[\"Compromised Host\"]))), toupper(tostring(Extprop[\"Compromised Host\"])), tostring(parse_json(Entities)[0].HostName))\n| extend Account = iff(isnotempty(tolower(tostring(Extprop[\"User Name\"]))), tolower(tostring(Extprop[\"User Name\"])), tolower(tostring(Extprop[\"user name\"])))\n| extend IpAddress = tostring(parse_json(ExtendedProperties).[\"IpAddress\"]) \n| project TimeGenerated, AlertName, Computer, Account, IpAddress, ExtendedProperties\n| extend timestamp = TimeGenerated, Account, MachineName = Computer, IpAddress\n| join kind=inner\n(\nCoreAzureBackup\n| where State =~ \"Deleted\"\n| where OperationName =~ \"BackupItem\"\n| extend data = split(BackupItemUniqueId, \";\")\n| extend AzureLocation = data[0], VaultId=data[1], MachineName=data[2], DrivesBackedUp=data[3]\n| project timestamp = TimeGenerated, AzureLocation, VaultId, tostring(MachineName), DrivesBackedUp, State, BackupItemUniqueId, _ResourceId, OperationName, BackupItemFriendlyName\n)\non MachineName\n| project timestamp, AlertName, HostCustomEntity 
= MachineName, AccountCustomEntity = Account, ResourceCustomEntity = _ResourceId, IPCustomEntity = IpAddress, VaultId, AzureLocation, DrivesBackedUp, State, BackupItemUniqueId, OperationName, BackupItemFriendlyName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "CoreBackUp Deletion in correlation with other related security alerts", + "enabled": false, + "description": "This query will help detect attackers attempt to delete backup containers in correlation with other alerts that could have triggered to help possibly reveal more details of attacker activity. \nThough such an activity could be legitimate as part of business operation, some ransomware actors may perform such operation to cause interruption to regular business services.", + "alertRuleTemplateName": "011c84d8-85f0-4370-b864-24c13455aa94" + } + } + ] +} \ No newline at end of file From 324a37cba81b71787c0cd2824d392706c7f2bfee Mon Sep 17 00:00:00 2001 
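Review bot: The join key is case-mismatched: the alert side uppercases the host via `toupper(tostring(Extprop["Compromised Host"]))`, while the backup side takes `MachineName=data[2]` from `BackupItemUniqueId` as-is, and KQL `join ... on MachineName` compares strings case-sensitively, so a backup record whose machine name is not all upper case never correlates and the deletion goes unreported. Normalizing the right side with `| extend AzureLocation = data[0], VaultId=data[1], MachineName=toupper(tostring(data[2])), DrivesBackedUp=data[3]` (the later `tostring(MachineName)` wrap then becomes redundant) lines the two sides up. The fallback `tostring(parse_json(Entities)[0].HostName)` assumes the first entity of every alert is the host, which is not guaranteed across alert providers and is worth confirming for the alerts this rule is meant to catch. With `queryFrequency` and `queryPeriod` both `P1D`, any alert and any deletion for the same host anywhere in the last day are paired, which is a loose correlation; the description should state that window explicitly.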
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:29 +0000 Subject: [PATCH 114/375] Exported file: Correlate Unfamiliar sign-in properties and atypical travel alerts.json.json --- ...properties and atypical travel alerts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json diff --git a/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json new file mode 100644 index 00000000..bf47e8ba --- /dev/null +++ b/SentinelExported-AnalyticsRule/Correlate Unfamiliar sign-in properties and atypical travel alerts.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e545f53-bfa1-47e0-997d-d7f67d02eda4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let Alert1 = \nSecurityAlert\n| where AlertName == \"Unfamiliar sign-in properties\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert1Time = TimeGenerated\n| extend Alert1 = AlertName\n| extend Alert1Severity = AlertSeverity\n;\nlet Alert2 = \nSecurityAlert\n| where AlertName == \"Atypical travel\"\n| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend Alert2Time = TimeGenerated\n| extend Alert2 = AlertName\n| extend Alert2Severity = AlertSeverity\n| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))\n| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), \"|\", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))\n| extend CurrentIPAddress = 
tostring(parse_json(Entities)[1].Address)\n| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)\n;\nAlert1\n| join kind=inner Alert2 on UserPrincipalName\n| where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10\n| extend TimeDelta = Alert1Time - Alert2Time\n| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress\n| extend AccountCustomEntity = UserPrincipalName\n| extend IPCustomEntity = CurrentIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Correlate Unfamiliar sign-in properties and atypical travel alerts", + "enabled": false, + "description": "The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.", + "alertRuleTemplateName": "a3df4a32-4805-4c6d-8699-f3c888af2f67" + } + } + ] +} \ No newline at end of file From b7d374fa82c40fbcf981da91d0b6d55babd24eb1 Mon Sep 17 00:00:00 2001 
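Review bot: `CurrentLocation`/`CurrentIPAddress` and `PreviousLocation`/`PreviousIPAddress` are read by position (`parse_json(Entities)[1]` and `[2]`), which presumes a fixed entity order in the Atypical travel alert; if the provider emits entities in another order the columns come back empty and `IPCustomEntity` maps nothing, without any error. Selecting the IP entities by their type field (an `mv-expand` over `parse_json(Entities)` followed by a filter on the entity type) would be robust to ordering, though the entity schema is not visible here and should be checked first. `ExtendedProperties.["User Account"]` is used as the join key for both alert types; confirm it is populated for both `AlertName` values, since an empty `UserPrincipalName` on either side silently drops the pair from the inner join. The description's "within a +10m or -10m window" is the `abs(datetime_diff('minute', Alert1Time, Alert2Time)) <= 10` check and would read more clearly as "within 10 minutes of each other".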
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:30 +0000 Subject: [PATCH 115/375] Exported file: Create Incident for XDR Alerts (Critical & High).json.json --- ...dent for XDR Alerts (Critical & High).json | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json new file mode 100644 index 00000000..6e26ee7c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Critical & High).json 
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bde332b1-a602-44eb-b834-99dc1e0b42d9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bde332b1-a602-44eb-b834-99dc1e0b42d9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'high' or modelSeverity_s == 'critical'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "Create Incident for XDR Alerts (Critical & High)", + "enabled": false, + 
"description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Critical & High Serverity Alerts)", + "alertRuleTemplateName": "0febd8cc-1b8d-45ed-87b3-e1e8a57d14cd" + } + } + ] +} \ No newline at end of file From 70f5a67259c0391d00d485e1098d5c953efe5a58 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:30 +0000 Subject: [PATCH 116/375] Exported file: Create Incident for XDR Alerts (Medium & Low).json.json --- ...ncident for XDR Alerts (Medium & Low).json | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json diff --git a/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json new file mode 100644 index 00000000..912fc84b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Create Incident for XDR Alerts (Medium & Low).json 
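Review bot: `let threshold = 100;` in the query is never referenced, so the rule fires on every high/critical Workbench row and the variable only suggests a filter that does not exist; either drop the line or apply it after the `modelSeverity_s` filter. The IP entity is fed from `impactScope_host_s` while the Host entity takes `impactScope_hostname_s`; from the column names alone it is not clear that `impactScope_host_s` holds an address rather than a host identifier, so confirm against the Trend Micro XDR connector schema before mapping it to `IP.Address`. The description also misspells "Severity" as "Serverity".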
@@ -0,0 +1,75 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc94a765-bab8-4692-9cec-86978582f1b8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc94a765-bab8-4692-9cec-86978582f1b8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet threshold = 100;\nTrendMicro_XDR_CL \n| where modelSeverity_s == 'medium' or modelSeverity_s == 'low'\n| extend AccountCustomEntity = impactScope_account_s, HostCustomEntity = impactScope_hostname_s, IPCustomEntity = impactScope_host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": null, + "techniques": null, + "displayName": "Create Incident for XDR Alerts (Medium & Low)", + "enabled": false, + 
"description": "This Query creates an incident based on Trend Micro XDR Workbench Alerts and maps the impacted entities for Microsoft Sentinel usage. (Medium & Low Serverity Alerts)", + "alertRuleTemplateName": "00282588-11e7-436d-90e8-011256c3c691" + } + } + ] +} \ No newline at end of file From 34973a3997fc98c390edbc8bd0f83aa410b3f7f4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:31 +0000 Subject: [PATCH 117/375] Exported file: Creation of expensive computes in Azure.json.json --- ...eation of expensive computes in Azure.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json diff --git a/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json new file mode 100644 index 00000000..f4c5db53 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Creation of expensive computes in Azure.json 
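Review bot: The rule is scoped to `modelSeverity_s == 'medium' or modelSeverity_s == 'low'` but sets `"severity": "High"`, so every medium/low Workbench alert becomes a High-severity Sentinel incident, indistinguishable from the Critical & High rule; `"severity": "Medium"` (or `"Low"`) keeps incident severity aligned with the source. As in the sibling rule, `let threshold = 100;` is unused and should be removed. "Serverity" in the description is a typo.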
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99d7dd4b-3f78-4f82-b514-82a22fe2eb3a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Low", + "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationList = dynamic([\"microsoft.compute/virtualmachines/write\", \"microsoft.resources/deployments/write\"]);\nAzureActivity\n| where tolower(OperationNameValue) in (operationList)\n| where ActivityStatusValue == \"Accepted\" \n| where isnotempty(Properties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotempty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfile)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ComputerName, vmSize\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": 
"PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Creation of expensive computes in Azure", + "enabled": false, + "description": "Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to evade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions", + "alertRuleTemplateName": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3" + } + } + ] +} \ No newline at end of file From 74c6e20d2ed55b02b78ac2283e651da3dc0d44ed Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:32 +0000 Subject: [PATCH 118/375] Exported file: Credential added after admin consented to Application.json.json --- ... after admin consented to Application.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json 
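Review bot: With `"triggerOperator": "GreaterThan"` and `"triggerThreshold": 1`, a single expensive VM creation in the daily window produces no alert — two or more matching rows are required; if one creation is meant to be reportable, use `"triggerThreshold": 0`. The `clientIpAddress` extended from `HTTPRequest` is dropped by the following `project` and never used, while the entity is mapped from `CallerIpAddress`; remove the dead extend or use it. The tactic is `DefenseEvasion`, but the description's stated concern is cryptomining, which maps to Impact (Resource Hijacking) — consider adding `"Impact"` to `tactics`.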
diff --git a/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json new file mode 100644 index 00000000..c2f0b7c9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Credential added after admin consented to Application.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c22319a-c4d1-411e-8764-72a96333f21e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c22319a-c4d1-411e-8764-72a96333f21e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P2D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let auditLookbackStart = 2d;\nlet auditLookbackEnd = 1d;\nAuditLogs\n| where TimeGenerated >= ago(auditLookbackStart)\n| where OperationName =~ \"Consent to application\" \n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetResourceType = tostring(target.type)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend isAdminConsent = targetModifiedProp[0].newValue\n| extend Consent_ServicePrincipalNames = targetModifiedProp[5].newValue\n| extend Consent_Permissions = targetModifiedProp[4].newValue\n| extend Consent_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Consent_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| join ( \nAuditLogs\n| where TimeGenerated >= ago(auditLookbackEnd)\n| where OperationName =~ \"Add service principal credentials\"\n| where Result =~ 
\"success\"\n| mv-expand target = TargetResources\n| extend targetResourceName = tostring(target.displayName)\n| extend targetResourceID = tostring(target.id)\n| extend targetModifiedProp = TargetResources[0].modifiedProperties\n| extend Credential_KeyDescription = targetModifiedProp[0].newValue\n| extend UpdatedProperties = targetModifiedProp[1].newValue\n| extend Credential_ServicePrincipalNames = targetModifiedProp[2].newValue\n| extend Credential_InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend Credential_InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n) on targetResourceName, targetResourceID\n| extend TimeConsent = TimeGenerated, TimeCred = TimeGenerated1\n| where TimeConsent > TimeCred \n| project TimeConsent, TimeCred, Consent_InitiatingUserOrApp, Credential_InitiatingUserOrApp, targetResourceName, targetResourceType, isAdminConsent, Consent_ServicePrincipalNames, Credential_ServicePrincipalNames, Consent_Permissions, Credential_KeyDescription, Consent_InitiatingIpAddress, Credential_InitiatingIpAddress\n| extend timestamp = TimeConsent, AccountCustomEntity = Consent_InitiatingUserOrApp, IPCustomEntity = Consent_InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Credential added after admin consented to Application", + "enabled": false, + "description": "This query will identify instances where Service Principal credentials were added to an application by one user after the application was granted admin consent rights by another user.\n If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\n Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow.\n For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities", + "alertRuleTemplateName": "707494a5-8e44-486b-90f8-155d1797a8eb" + } + } + ] +} \ No newline at end of file From d3f5524b630d51c316055f29ad7970cb389bfbe3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:32 +0000 Subject: [PATCH 119/375] Exported file: Critical Threat Detected.json.json --- .../Critical Threat Detected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Critical Threat Detected.json diff --git a/SentinelExported-AnalyticsRule/Critical Threat Detected.json b/SentinelExported-AnalyticsRule/Critical Threat Detected.json new file mode 100644 index 00000000..4a9bdb5e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Critical Threat Detected.json 
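Review bot: The filter `| where TimeConsent > TimeCred` keeps rows where the consent event is later than the credential addition, which is the opposite of the display name and description ("credentials were added ... after the application was granted admin consent"); either the comparison should be `| where TimeCred > TimeConsent` or the description should be corrected, and given the asymmetric lookbacks (consent 2d, credential 1d) the current direction looks unintended. The description also claims "by one user ... by another user", but nothing compares `Consent_InitiatingUserOrApp` with `Credential_InitiatingUserOrApp`; add `| where Consent_InitiatingUserOrApp != Credential_InitiatingUserOrApp` if that distinction is intended, or drop it from the text. The `targetModifiedProp[0..5]` ordinal indexing relies on audit-log property order and will silently yield wrong values if that order changes. Entity mappings cover only the consent initiator; the account that added the credential is arguably the more useful one to surface.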
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0ae05016-a937-41c9-92ab-9c347b0ea127')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0ae05016-a937-41c9-92ab-9c347b0ea127')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 8;\nCarbonBlackNotifications_CL\n| where threatHunterInfo_score_d >= threshold\n| extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d\n| project-away count_\n| extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", 
+ "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Critical Threat Detected", + "enabled": false, + "description": "This creates an incident in the event a critical threat was identified on a Carbon Black managed endpoint.", + "alertRuleTemplateName": "2ca4e7fc-c61a-49e5-9736-5da8035c47e0" + } + } + ] +} \ No newline at end of file From 89756c76a71c0eb2341994ff996525064f0206a4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:33 +0000 Subject: [PATCH 120/375] Exported file: DEV-0322 Serv-U related IOCs - July 2021.json.json --- ...-0322 Serv-U related IOCs - July 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json diff --git a/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json new file mode 100644 index 00000000..ba92a046 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DEV-0322 Serv-U related IOCs - July 2021.json 
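Review bot: `"tactics": ["LateralMovement"]` is not supported by the query or description — the rule forwards any Carbon Black notification with `threatHunterInfo_score_d >= 8` regardless of technique — so incidents will be mislabelled in MITRE views; leave `tactics` null or derive it from the notification content. The `summarize ... count()` followed by `| project-away count_` only deduplicates; `summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by ...` without the `count()` does the same in one step. `External_IP` is carried through but not mapped; a second IP entity mapping for it would help triage.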
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a21f9398-0e6d-4d8a-a9cf-4becee5853b0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/DEV-0322_SolarWinds_Serv-U_IoC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet process = (iocs | where Type =~ \"process\" | project IoC);\nlet parentprocess = (iocs | where Type =~ \"parentprocess\" | project IoC);\nlet IPList = (iocs | where Type =~ \"ip\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or RequestURL has_any (IPList) or Message has_any (IPList)\n| project TimeGenerated, SourceIP, DestinationIP, Message, SourceUserID, RequestURL, Type\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (IPList), \"RequestUrl\",\"NoMatch\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == 
\"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, IPMatch == \"RequestUrl\", RequestURL, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) \n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, ProcessName, SourceIp, DestinationIp, DestinationPort, RemoteDnsQuestions, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer, ProcessCustomEntity = ProcessName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") , AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", 
SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) \n| project TimeGenerated, UserAgent, Operation, RecordType, UserId, ClientIP, AlertDetail = 'Dev-0322 IOC match', Type\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, AlertDetail = 'Dev-0322 IOC match', UrlCustomEntity =RemoteUrl, ProcessCustomEntity = InitiatingProcessFileName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| project TimeGenerated, Computer, CommunicationDirection, SourceIP, DestinationIP, SourcePort, DestinationPort, Type\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\"), AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, AlertDetail = 'Dev-0322 IOC match'\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where SourceHost in (IPList)\n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, AlertDetail = 'Dev-0322 IOC match'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ParentImage = EventDetail.[20].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where ( ParentImage has_any (parentprocess) and Image has_any (process))\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256,Image, ParentImage \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, 
InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = CommandLineIP\n),\n(DeviceProcessEvents\n| extend CommandLineIP = extract(IPRegex, 0,InitiatingProcessCommandLine)\n| where (InitiatingProcessFileName in (process) and InitiatingProcessParentFileName in (parentprocess)) or CommandLineIP in (IPList)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, 
InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type, CommandLineIP, AccountName\n| extend Account = AccountName, Computer = DeviceName, IPAddress = CommandLineIP, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, AlertDetail = 'Dev-0322 IOC match'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash, IPCustomEntity = IPAddress\n),\n( SecurityEvent\n| where EventID == 4688\n| extend CommandLineIP = extract(IPRegex, 0, CommandLine)\n| where CommandLineIP in (IPList) or (NewProcessName has_any (process) and ParentProcessName has_any (parentprocess))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type, CommandLine, CommandLineIP\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, AlertDetail = 'Dev-0322 IOC match', IPCustomEntity = CommandLineIP\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "DEV-0322 Serv-U related IOCs - July 2021", + "enabled": false, + "description": "Identifies a match across IOC's related to DEV-0322 targeting SolarWinds Serv-U software.", + "alertRuleTemplateName": "4759ddb4-2daf-43cb-b34e-d85b85b4e4a5" + } + } + ] +} \ No newline at end of file From fd0f56870fccdb3181cb08f3df6223f74fee251d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:34 +0000 Subject: [PATCH 121/375] Exported file: DNS events related to ToR proxies (Normalized DNS).json.json --- ...lated to ToR proxies (Normalized DNS).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json new file mode 100644 index 00000000..c67b1c6b --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies (Normalized DNS).json 
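Review bot: The IOC list is fetched at every run via `externaldata(...)` from `raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, so the detection's content depends on a mutable remote branch at query time: an unavailable or altered file silently changes what the rule matches. Pin the URL to a commit hash or import the CSV into a Sentinel watchlist and read it with `_GetWatchlist(...)`. In the `CommonSecurityLog` branch the `where` uses `RequestURL has_any (IPList)` but the `IPMatch` case uses `RequestURL in (IPList)`, so a URL-only hit falls through to `"NoMatch"` and the literal string `NoMatch` becomes the IP entity; use `RequestURL has_any (IPList)` in the case as well. The Sysmon branch that reads `EventDetail.[20]` as `ParentImage` has no `EventID == 1` filter, so the ordinal is presumably applied to other Sysmon event types where that position is unlikely to be the parent image.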
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e52f7d5-cb46-4880-9b3a-279444078bcf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e52f7d5-cb46-4880-9b3a-279444078bcf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let torProxies=dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nimDns(domain_has_any=torProxies)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "DNS events related to ToR proxies (Normalized DNS)", + "enabled": false, + "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "3fe3c520-04f1-44b8-8398-782ed21435f8" + } + } + ] +} \ No newline at end of file From 25848d0cf05bbf4bc366b081ffdf25afffb2adda Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:35 +0000 Subject: [PATCH 122/375] Exported file: DNS events related to ToR proxies.json.json --- .../DNS events related to ToR proxies.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json diff --git a/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json new file mode 100644 index 00000000..dce92719 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to ToR proxies.json 
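Review bot: The entityMappings of this rule expose only Host and IP, so the proxy domain that actually matched (the `DnsQuery` field the imDns parser returns) never reaches the alert and cannot be pivoted on. Add a third mapping next to the two existing ones, `{ "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "DnsQuery" } ] }`, and keep `DnsQuery` in the final `extend`. Note also that `domain_has_any` is term-based, so an entry such as `onion.to` matches any query containing those adjacent terms, subdomains included; that is presumably intended but should be stated in the description so tuning is easier.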
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3e0c16d9-b987-4982-8917-261b9b619c83')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3e0c16d9-b987-4982-8917-261b9b619c83')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "DNS events related to ToR proxies", + "enabled": false, + "description": "Identifies IP addresses performing DNS lookups associated with common ToR proxies.", + "alertRuleTemplateName": "a83ef0f4-dace-4767-bce3-ebd32599d2a0" + } + } + ] +} \ No newline at end of file From 729281c60e4396e4c0b7f45aa8b48245cba8c7da Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:36 +0000 Subject: [PATCH 123/375] Exported file: DNS events related to mining pools (Normalized DNS).json.json --- ...ated to mining pools (Normalized DNS).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json new file mode 100644 index 00000000..e374d5a5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools (Normalized DNS).json 
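Review bot: `HostCustomEntity = Computer` maps the Host entity to the machine that logged the DnsEvents row, which for this table is normally the DNS server rather than the client that issued the lookup, so the incident will point analysts at the resolver; the requesting host is represented only by `ClientIP`. Either drop the Host mapping or document that it is the resolver, and add a DNS entity so the matched name survives into the alert: `{ "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "Name" } ] }`. The `| where Name contains "."` pre-filter appears redundant given that every indicator in the `has_any` list is a dotted domain.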
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/edec3f95-3e38-4140-a078-96c6bf105d1a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/edec3f95-3e38-4140-a078-96c6bf105d1a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let minersDomains=dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", 
\"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\"]);\nimDns(domain_has_any=minersDomains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "DNS events related to mining pools (Normalized DNS)", + "enabled": false, + "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "c094384d-7ea7-4091-83be-18706ecca981" + } + } + ] +} \ No newline at end of file From 8e10fc81818cd5a0b4d7fc0854657f8e8dec7624 Mon Sep 17 00:00:00 2001 
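Review bot: The `minersDomains` list carries duplicate entries (`supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice) and a near-duplicate pair `extrmepool.org` / `extremepool.org`, which leaves it unclear whether the misspelling is a deliberate lookalike indicator or a typo; deduplicate the list and annotate any intentional lookalikes in the description. `mooo.com` looks like a free dynamic-DNS apex rather than a mining pool, so that entry will match every host registered under it and is a likely false-positive source even at Low severity; confirm it is wanted. As in the other DNS rules, the matched name is not mapped as an entity, so add `{ "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "DnsQuery" } ] }` beside the Host and IP mappings.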
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:36 +0000 Subject: [PATCH 124/375] Exported file: DNS events related to mining pools.json.json --- .../DNS events related to mining pools.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/DNS events related to mining pools.json diff --git a/SentinelExported-AnalyticsRule/DNS events related to mining pools.json b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json new file mode 100644 index 00000000..09a469a5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/DNS events related to mining pools.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a37d6c4a-630f-40f1-8ed7-85033c97b226')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a37d6c4a-630f-40f1-8ed7-85033c97b226')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nDnsEvents\n| where Name contains \".\"\n| where Name has_any (\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \n\"xmrget.com\", \"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \n\"supportxmr.com\", \"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \n\"gntl.co.uk\", \"semipool.com\", \"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \n\"coinpoolit.webhop.me\", \"nanopool.org\", \"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \n\"extrmepool.org\", \"webcoin.me\", \"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \n\"dwarfpool.com\", \"hash-to-coins.com\", \"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", 
\"litecoinpool.org\", \"mineshaft.ml\", \"abcxyz.stream\", \n\"moneropool.ru\", \"cryptonotepool.org.uk\", \"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \n\"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\", \"shscrypto.net\")\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "DNS events related to mining pools", + "enabled": false, + "description": "Identifies IP addresses that may be performing DNS lookups associated with common currency mining pools.", + "alertRuleTemplateName": "0d76e9cf-788d-4a69-ac7d-f234826b5bed" + } + } + ] +} \ No newline at end of file From 8f3a6ff5c472619f6e46b3846f76531f4ec72ff8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:37 +0000 Subject: [PATCH 125/375] Exported file: Detect PIM Alert Disabling activity.json.json --- .../Detect PIM Alert Disabling activity.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json 
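Review bot: This query repeats the indicator list from the normalized variant verbatim, including its duplicated entries (`supportxmr.com`, `xmrpool.eu`, `hashvault.pro`) and the broad `mooo.com` dynamic-DNS apex, so every cleanup has to be made in two places; moving the list into a watchlist and querying it with `_GetWatchlist('MiningPools')` in both rules would keep them in sync. The alert identifies the lookup only by `ClientIP` and `Computer`, and `Computer` in DnsEvents is normally the logging DNS server rather than the requester, so map the queried name as well: `{ "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "Name" } ] }`.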
diff --git a/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json new file mode 100644 index 00000000..9628cbd3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Detect PIM Alert Disabling activity.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f41c2cf0-14ea-42fb-a07e-c7514a198d17')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n 'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = 
tolower(InitiatedBy), ResourceCustomEntity = ResourceId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Detect PIM Alert Disabling activity", + "enabled": false, + "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access", + "alertRuleTemplateName": "1f3b4dfd-21ff-4ed3-8e27-afc219e05c50" + } + } + ] +} \ No newline at end of file From bd3382f3c268de95b9573fd3f82ab6ff37731d9e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:38 +0000 Subject: [PATCH 126/375] Exported file: Dev-0228 File Path Hashes November 2021 - ASIM.json.json --- ...File Path Hashes November 2021 - ASIM.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json 
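Review bot: `UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)` in the second `extend` assigns the initiator's IP address to a column named UserRoles, which reads like a copy-paste slip; the column is then dropped by the following `project`, so it is dead but misleading to the next maintainer. Either remove the clause so the `extend` ends at the `InitiatedBy` expression, or, if the initiator's roles are wanted, source them from the right property and add `UserRoles` to the `project` list. The `IpAddress` case expression already handles both user- and app-initiated events, so for service-principal initiators the Account entity's FullName will be an app display name rather than a UPN; worth a sentence in the description.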
diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json new file mode 100644 index 00000000..46c7c8c6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021 - ASIM.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74893bd0-8ffa-4e9f-83a5-58ed055824bc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nimFileEvent\n| where ((FilePath has_any (files1)) and (ActingProcessSHA256 has_any (FileHash1))) or ((FilePath has_any (files2)) and (ActingProcessSHA256 has_any (FileHash2)))\n// Increase risk score if recent alerts for the host\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| 
mv-expand todynamic(Entities)\n| extend DvcId = tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = ActorUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Dev-0228 File Path Hashes November 2021 - ASIM", + "enabled": false, + "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.\n This query uses the Microsoft Sentinel Information Model - https://docs.microsoft.com/azure/sentinel/normalization", + "alertRuleTemplateName": "29a29e5d-354e-4f5e-8321-8b39d25047bf" + } + } + ] +} \ No newline at end of file 
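Review bot: The `leftouter` join on `DvcId` can fan out: the SecurityAlert side is `mv-expand`ed over `Entities` and then only projected, so a device with several MDATP alerts (or an alert with several device entities) contributes one row per entity, and each matching file event is emitted that many times with possibly different AlertRiskScore values. Collapse the alert side to one row per device before joining by replacing `| project DvcId, AlertRiskScore) on DvcId` with `| summarize AlertRiskScore = max(AlertRiskScore) by DvcId) on DvcId`. The description calls this a hunting query, but it is deployed here as a High-severity scheduled rule on a PT6H cadence; the text should say which it is.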
From ccf347d86babebbe8600c8a53698d955ac3f3d76 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:38 +0000 Subject: [PATCH 127/375] Exported file: Dev-0228 File Path Hashes November 2021.json.json --- ...v-0228 File Path Hashes November 2021.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json diff --git a/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json new file mode 100644 index 00000000..55d5f3f7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Dev-0228 File Path Hashes November 2021.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8931ab6f-b308-4242-9876-014014c6b8ff')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8931ab6f-b308-4242-9876-014014c6b8ff')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let files1 = dynamic([\"C:\\\\Windows\\\\TAPI\\\\lsa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pa.exe\", \"C:\\\\Windows\\\\TAPI\\\\pc.exe\", \"C:\\\\Windows\\\\TAPI\\\\Rar.exe\"]);\nlet files2 = dynamic([\"svchost.exe\",\"wdmsvc.exe\"]);\nlet FileHash1 = dynamic([\"43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\", \"ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\", \"010e32be0f86545e116a8bc3381a8428933eb8789f32c261c81fd5e7857d4a77\", \"56cd102b9fc7f3523dad01d632525ff673259dbc9a091be0feff333c931574f7\"]);\nlet FileHash2 = dynamic([\"2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\", \"9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\", \"18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\"]);\nDeviceProcessEvents\n| where ( FolderPath has_any (files1) and SHA256 has_any (FileHash1)) or (FolderPath has_any (files2) and SHA256 has_any (FileHash2))\n| extend DvcId = DeviceId\n| join kind=leftouter (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| mv-expand todynamic(Entities)\n| extend DvcId = 
tostring(parse_json(Entities).MdatpDeviceId)\n| where isnotempty(DvcId)\n// Higher risk score are for Defender alerts related to threat actor\n| extend AlertRiskScore = iif(ThreatName has_any (\"Backdoor:MSIL/ShellClient.A\", \"Backdoor:MSIL/ShellClient.A!dll\", \"Trojan:MSIL/Mimikatz.BA!MTB\"), 1.0, 0.5)\n| project DvcId, AlertRiskScore) on DvcId\n| extend AlertRiskScore = iif(isempty(AlertRiskScore), 0.0, AlertRiskScore)\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution" + ], + "techniques": null, + "displayName": "Dev-0228 File Path Hashes November 2021", + "enabled": false, + "description": "This hunting query looks for file paths/hashes related to observed activity by Dev-0228. The actor is known to use custom version of popular tool like PsExec, Procdump etc. to carry its activity.\n The risk score associated with each result is based on a number of factors, hosts with higher risk events should be investigated first.", + "alertRuleTemplateName": "3b443f22-9be9-4c35-ac70-a94757748439" + } + } + ] +} \ No newline at end of file From 36c5172d45ae78cc56ae568d0b1870539c474948 Mon Sep 17 00:00:00 2001 
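Review bot: Same fan-out as the ASIM variant: after `mv-expand todynamic(Entities)` the alert side can hold several rows per `DvcId`, and the `leftouter` join then duplicates every matching DeviceProcessEvents row; replace `| project DvcId, AlertRiskScore) on DvcId` with `| summarize AlertRiskScore = max(AlertRiskScore) by DvcId) on DvcId`. The join also assumes `DeviceId` from DeviceProcessEvents and `MdatpDeviceId` from the alert entity are the same identifier, which looks right for Defender for Endpoint data but deserves a comment, e.g. `// DeviceId and MdatpDeviceId are both the MDE device id`. `AlertRiskScore` is computed but there is no customDetails mapping in this rule, so the ranking the description promises is visible only in raw query results, not on the incident.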
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:39 +0000 Subject: [PATCH 128/375] Exported file: Distributed Password cracking attempts in AzureAD.json.json --- ...Password cracking attempts in AzureAD.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json diff --git a/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json new file mode 100644 index 00000000..ce24093f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Distributed Password cracking attempts in AzureAD.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4e451694-0fbc-4df8-83ca-1cbc82d3e019')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet s_threshold = 30;\nlet l_threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where OperationName =~ \"Sign-in activity\"\n// Error codes that we want to look at as they are related to the use of incorrect password.\n| where ResultType in (\"50126\", \"50053\" , \"50055\", \"50056\")\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend LocationString = strcat(tostring(LocationDetails.countryOrRegion), \"/\", tostring(LocationDetails.state), \"/\", tostring(LocationDetails.city))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), LocationCount=dcount(LocationString), Location = make_set(LocationString), \nIPAddress = make_set(IPAddress), IPAddressCount = dcount(IPAddress), AppDisplayName = make_set(AppDisplayName), ResultDescription = make_set(ResultDescription), \nBrowser = make_set(Browser), OS = make_set(OS), SigninCount = count() by 
UserPrincipalName, Type \n// Setting a generic threshold - Can be different for different environment\n| where SigninCount > s_threshold and LocationCount >= l_threshold\n| extend tostring(Location), tostring(IPAddress), tostring(AppDisplayName), tostring(ResultDescription), tostring(Browser), tostring(OS)\n| distinct *\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Distributed Password cracking attempts in AzureAD", + "enabled": false, + "description": "Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.\nThe query looks for unusually high number of failed password attempts coming from multiple locations for a user account.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.\n50055 Invalid password, entered expired password.\n50056 Invalid or null password - Password does not exist in store for this user.\n50126 Invalid username or 
password, or invalid on-premises username or password.", + "alertRuleTemplateName": "bfb1c90f-8006-4325-98be-c7fffbc254d6" + } + } + ] +} \ No newline at end of file From c0546be54d3b7293522f2cbc4ecb0c6a8c81b304 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:40 +0000 Subject: [PATCH 129/375] Exported file: Duplicate Rule DisplayName 1 (1).json.json --- .../Duplicate Rule DisplayName 1 (1).json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json new file mode 100644 index 00000000..ff5257a6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1 (1).json 
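Review bot: `Status = todynamic(DeviceDetail)` in the first `extend` parses the DeviceDetail column a second time instead of the `Status` column, so `StatusCode` and `StatusDetails` are read from the wrong JSON and come back empty; the fix is `Status = todynamic(Status)`. Those two columns are not consumed by the summarize, so the slip is harmless today, but it will bite the first person who adds them to the output. Separately, `IPCustomEntity = IPAddress` is assigned after `make_set` and `tostring`, so the IP entity receives a JSON array string such as `["1.2.3.4","5.6.7.8"]` rather than an address and is unlikely to resolve as an IP entity; `mv-expand` the set before mapping, or map a single address. `| distinct *` after a summarize is redundant and can go.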
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/927ca451-fe12-4de3-983d-bd50cc359b7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/927ca451-fe12-4de3-983d-bd50cc359b7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CampaignInfo", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [], + "techniques": [], + "displayName": "Duplicate Rule DisplayName 1", + "enabled": true, + "description": "", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From db57f703efbf8c8d14cf5581d47a8c080bdad54f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:41 +0000 Subject: [PATCH 130/375] Exported file: Duplicate Rule DisplayName 1.json.json --- .../Duplicate Rule DisplayName 1.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json 
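Review bot: `"enabled": true` is combined with a `query` that is just the bare table name `CampaignInfo` and no predicate, so once deployed this rule raises a Medium-severity alert every five hours whenever the table holds any row at all; it reads like a placeholder that should ship as `"enabled": false` or carry a real filter. The sibling file `Duplicate Rule DisplayName 1.json` in the next hunk has the same shape with `CommonSecurityLog` as its whole query. Both rules also have an empty or self-referential `description`, no `entityMappings`, empty `tactics`/`techniques`, and share one `displayName`, which makes their incidents indistinguishable in the queue. If they are fixtures for the export tooling's duplicate-name handling, a comment-free JSON cannot say so, so the `description` field is the place to state it.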
diff --git a/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json new file mode 100644 index 00000000..75316020 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Duplicate Rule DisplayName 1.json @@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63d1052b-e396-4366-a76f-4665b4b8f319')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63d1052b-e396-4366-a76f-4665b4b8f319')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5H", + "queryPeriod": "PT5H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "Medium", + "query": "CommonSecurityLog", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "tactics": [], + "techniques": [], + "displayName": "Duplicate Rule DisplayName 1", + "enabled": true, + "description": "Duplicate Rule DisplayName 1", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From d306b7c564f4a1cc39ebaeea8dd42d6d754d5f49 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:41 +0000 Subject: [PATCH 131/375] Exported file: Email access via active sync.json.json --- .../Email access via active sync.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Email access via active sync.json diff --git a/SentinelExported-AnalyticsRule/Email access via active sync.json b/SentinelExported-AnalyticsRule/Email access via active sync.json new file mode 100644 index 00000000..2f367c0d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Email access via active sync.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/215089a8-4173-47cc-801b-56f449b9e978')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/215089a8-4173-47cc-801b-56f449b9e978')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\nlet cmdList = dynamic([\"Set-CASMailbox\",\"ActiveSyncAllowedDeviceIDs\",\"add\"]);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| project Type, TimeGenerated, Computer, Account, SubjectDomainName, SubjectUserName, Process, ParentProcessName, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessCommandLine has_all (cmdList)\n| project Type, TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = AccountName, HostCustomEntity = DeviceName\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend 
Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| where TimeGenerated >= ago(timeframe)\n| where CommandLine has_all (cmdList)\n| extend Type = strcat(Type, \": \", Source)\n| project Type, TimeGenerated, Computer, User, Process, ParentImage, CommandLine\n| extend timestamp = TimeGenerated, AccountCustomEntity = User, HostCustomEntity = Computer\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Email access via active sync", + "enabled": false, + "description": "This query detects attempts to add attacker devices as allowed IDs for active sync using the Set-CASMailbox command.\nThis technique was seen in relation to Solorigate attack but the results can indicate potential malicious activity used in different attacks.\n- Note that this query can be changed to use the KQL \"has_all\" operator, which hasn't yet been documented officially, but will be soon.\n In short, \"has_all\" will only match when the referenced field has all strings in the list.\n- Refer to Set-CASMailbox syntax: https://docs.microsoft.com/powershell/module/exchange/set-casmailbox?view=exchange-ps", + "alertRuleTemplateName": 
"2f561e20-d97b-4b13-b02d-18b34af6e87c" + } + } + ] +} \ No newline at end of file From 91002d108c164a5e35f305c6e146aa9694a7ddf5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:42 +0000 Subject: [PATCH 132/375] Exported file: Excessive Amount of Denied Connections from a Single Source.json.json --- ...nied Connections from a Single Source.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json diff --git a/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json new file mode 100644 index 00000000..5a4748f5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Amount of Denied Connections from a Single Source.json 
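Review bot: The `description` still says the query "can be changed to use the KQL has_all operator, which hasn't yet been documented officially", but all three branches already use it (`| where CommandLine has_all (cmdList)` and `| where InitiatingProcessCommandLine has_all (cmdList)`), so that paragraph is stale and should be dropped or rewritten to state the current behaviour. `"techniques": null` while `tactics` is set leaves the rule without an ATT&CK technique ID for coverage mapping; the same applies to the exports at L356, L358, L360, L362, L364 and L368, where a technique array alongside the tactic would make the coverage reports useful. The Sysmon branch filters with `TimeGenerated > ago(timeframe)` where the other two use `>=`, a small inconsistency worth aligning. Allow-listing an ActiveSync device on a mailbox is account manipulation for persistence rather than privilege escalation, so the `"PrivilegeEscalation"` tactic is worth confirming against the template.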
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b42fd648-56d8-405b-8303-ecbf32e7f3be')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b42fd648-56d8-405b-8303-ecbf32e7f3be')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 5000;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\" and Status =~ \"Deny\"\n| summarize count() by Src_IP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Excessive Amount of Denied Connections from a Single Source", + "enabled": false, + "description": "This creates an incident in the event that a single source IP address generates a excessive amount of denied connections.", + "alertRuleTemplateName": "3d645a88-2724-41a7-adea-db74c439cf79" + } + } + ] +} \ No newline at end of 
file From 545ef5f94a9942b812269ca5fad7f898b2f618d2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:43 +0000 Subject: [PATCH 133/375] Exported file: Excessive Denied Proxy Traffic.json.json --- .../Excessive Denied Proxy Traffic.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json diff --git a/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json new file mode 100644 index 00000000..7ff20617 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Denied Proxy Traffic.json 
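Review bot: The `description` reads `generates a excessive amount of denied connections`; it should be `an excessive amount`. The query's `let threshold = 5000;` per 5-minute `Src_IP` bin is the only tuning knob and the description does not mention it, whereas the ASIM variant at L370 tells the operator how the threshold affects sensitivity; the same sentence would help here, for example `Modify the threshold (5000 denied connections per 5 minutes per source IP) to tune sensitivity.` The description-only change belongs in the rule's `description` property since JSON has no comments.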
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f25caf39-8a25-48d1-b564-3098bfb1a4b3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 100;\nSymantecProxySG \n| where sc_filter_result =~ \"DENIED\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host\n| where count_ > threshold\n| extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Excessive Denied Proxy Traffic", + "enabled": false, + "description": "This alert creates an incident when a client generates an excessive 
amounts of denied proxy traffic.", + "alertRuleTemplateName": "7a58b253-0ef2-4248-b4e5-c350f15a8346" + } + } + ] +} \ No newline at end of file From 29fae426733b48470e714a66da74f210e55c930a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:44 +0000 Subject: [PATCH 134/375] Exported file: Excessive Failed Authentication from Invalid Inputs.json.json --- ...ed Authentication from Invalid Inputs.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json diff --git a/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json new file mode 100644 index 00000000..d8b18864 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Failed Authentication from Invalid Inputs.json 
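Review bot: The `Host` entity mapping binds `FullName` to `HostCustomEntity = cs_host`, but in this connector `cs_host` is, as far as I can tell, the destination host requested through the proxy rather than a machine in the monitored estate, so incidents will attach a "host" entity that is really a remote domain and any host-based enrichment or automation will act on the wrong object. If that reading is right, map it as a DNS entity instead, e.g. `"entityType": "DNS"` with `"identifier": "DomainName"`, keeping `c_ip` as the IP entity. The `description` also reads `an excessive amounts of denied proxy traffic`; it should be `an excessive amount`.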
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6926bd2-1c73-494e-b193-b5853be6b838')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6926bd2-1c73-494e-b193-b5853be6b838')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 15;\nSymantecVIP\n| where isnotempty(RADIUSAuth)\n| where RADIUSAuth =~ \"Reject\"\n| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP\n| where Total > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Excessive Failed Authentication from Invalid Inputs", + "enabled": false, + "description": "Creates an incident in the event that a 
user generates an excessive amount of failed authentications due to invalid inputs, indications of a potential brute force.", + "alertRuleTemplateName": "c775a46b-21b1-46d7-afa6-37e3e577a27b" + } + } + ] +} \ No newline at end of file From 85a7483b7edd6ecfbda075fd6a7099d08010b91f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:44 +0000 Subject: [PATCH 135/375] Exported file: Excessive NXDOMAIN DNS Queries (Normalized DNS).json.json --- ...NXDOMAIN DNS Queries (Normalized DNS).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json new file mode 100644 index 00000000..642acc92 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries (Normalized DNS).json 
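Review bot: `| summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP` counts rejections per user–IP pair, so many low-count failures spread across different users from one `ClientIP` never reach `threshold = 15` and the rule stays silent on a spray pattern even though the description frames it as brute-force detection. A second aggregation keyed on `ClientIP` alone, or a `dcount(User)` per `ClientIP` with its own threshold, would close that gap without changing this rule's existing per-user behaviour. `| where isnotempty(RADIUSAuth)` is redundant with the following `| where RADIUSAuth =~ "Reject"` and can be dropped.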
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4515ed4c-edac-40b7-9ba0-1e96b7db4572')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let threshold = 200;\nimDns(responsecodename='NXDOMAIN')\n| where isnotempty(DnsResponseCodeName)\n//| where DnsResponseCodeName =~ \"NXDOMAIN\"\n| summarize count() by SrcIpAddr, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (imDns(responsecodename='NXDOMAIN')\n ) on SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Excessive NXDOMAIN DNS Queries (Normalized DNS)", + "enabled": false, + "description": "This creates an incident in the event a client generates excessive amounts of DNS queries for 
non-existent domains. \nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)", + "alertRuleTemplateName": "c3b11fb2-9201-4844-b7b9-6b7bf6d9b851" + } + } + ] +} \ No newline at end of file From 36a3bbcbc899974a8204630be87f2d811a6a78e6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:45 +0000 Subject: [PATCH 136/375] Exported file: Excessive NXDOMAIN DNS Queries.json.json --- .../Excessive NXDOMAIN DNS Queries.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json diff --git a/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json new file mode 100644 index 00000000..8a17da24 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive NXDOMAIN DNS Queries.json 
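Review bot: `| join kind=inner (imDns(responsecodename='NXDOMAIN') ) on SrcIpAddr` fans each aggregated (SrcIpAddr, 15m bin) row back out to every NXDOMAIN event from that source across the whole query period, so a single noisy source produces at least `threshold` rows per exceeded bin and the parser is evaluated twice; the join also leaves the right side's timestamp as `TimeGenerated1`, so `extend timestamp = TimeGenerated` silently keeps the bin start. Either drop the join (the summarize already carries the source and the window) or add the window to the join key so each row only pulls back its own events, e.g. `| join kind=inner (imDns(responsecodename='NXDOMAIN') | extend TimeGenerated = bin(TimeGenerated, 15m)) on SrcIpAddr, TimeGenerated`. The commented-out `//| where DnsResponseCodeName =~ "NXDOMAIN"` line and the `isnotempty(DnsResponseCodeName)` filter are both redundant with the `responsecodename` parameter. The non-normalized `InfobloxNIOS` rule at L364 has the same unbounded join on `Client_IP`.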
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/25bd255a-bf5e-4c83-b39f-fb8570442411')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/25bd255a-bf5e-4c83-b39f-fb8570442411')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 200;\nInfobloxNIOS\n| where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n| where isnotempty(ResponseCode)\n| where ResponseCode =~ \"NXDOMAIN\"\n| summarize count() by Client_IP, bin(TimeGenerated,15m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"named\" and Log_Type =~ \"client\"\n | where isnotempty(ResponseCode)\n | where ResponseCode =~ \"NXDOMAIN\"\n ) on Client_IP\n| extend timestamp = TimeGenerated, IPCustomEntity = Client_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Excessive NXDOMAIN DNS Queries", + "enabled": false, + 
"description": "This creates an incident in the event a client generates excessive amounts of DNS queries for non-existent domains.", + "alertRuleTemplateName": "b8266f81-2715-41a6-9062-42486cbc9c73" + } + } + ] +} \ No newline at end of file From bc0287dc73e43bb4ef9fc13291f485384d23a46f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:46 +0000 Subject: [PATCH 137/375] Exported file: Excessive Windows logon failures.json.json --- .../Excessive Windows logon failures.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive Windows logon failures.json diff --git a/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json new file mode 100644 index 00000000..9d2bb8c5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive Windows logon failures.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5178c35e-cf89-4442-b41b-ff963659f9a5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5178c35e-cf89-4442-b41b-ff963659f9a5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 0.333;\nlet countlimit = 50;\nSecurityEvent\n| where TimeGenerated >= ago(endtime)\n| where EventID == 4625 and AccountType =~ \"User\"\n| where IpAddress !in (\"127.0.0.1\", \"::1\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, Process\n| join kind=leftouter (\n SecurityEvent \n | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n | where EventID == 4625 and AccountType =~ \"User\"\n | where IpAddress !in (\"127.0.0.1\", \"::1\")\n | summarize CountPrev7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress\n| where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit\n//SubStatus Codes are detailed here - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4625\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 
'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| extend WorkstationName = iff(WorkstationName == \"-\" or isempty(WorkstationName), Computer , WorkstationName) \n| project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2), Process\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) \nby EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName, Process\n| order by sum_CountToday desc nulls last \n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Excessive Windows logon failures", + "enabled": false, + "description": "User has 
over 50 Windows logon failures today and at least 33% of the count of logon failures over the previous 7 days.", + "alertRuleTemplateName": "2391ce61-8c8d-41ac-9723-d945b2e90720" + } + } + ] +} \ No newline at end of file From fe9adceaa3d9e2e8633693e271877eb83a005eaf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:46 +0000 Subject: [PATCH 138/375] Exported file: Excessive number of failed connections from a single source (ASIM Network Session schema).json.json --- ... source (ASIM Network Session schema).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json diff --git a/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json new file mode 100644 index 00000000..1471296f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Excessive number of failed connections from a single source (ASIM Network Session schema).json 
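Review bot: The left side of the comparison is summarized `by ... IpAddress, Process` while the 7-day side and the join key stop at `IpAddress`, so when an account's failures today come from several processes each per-process `CountToday` is tested against the account's whole `CountPrev7day`, which appears to make the 33% ratio harder to reach than the description states; either add `Process` to the baseline summarize and join key, or drop it from the today-side grouping. `let starttime = 8d;` and `let endtime = 1d;` duplicate `queryPeriod: P8D` and `queryFrequency: P1D`, so if someone later tunes the rule's schedule the query still compares a fixed 1-day window against a fixed 8-day window and can re-alert the same failures on every run. `Computer = make_set(Computer,128)` turns that column into an array in the output, which is fine for display but worth noting since the host entity is taken from `WorkstationName` instead.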
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7b90ebc-9243-4837-bc04-15808d6fffdf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7b90ebc-9243-4837-bc04-15808d6fffdf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let threshold = 5000;\nimNetworkSession(eventresult='Failure')\n| summarize Count=count() by SrcIpAddr, bin(TimeGenerated,5m)\n| where Count > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Excessive number of failed connections from a single source (ASIM Network Session schema)", + "enabled": false, + "description": "This rule identifies that a single source generates an excessive amount of failed connections. 
Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.

This rule uses the [Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any network session source that complies with ASIM. To use this Analytics Rule, [deploy the Advanced SIEM information Model (ASIM)](https://aka.ms/DeployASIM).", + "alertRuleTemplateName": "4902eddb-34f7-44a8-ac94-8486366e9494" + } + } + ] +} \ No newline at end of file From 921df5e6383f641867848f5b370201e7948f6484 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:47 +0000 Subject: [PATCH 139/375] Exported file: Exchange AuditLog disabled.json.json --- .../Exchange AuditLog disabled.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json diff --git a/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json new file mode 100644 index 00000000..cfee7baa --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange AuditLog disabled.json 
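Review bot: `techniques` is null while `tactics` lists Impact, so the rule carries no ATT&CK technique into the incidents it creates; the same gap is in the Exchange AuditLog disabled, OAB webshell, ProxyShell (1), March 2021 IoC Match and MailItemsAccessed hunks that follow. Thousands of failed sessions from one source within a 5-minute bin could be scanning or denial of service, so the SOC should pick the technique it intends and set it in the populated form the later ProxyShell export uses (`"techniques": ["T1190"]` there). Separately, `queryPeriod` equals `queryFrequency` (PT1H) while the query bins by 5 minutes, so the first and last bins of each run are partial and can sit under the 5000 threshold with no overlapping run to catch them; a `queryPeriod` longer than the frequency, or a bin aligned to the run window, closes that edge.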
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7d192e4-4786-463b-acef-ae7ea5569a06')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7d192e4-4786-463b-acef-ae7ea5569a06')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nOfficeActivity\n| where UserType in~ (\"Admin\",\"DcAdmin\") \n// Only admin or global-admin can disable audit logging\n| where Operation =~ \"Set-AdminAuditLogConfig\" \n| extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value)\n| where AdminAuditLogEnabledValue =~ \"False\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Exchange AuditLog disabled", + "enabled": false, + "description": "Identifies when the exchange audit logging has been disabled which may be an adversary attempt\nto evade detection or avoid other defenses.", + "alertRuleTemplateName": "194dd92e-d6e7-4249-85a5-273350a7f5ce" + } + } + ] +} \ No newline at end of file From f9a3fca8f746a22c357e51a09373e6eb573b8667 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:48 +0000 Subject: [PATCH 140/375] Exported file: Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json.json --- ...tribute Containing Potential Webshell.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json diff --git a/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json new file mode 100644 index 00000000..0cb51c74 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange OAB Virtual Directory Attribute Containing Potential Webshell.json 
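Review bot: The `AdminAuditLogEnabledValue` extraction depends on the parameter sitting at index 3 of `Parameters` (`array_slice(parse_json(Parameters),3,3)`), so any change in parameter order, or a `Set-AdminAuditLogConfig` call that passes fewer switches, makes the rule silently miss the disablement it exists to catch. Selecting the entry by name is order-independent: `| mv-expand Param = parse_json(Parameters)`, `| where tostring(Param.Name) =~ "AdminAuditLogEnabled"`, `| extend AdminAuditLogEnabledValue = tostring(Param.Value)` — this presumes each entry carries a `Name` beside the `Value` the current code already reads; confirm against a real event before switching. Note also that `queryFrequency` and `queryPeriod` are both P1D, so an admin turning off audit logging surfaces up to a day later; a DefenseEvasion signal this cheap to evaluate can run hourly.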
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6e2aa27-43bc-45b2-b96d-48b735364839')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6e2aa27-43bc-45b2-b96d-48b735364839')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "SecurityEvent\n// Look for specific Directory Service Changes and parse data\n| where EventID == 5136\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion = array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\n// Where changes relate to Exchange OAB\n| extend ObjectClass = column_ifexists(\"ObjectClass\", \"\")\n| where ObjectClass =~ \"msExchOABVirtualDirectory\"\n// Look for InternalHostName or ExternalHostName properties being changed\n| extend AttributeLDAPDisplayName = column_ifexists(\"AttributeLDAPDisplayName\", \"\")\n| where AttributeLDAPDisplayName in (\"msExchExternalHostName\", \"msExchInternalHostName\")\n// Look for suspected webshell activity\n| extend AttributeValue = column_ifexists(\"AttributeValue\", \"\")\n| where AttributeValue has \"script\"\n| project-rename LastSeen = TimeGenerated\n| extend ObjectDN = column_ifexists(\"ObjectDN\", \"\")\n| project-reorder 
LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange OAB Virtual Directory Attribute Containing Potential Webshell", + "enabled": false, + "description": "This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\nwhere the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns", + "alertRuleTemplateName": "faf1a6ff-53b5-4f92-8c55-4b20e9957594" + } + } + ] +} \ No newline at end of file From 939d1f34f93804448b1fc330cdb9a901b1df90e2 Mon Sep 17 00:00:00 2001 
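Review bot: Event 5136 is recorded for both the addition and the deletion of an attribute value and the query does not distinguish them, so this alert fires again when the modified `msExchExternalHostName`/`msExchInternalHostName` value is removed during remediation, with nothing in the projected columns to tell the two apart. The 5136 payload carries an `OperationType` field; unpacking and projecting it alongside the others, `| extend OperationType = column_ifexists("OperationType", "")`, lets analysts separate deployment from cleanup, or filter on it if only additions should alert. `AttributeValue has "script"` is the entire detection predicate and deserves a comment saying so — `has` is a case-insensitive whole-term match anywhere in the value, which is broad by design but should be stated next to the line rather than left for the reader to infer.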
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:49 +0000 Subject: [PATCH 141/375] Exported file: Exchange SSRF Autodiscover ProxyShell - Detection (1).json.json --- ...todiscover ProxyShell - Detection (1).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json new file mode 100644 index 00000000..f884c9ec --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection (1).json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26de50a-8f22-4454-ae13-6442ac7decad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26de50a-8f22-4454-ae13-6442ac7decad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": 
null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection", + "enabled": false, + "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95" + } + } + ] +} \ No newline at end of file From 5569a0caa24ca6cf9adae48a7a3a3fe5a01a6c77 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:49 +0000 Subject: [PATCH 142/375] Exported file: Exchange SSRF Autodiscover ProxyShell - Detection.json.json --- ...F Autodiscover ProxyShell - Detection.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json diff --git a/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json new file mode 100644 index 00000000..54b461bc --- /dev/null 
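Review bot: This rule is a second copy of the one exported in the next hunk — same `alertRuleTemplateName` 968358d6-6af8-49bb-aaa4-187b3067fb95 and an identical query — under a different rule id (b26de50a-… here versus 64ce2f23-… there), disabled, and without the technique and AzureResource mapping the other copy carries. Two instances of one template in a workspace drift apart (they already differ in suppression, grouping lookback and entity coverage), and a disabled duplicate is easy to mistake for coverage; the `(1)` in the file name suggests this is the accidental one, so delete it or state in `description` why both exist. If it is kept, `ipv4_is_private(cIP) == False` deserves a comment that internal sources are excluded by design, since the same request pattern proxied from inside the network will not be seen.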
+++ b/SentinelExported-AnalyticsRule/Exchange SSRF Autodiscover ProxyShell - Detection.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64ce2f23-eab3-4e96-899a-bd2403d21a86')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64ce2f23-eab3-4e96-899a-bd2403d21a86')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT12H", + "queryPeriod": "PT12H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "let successCodes = dynamic([200, 302, 401]);\nW3CIISLog\n| where scStatus has_any (successCodes)\n| where ipv4_is_private(cIP) == False\n| where csUriStem hasprefix \"/autodiscover/autodiscover.json\"\n| project TimeGenerated, cIP, sIP, sSiteName, csUriStem, csUriQuery, Computer, csUserName, _ResourceId, FileUri\n| where (csUriQuery !has \"Protocol\" and isnotempty(csUriQuery))\nor (csUriQuery has_any(\"/mapi/\", \"powershell\"))\nor (csUriQuery contains \"@\" and csUriQuery matches regex @\"\\.[a-zA-Z]{2,4}?(?:[a-zA-Z]{2,4}\\/)\")\nor (csUriQuery contains \":\" and csUriQuery matches regex @\"\\:[0-9]{2,4}\\/\")\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP, AccountCustomEntity = csUserName, ResourceCustomEntity = _ResourceId, FileCustomEntity = FileUri", + "suppressionDuration": "PT5H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + 
"groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "AzureResource", + "fieldMappings": [ + { + "identifier": "ResourceId", + "columnName": "ResourceCustomEntity" + } + ] + } + ], + "templateVersion": "1.0.1", + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190" + ], + "displayName": "Exchange SSRF Autodiscover ProxyShell - Detection", + "enabled": true, + "description": "This query looks for suspicious request patterns to Exchange servers that fit patterns recently\nblogged about by PeterJson. This exploitation chain utilises an SSRF vulnerability in Exchange\nwhich eventually allows the attacker to execute arbitrary Powershell on the server. In the example\npowershell can be used to write an email to disk with an encoded attachment containing a shell.\nReference: https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "alertRuleTemplateName": "968358d6-6af8-49bb-aaa4-187b3067fb95" + } + } + ] +} \ No newline at end of file From 1b7f215f4c28abfc08c5f12fdd4cddc46048e2d6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:50 +0000 Subject: [PATCH 143/375] Exported file: Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json.json --- ...lities Disclosed March 2021 IoC Match.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json 
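Review bot: `queryFrequency` and `queryPeriod` are both PT12H on a rule that is `enabled: true`, so an Autodiscover SSRF probe against an exposed Exchange server can take up to twelve hours to alert, and because the two durations are equal there is no overlap between runs — requests whose ingestion lags the run boundary are never evaluated. For an InitialAccess/T1190 rule watching internet-facing servers, an hourly or shorter frequency with a `queryPeriod` longer than the frequency is the usual shape. `suppressionDuration: "PT5H"` is inert while `suppressionEnabled` is false, and `lookbackDuration: "PT5H"` is inert while grouping is disabled; either enable them or leave the defaults so the export does not read as if suppression is in force. `aggregationKind: "SingleAlert"` also folds every matching request in the window into one alert with one set of entities, which loses per-source context when several clients probe at once; `AlertPerResult` is the alternative if analysts need that separation.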
diff --git a/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json new file mode 100644 index 00000000..d1e23e0c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange Server Vulnerabilities Disclosed March 2021 IoC Match.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb2153ae-e569-42cf-8467-40f05affa51f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb2153ae-e569-42cf-8467-40f05affa51f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet file_paths = (iocs | where Type =~ \"filepath\" | project IoC);\nlet sha256s = (iocs | where Type =~ \"sha256\" | project IoC);\nlet ips = (iocs | where Type =~ \"ip\" | project IoC);\nlet domains = (iocs | where Type =~ \"domainname\" | project IoC);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(imFileEvent\n| where TargetFileName in (file_paths)\n or\n TargetFileSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where FolderPath in (file_paths)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(DeviceEvents\n| where 
InitiatingProcessSHA256 in (sha256s)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountName, HostCustomEntity = DeviceName\n),\n(CommonSecurityLog\n| where FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' *\n| where SHA256 in~ (sha256s)\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where (SourceIP in (ips) or DestinationIP in (ips) or Message has_any (ips)) or (RequestURL has_any (domains))\n| extend IPMatch = case(SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"Message\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\")\n),\n(VMConnection\n| where isnotempty(SourceIp) or isnotempty(DestinationIp)\n| where SourceIp in (ips) or DestinationIp in (ips)\n| extend IPMatch = case( SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID 
== 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(WireData\n| where isnotempty(RemoteIP)\n| where RemoteIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(\nDeviceNetworkEvents\n| where (RemoteIPType =~ \"Public\" and RemoteUrl has_any (domains)) or (isnotempty(RemoteIP) and RemoteIP in (ips))\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(\nWindowsFirewall\n| where SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(\nDnsEvents\n| where SubType =~ \"LookupQuery\"\n| where Name has_any (domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer\n),\n(\nimDns(domain_has_any=domains)\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Dvc\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Exchange Server Vulnerabilities Disclosed March 2021 IoC Match", + "enabled": false, + "description": "This detection look for IoCs shared by Microsoft relating to attacks exploiting the Exchange Server vulnerabilities disclosed in March 2021. It looks for SHA256 file hashes, IP addresses and file paths in a number of data sources. This query can also be customized with additional data sources that may include these elements.\nRef: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/", + "alertRuleTemplateName": "d804b39c-03a4-417c-a949-bdbf21fa3305" + } + } + ] +} \ No newline at end of file From 42b57b6122e34881f32d611ad4237fc839a585c0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:51 +0000 Subject: [PATCH 144/375] Exported file: Exchange workflow MailItemsAccessed operation anomaly.json.json --- ...w MailItemsAccessed operation anomaly.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json diff --git a/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json new file mode 100644 index 00000000..1611fad8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Exchange workflow MailItemsAccessed operation anomaly.json 
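Review bot: `entityMappings` maps only `IPCustomEntity`, yet most branches of the union — SecurityEvent 4663, imFileEvent, DeviceFileEvents, DeviceEvents and the Sysmon hash branch — emit `AccountCustomEntity`/`HostCustomEntity` and no IP at all, so every file-path and hash hit produces an alert with no mapped entity and cannot be grouped or enriched. Add Account (`FullName` → `AccountCustomEntity`) and Host (`FullName` → `HostCustomEntity`) entries beside the IP mapping, in the same shape the neighbouring exports use. The `WindowsFirewall` branch computes `IPMatch` but never sets `IPCustomEntity` or `timestamp`; add `| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == "SourceIP", SourceIP, IPMatch == "DestinationIP", DestinationIP, "None")` as the VMConnection branch does. The IoC list is fetched with `externaldata` from raw.githubusercontent.com on every run, so the rule's output depends on an external fetch that is neither pinned to a commit nor integrity-checked; pin the URL to a specific commit or load the feed into a watchlist so the detection does not change or fail with the upstream file.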
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0021314-e49e-45d9-801f-e7bca20e9046')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0021314-e49e-45d9-801f-e7bca20e9046')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 1.5;\nlet percentthreshold = 50;\n// Preparing the time series data aggregated hourly count of MailItemsAccessd Operation in the form of multi-value array to use with time series anomaly function.\nlet TimeSeriesData =\nOfficeActivity\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n| project TimeGenerated, Operation, MailboxOwnerUPN\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project TimeGenerated, Total, baseline, anomalies, score;\n// Joining the flagged outlier from the previous step with the original dataset to 
present contextual information\n// during the anomalyhour to analysts to conduct investigation or informed decisions.\nTimeSeriesAlerts | where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe to retrive records associated with the hour of anomoly\n| join (\n OfficeActivity\n | where TimeGenerated > ago(2d)\n | extend DateHour = bin(TimeGenerated, 1h)\n | where OfficeWorkload=~ \"Exchange\" and Operation =~ \"MailItemsAccessed\" and ResultStatus =~ \"Succeeded\"\n | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) \n | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies\n | order by HourlyCount desc \n) on TimeGenerated\n| extend PercentofTotal = round(HourlyCount/Total, 2) * 100 \n| where PercentofTotal > percentthreshold // Filter Users with count of less than 5 percent of TotalEvents per Hour to remove FPs/ users with very low count of MailItemsAccessed events\n| order by PercentofTotal desc \n| project-reorder TimeGeneratedMax, Type, OfficeWorkload, Operation, UserId,SourceIPMax ,IPAdressList, ClientInfoStringList, HourlyCount, PercentofTotal, Total, baseline, score, anomalies\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "Exchange workflow MailItemsAccessed operation anomaly", + "enabled": false, + "description": "Identifies anomalous increases in Exchange mail items accessed operations.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive actions should be further investigated for malicious activity.\nManually change scorethreshold from 1.5 to 3 or higher to reduce the noise based on outliers flagged from the query criteria.\nRead more about MailItemsAccessed- https://docs.microsoft.com/microsoft-365/compliance/advanced-audit?view=o365-worldwide#mailitemsaccessed", + "alertRuleTemplateName": "b4ceb583-4c44-4555-8ecf-39f572e827ba" + } + } + ] +} \ No newline at end of file From dfb8af1f6697ea71f53ee4df888161270e94c44b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:52 +0000 Subject: [PATCH 145/375] Exported file: Explicit MFA Deny.json.json --- .../Explicit MFA Deny.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Explicit MFA Deny.json diff --git a/SentinelExported-AnalyticsRule/Explicit MFA Deny.json b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json new file mode 100644 index 00000000..441d5de3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Explicit MFA Deny.json 
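Review bot: The inline comment on the `PercentofTotal` filter says it drops users below 5 percent of the hourly total, but `percentthreshold` is 50, so either the comment or the constant is stale; make them agree, e.g. `// Keep only users whose share of the hourly total exceeds percentthreshold to remove FPs and low-volume accounts`. The `HourlyCount > 25` floor is the one tuning knob still hard-coded mid-query while `scorethreshold` and `percentthreshold` are `let` bindings at the top; hoisting it (`let minhourlycount = 25;`) matches the file's style and the tuning guidance in `description`. The query comments also carry typos (`anomoly`, `retrive`, `Positivies`), and `IPAdressList` is misspelled as a column name — renaming that one changes the output schema for anything consuming the alert, so note it rather than change it silently.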
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c655ec79-ccbb-4940-b53f-a1f0a6583a53')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == 500121\n| where Status has \"MFA Denied; user declined the authentication\"\n| extend Type = Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = ClientAppUsed\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { 
+ "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Explicit MFA Deny", + "enabled": false, + "description": "User explicitly denies MFA push, indicating that login was not expected and the account's password may be compromised.", + "alertRuleTemplateName": "a22740ec-fc1e-4c91-8de6-c29c6450ad00" + } + } + ] +} \ No newline at end of file From ac04c4543c8cb9cd500db895ed35abb92cceeb02 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:53 +0000 Subject: [PATCH 146/375] Exported file: External Upstream Source Added to Azure DevOps Feed.json.json --- ...eam Source Added to Azure DevOps Feed.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json diff --git a/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json new file mode 100644 index 00000000..7091dc03 --- /dev/null +++ b/SentinelExported-AnalyticsRule/External Upstream Source Added to Azure DevOps Feed.json 
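Review bot: The URL entity mapping in this hunk binds `URLCustomEntity = ClientAppUsed` to an entity of type URL with identifier `Url`, but ClientAppUsed in SigninLogs / AADNonInteractiveUserSignInLogs is a client category string ("Browser", "Mobile Apps and Desktop clients", …), not an address, so every incident will carry a URL entity whose value is not a URL. Either drop the third `entityMappings` element and the `URLCustomEntity` extend, or surface ClientAppUsed via `customDetails` instead of an entity. The query also carries a no-op line, `| extend Type = Type`, that can be removed. Minor: `ResultType` is a string column in both tables, so for consistency with the sibling rules in this series (`ResultType !in ("0", …)`) the filter would read `| where ResultType == "500121"`; confirm the current form is accepted before changing it.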
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba38e02e-2c7c-4744-9292-8df5f3fc28ac')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Add any known allowed sources and source locations to the filter below (the NuGet Gallery has been added here as an example).\nlet allowed_sources = dynamic([\"NuGet Gallery\"]);\nlet allowed_locations = dynamic([\"https://api.nuget.org/v3/index.json\"]);\nAzureDevOpsAuditing\n// Look for feeds created or modified at either the organization or project level\n| where OperationName matches regex \"Artifacts.Feed.(Org|Project).Modify\"\n| where Details has \"UpstreamSources, added\"\n| extend FeedName = tostring(Data.FeedName)\n| extend FeedId = tostring(Data.FeedId)\n| extend UpstreamsAdded = Data.UpstreamsAdded\n// As multiple feeds may be added expand these out\n| mv-expand UpstreamsAdded\n// Only focus on external feeds\n| where UpstreamsAdded.UpstreamSourceType !~ \"internal\"\n| extend SourceLocation = tostring(UpstreamsAdded.Location)\n| extend SourceName = tostring(UpstreamsAdded.Name)\n// Exclude sources and locations in the allow list\n| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)\n| extend SourceProtocol = tostring(UpstreamsAdded.Protocol)\n| extend SourceStatus = 
tostring(UpstreamsAdded.Status)\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, ProjectName, FeedName, SourceName, SourceLocation, SourceProtocol, ActorUPN, UserAgent, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "External Upstream Source Added to Azure DevOps Feed", + "enabled": false, + "description": "The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. \nAn attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.", + "alertRuleTemplateName": "adc32a33-1cd6-46f5-8801-e3ed8337885f" + } + } + ] +} \ No newline at end of file From 792516a27a32eb92e016a95de0de6d251e44db42 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:53 +0000 Subject: [PATCH 147/375] Exported file: External User Access Enabled.json.json --- .../External User Access Enabled.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External User Access Enabled.json 
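Review bot: The allow-list filter `| where SourceLocation !in (allowed_locations) and SourceName !in (allowed_sources)` drops a row as soon as either the name or the location is allow-listed, so an upstream whose free-text display name equals an allowed entry (e.g. "NuGet Gallery") but whose Location points somewhere else is never reported. The name is chosen by whoever adds the feed and is not an identity; the location is. Require both to match before suppressing: `| where SourceLocation !in (allowed_locations) or SourceName !in (allowed_sources)`, or simply filter on location alone. `!in` is case-sensitive, which is the safe direction here (a location differing only in case from the allow list is still reported), so it should not be relaxed to `!in~`.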
diff --git a/SentinelExported-AnalyticsRule/External User Access Enabled.json b/SentinelExported-AnalyticsRule/External User Access Enabled.json
new file mode 100644
index 00000000..1d8faa74
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/External User Access Enabled.json
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a649754e-0850-48be-af9d-9ae66e282259')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a649754e-0850-48be-af9d-9ae66e282259')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nZoomLogs \n| where Event =~ \"account.settings_updated\" \n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\") \n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\", \n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\", \n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\", \n EnforceLoginDomain == 'false', \"Enfored Domains Changed\", \n GuestAlerts == 'false', \"Guest Join Alerts Changed\", \n EnforceLogin == 'false', \"Enforced Logins Changed\", \n \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "External User Access Enabled", + "enabled": false, + "description": "This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.", + "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3" + } + } + ] +} \ No newline at end of file From af4d8d3f41909a036f736b80d77fd88e964b2579 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:54 +0000 Subject: [PATCH 148/375] Exported file: External guest invitations by default guest followed by Azure AD powershell signin.json.json --- ...ollowed by Azure AD powershell signin.json | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json diff --git a/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json new file mode 100644 index 00000000..35faf84e --- /dev/null +++ b/SentinelExported-AnalyticsRule/External guest invitations by default guest followed by Azure AD powershell signin.json 
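Review bot: `EnforceLogin` and `EnforceLoginDomain` are both read from the same column, `payload_object_settings_schedule_meeting_enfore_login_b`, so the two values are always identical, the domain-restriction setting is never examined, and the `case()` branches "Enforced Domains Changed", "Enfored Domains Changed" and "Enforced Logins Changed" are unreachable. `EnforceLoginDomain` should read the enforce-login-domains column, e.g. `| extend EnforceLoginDomain = columnifexists("<ZOOM_ENFORCE_LOGIN_DOMAINS_COLUMN>", "")` with the real column name taken from the ZoomLogs schema. Note also that the column name is spelled `enfore_login`; if the ingested column is actually `enforce_login`, `columnifexists` silently returns the "" default and the rule never fires, so the spelling should be verified against the connector output. The `_b` suffix suggests a boolean column being compared with the string `'false'`; confirm that comparison behaves as intended.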
@@ -0,0 +1,50 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/303d53fd-b132-45bc-9dc9-8852122a64b9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/303d53fd-b132-45bc-9dc9-8852122a64b9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AuditLogs \n| where OperationName in (\"Invite external user\", \"Bulk invite users - started (bulk)\",\"Invite external user with reset invitation status\")\n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| where InitiatedByUser has_any (\"live.com#\", \"#EXT#\")\n| extend parsedUser = iff(InitiatedByUser has \"live.com#\", tostring(split(InitiatedByUser, \"#\")[1]),tostring(split(InitiatedByUser, \"#EXT#\")[1])) , InvitationTime = TimeGenerated\n| join ( \nSigninLogs \n| where UserType == \"Guest\" and AppDisplayName == \"Microsoft Azure PowerShell\"\n| extend SigninTime = TimeGenerated\n) on $left.parsedUser == $right.UserPrincipalName\n| project InvitationTime, SigninTime, InitiatedByUser, OperationName, AppDisplayName , IPAddress, UserType\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + 
"lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess", + "Persistence", + "Discovery" + ], + "techniques": null, + "displayName": "External guest invitations by default guest followed by Azure AD powershell signin", + "enabled": false, + "description": "By default guests have capability to invite more external guest user, who can do suspicious Azure AD enumeration. This detection will first look at guests \ninviting external guests users who are then logging via Azure AD powershell after accpeting invitation.\nRef : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/", + "alertRuleTemplateName": "acc4c247-aaf7-494b-b5da-17f18863878a" + } + } + ] +} \ No newline at end of file From 227e8144020afaeb1633a3009058d438a0fead3e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:55 +0000 Subject: [PATCH 149/375] Exported file: External user added and removed in short timeframe.json.json --- ... added and removed in short timeframe.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json diff --git a/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json new file mode 100644 index 00000000..faba53c0 --- /dev/null +++ b/SentinelExported-AnalyticsRule/External user added and removed in short timeframe.json 
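Review bot: This rule has no `entityMappings` block, unlike every sibling rule in this series, and the query's final `project` keeps neither the guest's `UserPrincipalName` nor an `AccountCustomEntity`/`IPCustomEntity` column, so incidents will carry no Account or IP entities and entity-based grouping can never apply. Add the guest UPN and IPAddress to the projection, e.g. `| extend timestamp = InvitationTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress`, and mirror the Account/IP `entityMappings` used in the other rules. The join on `parsedUser` has no ordering constraint, so a PowerShell sign-in that happened before the invitation inside the one-day window still matches; `| where SigninTime > InvitationTime` after the join keeps the "invited, then signed in" sequence the description promises.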
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/048acbb1-a65f-405e-b6bd-da47b59dffa7')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/048acbb1-a65f-405e-b6bd-da47b59dffa7')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberAdded\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName\n| join (\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation =~ \"MemberRemoved\"\n| extend UPN = tostring(parse_json(Members)[0].UPN)\n| where UPN contains (\"#EXT#\")\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName\n) on UPN\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\n| extend timestamp = TimeAdded, AccountCustomEntity = UPN\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "External user added and removed in short timeframe", + "enabled": false, + "description": "This detection flags the occurances of external user accounts that are added to a Team and then removed within\none hour.", + "alertRuleTemplateName": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b" + } + } + ] +} \ No newline at end of file From d9545e98c239f84986401aa49154003c4b553a5f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:56 +0000 Subject: [PATCH 150/375] Exported file: Failed AWS Console logons but success logon to AzureAD.json.json --- ...e logons but success logon to AzureAD.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json diff --git a/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json new file mode 100644 index 00000000..9181a3df --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed AWS Console logons but success logon to AzureAD.json 
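Review bot: Both legs of the query read only the first member, `tostring(parse_json(Members)[0].UPN)`, so a MemberAdded or MemberRemoved event that lists several members reports at most one of them and misses external accounts at later indexes. Expand the array instead: `| mv-expand Member = parse_json(Members)` followed by `| extend UPN = tostring(Member.UPN)` on both sides of the join. Also note that with `queryPeriod` set to PT1H the add and remove must both fall inside the same hourly run, so a pair that straddles two runs is never paired even though it fits the "within one hour" wording of the description; a slightly longer period (e.g. PT2H) with the same `TimeDeleted > TimeAdded` check closes that gap if it is intended.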
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d6f670a3-6443-47c0-8c9e-387a1d0e58c0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where EventName == \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize count() by SourceIpAddress\n| where count_ > signin_threshold\n| summarize make_list(SourceIpAddress);\n//See if any of those IPs have sucessfully logged into Azure AD.\nSigninLogs\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails) \n| extend Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed AWS Console logons but success logon to AzureAD", + "enabled": false, + "description": "Identifies a list of IP addresses with a minimum numbe(default of 5) of failed logon attempts to AWS Console.\nUses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.", + "alertRuleTemplateName": "910124df-913c-47e3-a7cd-29e1643fa55e" + } + } + ] +} \ No newline at end of file From 763c496b73a2fb544d1ad2f88198b2b03d748747 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:56 +0000 Subject: [PATCH 151/375] Exported file: Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json.json --- ... logon to AWS Console, test-6_30_2022.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json new file mode 100644 index 00000000..a21c7140 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to AWS Console, test-6_30_2022.json 
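Review bot: The Azure AD leg filters `| where ResultType !in ("0", "50125", "50140")`, which keeps failed and interrupted sign-ins and excludes successes, the opposite of what the preceding query comment ("See if any of those IPs have sucessfully logged into Azure AD"), the displayName and the description state; as written the rule correlates AWS console failures with AAD failures. It should be `| where ResultType == "0"` (or `in ("0", "50125", "50140")` if interrupted sign-ins are meant to count as success). The sibling rules at L405 and L408 use the `!in` form correctly because there the AAD leg is the failure side. Minor: the AWS leg excludes only `"127.0.0.1"`, while the AAD-side rules also exclude `"::1"`; aligning the loopback filter keeps the pair of rules symmetric.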
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/835a2032-8b67-4e89-a5c6-2d3c04526a70')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/835a2032-8b67-4e89-a5c6-2d3c04526a70')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Adjust this threshold to fit your environment\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold\nlet aadFunc = (tableName:string){\nlet Suspicious_signins = \ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in (\"127.0.0.1\", \"::1\")\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\nSuspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet Suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into the AWS console\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin) \n| where LoginResult =~ \"Success\"\n| where SourceIpAddress in (Suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)\n| extend User = iif(isempty(UserIdentityUserName), UserIdentityType, 
UserIdentityUserName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Reason, LoginResult, EventTypeName, UserIdentityType, User, AWSRegion, SourceIpAddress, UserAgent, MFAUsed\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = SourceIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed AzureAD logons but success logon to AWS Console, test-6/30/2022", + "enabled": false, + "description": "Identifies a list of IP addresses with a minimum number(defualt of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful AWS Console logons from these IPs within the same timeframe.", + "alertRuleTemplateName": "643c2025-9604-47c5-833f-7b4b9378a1f5" + } + } + ] +} \ No newline at end of file From eed43357230b209d20d7e565ab34b1e4628b660b Mon Sep 17 00:00:00 2001 
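Review bot: The displayName "Failed AzureAD logons but success logon to AWS Console, test-6/30/2022" and the file name carry a test-date suffix, which suggests this export is a test copy of template 643c2025-9604-47c5-833f-7b4b9378a1f5 rather than a production rule; the suffix surfaces in incident titles, so if the rule is meant to stay it should be renamed to match the template name. In the query, the outer `let Suspicious_signins = union isfuzzy=true aadSignin, aadNonInt | summarize make_set(set_IPAddress);` reuses the name already bound inside `aadFunc`, which works but reads as if the inner table were being referenced; a distinct name such as `suspicious_ips` makes the two stages easier to follow.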
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:57 +0000 Subject: [PATCH 152/375] Exported file: Failed AzureAD logons but success logon to host.json.json --- ...reAD logons but success logon to host.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json diff --git a/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json new file mode 100644 index 00000000..ea33b6f1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed AzureAD logons but success logon to host.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1dbb9018-2cb3-4818-87e0-8a4a5a1980dc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Adjust this threshold to fit the environment\nlet signin_threshold = 5;\n//Make a list of all IPs with failed signins to AAD above our threshold\nlet aadFunc = (tableName:string){\nlet suspicious_signins =\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress !in ('127.0.0.1', '::1')\n| summarize count() by IPAddress\n| where count_ > signin_threshold\n| summarize make_set(IPAddress);\n//See if any of these IPs have sucessfully logged into *nix hosts\nlet linux_logons =\nSyslog\n| where Facility contains \"auth\" and ProcessName != \"sudo\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Computer, HostIP, IpAddress = SourceIP, SyslogMessage, Facility, ProcessName, Reason;\n//See if any of these IPs have sucessfully logged into Windows hosts\nlet win_logons =\nSecurityEvent\n| where EventID == 4624\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| 
where IpAddress in (suspicious_signins)\n| extend Reason = \"Multiple failed AAD logins from IP address\"\n| project TimeGenerated, Account, AccountType, Computer, Activity, EventID, LogonProcessName, IpAddress, LogonTypeName, TargetUserSid, Reason;\nunion isfuzzy=true linux_logons,win_logons\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, IPCustomEntity = IpAddress, HostCustomEntity = Computer\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed AzureAD logons but success logon to host", + "enabled": false, + "description": "Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.\nUses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.", + "alertRuleTemplateName": "8ee967a2-a645-4832-85f4-72b635bcb3a6" + } + } + ] +} \ No newline at end of file From eee75f4539f1446370096501953f44e3a08208ff Mon Sep 17 00:00:00 2001 
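Review bot: The Syslog leg derives the client address with an IPv4-only pattern, `extract("(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", 1, SyslogMessage)`, so a successful SSH logon from an IPv6 address that appears in `suspicious_signins` is never matched, even though the AAD leg deliberately handles `::1` and the Windows leg compares `IpAddress` directly. The pattern also captures the first dotted quad anywhere in the message, which for "Accepted … from <ip> port <n>" is the peer address but would mis-attribute any message that embeds another address earlier. Anchoring on the sshd wording and allowing hex/colon characters is more robust, e.g. `| extend SourceIP = extract("from ([0-9a-fA-F:.]+) port", 1, SyslogMessage)`; the enclosing `aadFunc` starts in the previous line of the hunk.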
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:58 +0000 Subject: [PATCH 153/375] Exported file: Failed Logins from Unknown or Invalid User.json.json --- ...d Logins from Unknown or Invalid User.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json diff --git a/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json new file mode 100644 index 00000000..bb0c0a75 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed Logins from Unknown or Invalid User.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/432364d6-323c-41fb-a646-12ae79e3d321')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/432364d6-323c-41fb-a646-12ae79e3d321')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed Logins from Unknown or Invalid User", + "enabled": false, + "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name", + "alertRuleTemplateName": "884be6e7-e568-418e-9c12-89229865ffde" + } + } + ] +} \ No newline at end of file From b26ca6f261540c22cf79b1fe742978a840c67469 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:59 +0000 Subject: [PATCH 154/375] Exported file: Failed host logons but success logon to AzureAD.json.json --- ...t logons but success logon to AzureAD.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json diff --git a/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json new file mode 100644 index 00000000..d6444aad --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed host logons but success logon to AzureAD.json 
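Review bot: `| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s` at the end of the query falls back to the query's execution time when `published_t` is absent, so the alert's event time would reflect when the rule ran rather than when the Okta events occurred. If `published_t` can genuinely be missing in some `Okta_CL` schemas, `| extend timestamp = column_ifexists('published_t', TimeGenerated), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s` keeps the timestamp tied to the event (the `summarize`/`sort` expressions above it are a separate question and are left as they are). Separately, `Okta_CL | join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s` runs before the `eventType_s`/`outcome_reason_s` filter, so the whole hour of `Okta_CL` is joined and only then reduced; applying that `where` before the join does the same work on far fewer rows.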
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef59b89-0b97-4fca-99d0-6b3f861142cf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Adjust this threshold to fit environment\nlet signin_threshold = 5; \n//Make a list of IPs with failed Windows host logins above threshold\nlet win_fails = \nSecurityEvent\n| where EventID == 4625\n| where LogonType in (10, 7, 3)\n| where IpAddress != \"-\"\n| summarize count() by IpAddress\n| where count_ > signin_threshold\n| summarize make_list(IpAddress);\n//Make a list of IPs with failed *nix host logins above threshold\nlet nix_fails = \nSyslog\n| where Facility contains 'auth' and ProcessName != 'sudo'\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage)\n| where SourceIP != \"\" and SourceIP != \"127.0.0.1\"\n| summarize count() by SourceIP\n| where count_ > signin_threshold\n| summarize make_list(SourceIP);\n//See if any of the IPs with failed host logins hve had a sucessful Azure AD login\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (win_fails) or IPAddress in (nix_fails)\n| extend Reason= \"Multiple failed host logins from IP address with successful Azure AD login\"\n| extend 
timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed host logons but success logon to AzureAD", + "enabled": false, + "description": "Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.\nUses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.", + "alertRuleTemplateName": "1ce5e766-26ab-4616-b7c8-3b33ae321e80" + } + } + ] +} \ No newline at end of file From c3a14a57c5d89a9e5cf11676bb2d3dd9b0065a81 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:16:59 +0000 Subject: [PATCH 155/375] Exported file: Failed login attempts to Azure Portal.json.json --- ...Failed login attempts to Azure Portal.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json 
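Review bot: `nix_fails` in the query never filters for a failure message: after `| where Facility contains 'auth' and ProcessName != 'sudo'` every auth-facility line that carries a dotted-quad, including successful SSH logons, is counted toward `signin_threshold`, so the "failed *nix host logins" list the comment describes can contain IPs that only ever succeeded. A message filter before the `extract`, e.g. `| where SyslogMessage has_any ("authentication failure", "Failed password")` (confirm the wording against the auth daemons in the environment), would bring it in line with the Windows side, which restricts to `EventID == 4625`. Minor: the closing `| extend timstamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type` misspells `timestamp`, the event-time column every sibling rule in this series emits.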
diff --git a/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json new file mode 100644 index 00000000..8746e489 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed login attempts to Azure Portal.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a203a1c1-5360-4d2b-a61e-7e02066ef891')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a203a1c1-5360-4d2b-a61e-7e02066ef891')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet timeRange = 1d;\nlet lookBack = 7d;\nlet threshold_Failed = 5;\nlet threshold_FailedwithSingleIP = 20;\nlet threshold_IPAddressCount = 2;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet aadFunc = (tableName:string){\nlet azPortalSignins = materialize(table(tableName)\n| where TimeGenerated >= ago(lookBack)\n// Azure Portal only\n| where AppDisplayName =~ \"Azure Portal\")\n;\nlet successPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n//| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n| distinct TimeGenerated, UserPrincipalName, Id, ResultType\n;\nlet failPortalSignins = azPortalSignins\n| where TimeGenerated >= ago(timeRange)\n// Azure Portal only and exclude non-failure Result Types\n| where ResultType !in (\"0\", \"50125\", \"50140\")\n// Tagging identities not resolved to friendly names\n| extend Unresolved = iff(Identity matches regex isGUID, true, false)\n;\n// Verify there is no success 
for the same connection attempt after the fail\nlet failnoSuccess = failPortalSignins | join kind= leftouter (\n successPortalSignins \n) on UserPrincipalName, Id\n| where TimeGenerated > TimeGenerated1\n| project-away TimeGenerated1, UserPrincipalName1, Id1, ResultType1\n;\n// Lookup up resolved identities from last 7 days\nlet identityLookup = azPortalSignins\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName;\n// Join resolved names to unresolved list from portal signins\nlet unresolvedNames = failnoSuccess | where Unresolved == true | join kind= inner (\n identityLookup \n) on UserId\n| extend UserDisplayName = lu_UserDisplayName, UserPrincipalName = lu_UserPrincipalName\n| project-away lu_UserDisplayName, lu_UserPrincipalName;\n// Join Signins that had resolved names with list of unresolved that now have a resolved name\nlet u_azPortalSignins = failnoSuccess | where Unresolved == false | union unresolvedNames;\nu_azPortalSignins\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend Status = strcat(ResultType, \": \", ResultDescription), OS = tostring(DeviceDetail.operatingSystem), Browser = tostring(DeviceDetail.browser)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| extend FullLocation = strcat(Region,'|', State, '|', City)\n| summarize TimeGenerated = makelist(TimeGenerated), Status = makelist(Status), IPAddresses = makelist(IPAddress), IPAddressCount = dcount(IPAddress), FailedLogonCount = count()\nby UserPrincipalName, UserId, UserDisplayName, AppDisplayName, Browser, OS, FullLocation, Type\n| mvexpand TimeGenerated, IPAddresses, Status\n| extend TimeGenerated = todatetime(tostring(TimeGenerated)), IPAddress = tostring(IPAddresses), Status = 
tostring(Status)\n| project-away IPAddresses\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, UserId, UserDisplayName, Status, FailedLogonCount, IPAddress, IPAddressCount, AppDisplayName, Browser, OS, FullLocation, Type\n| where (IPAddressCount >= threshold_IPAddressCount and FailedLogonCount >= threshold_Failed) or FailedLogonCount >= threshold_FailedwithSingleIP\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed login attempts to Azure Portal", + "enabled": false, + "description": "Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon \nattempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack. 
\nThe following are excluded due to success and non-failure results:\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n0 - successful logon\n50125 - Sign-in was interrupted due to a password reset or password registration entry.\n50140 - This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "alertRuleTemplateName": "223db5c1-1bf8-47d8-8806-bed401b356a4" + } + } + ] +} \ No newline at end of file From 2660371487f6d151f2e19a25ddda5f7a115d24f3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:00 +0000 Subject: [PATCH 156/375] Exported file: Failed logon attempts by valid accounts within 10 mins.json.json --- ...mpts by valid accounts within 10 mins.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json new file mode 100644 index 00000000..51f35ef7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed logon attempts by valid accounts within 10 mins.json 
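Review bot: `let failnoSuccess = failPortalSignins | join kind= leftouter (successPortalSignins) on UserPrincipalName, Id | where TimeGenerated > TimeGenerated1` appears to drop the rows it is meant to keep: for a failure with no matching success, `TimeGenerated1` is null, the comparison evaluates to null and `where` treats that as false, so only failures that occurred after a success with the same `Id` survive (unless I am misreading KQL's null-comparison semantics). The comment "Verify there is no success for the same connection attempt after the fail" suggests `| where isnull(TimeGenerated1) or TimeGenerated > TimeGenerated1`. Also, `Status = todynamic(DeviceDetail)` in the first `extend` after `u_azPortalSignins` is a dead assignment immediately overwritten by `Status = strcat(ResultType, ": ", ResultDescription)` and reads like a copy-paste of the `DeviceDetail` conversion; dropping it would spare the next reader the puzzle.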
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4f34b46-8c20-46f0-b790-23d2bd555b6a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let threshold = 20;\nSecurityEvent \n| where EventID == 4625\n| where AccountType =~ \"User\"\n| where SubStatus !='0xc0000064' and Account !in ('\\\\', '-\\\\-')\n// SubStatus '0xc0000064' signifies 'Account name does not exist'\n| extend ResourceId = column_ifexists(\"_ResourceId\", _ResourceId), SourceComputerId = column_ifexists(\"SourceComputerId\", SourceComputerId)\n| extend Reason = case(\nSubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',\nSubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',\nSubStatus =~ '0xC000006A', 'User logon with misspelled or bad password', \nSubStatus =~ '0xC000006D', 'Bad user name or password',\nSubStatus =~ '0xC000006E', 'Unknown user name or bad password',\nSubStatus =~ '0xC000006F', 'User logon outside authorized hours',\nSubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',\nSubStatus =~ '0xC0000071', 'User logon with expired password',\nSubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',\nSubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the 
desired operation', \nSubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',\nSubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',\nSubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',\nSubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',\nSubStatus =~ '0xC0000193', 'User logon with expired account',\nSubStatus =~ '0xC0000224', 'User is required to change password at next logon',\nSubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',\nSubStatus =~ '0xC0000234', 'User logon with account locked',\nSubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',\nSubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',\nstrcat('Unknown reason substatus: ', SubStatus))\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID, \nActivity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName, \nLogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress\n| where FailedLogonCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { 
+ "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed logon attempts by valid accounts within 10 mins", + "enabled": false, + "description": "Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.", + "alertRuleTemplateName": "0777f138-e5d8-4eab-bec1-e11ddfbc2be2" + } + } + ] +} \ No newline at end of file From dde330f9b3c84f1703266987b683be0d9899f6b8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:01 +0000 Subject: [PATCH 157/375] Exported file: Failed logon attempts in authpriv.json.json --- .../Failed logon attempts in authpriv.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json diff --git a/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json new file mode 100644 index 00000000..b0cdc9f3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Failed logon attempts in authpriv.json 
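Review bot: `| where SubStatus !='0xc0000064' and Account !in ('\\', '-\\-')` uses the case-sensitive `!=` while every `SubStatus` comparison in the `case()` below uses the case-insensitive `=~` with upper-case hex (`'0xC0000064'`), so an upper-case `0xC0000064` value would pass the filter and then land in the `'User logon with misspelled or bad user account'` branch the filter is supposed to make unreachable. `| where SubStatus !~ '0xc0000064' and Account !in ('\\', '-\\-')` keeps the two consistent. The comment `// SubStatus '0xc0000064' signifies 'Account name does not exist'` sits after the filter it explains; placing it above the `where` reads more naturally.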
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1e0484-a8d7-4116-bbc0-294d9d45aa1d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nlet authfail = Syslog\n| where Facility =~ \"authpriv\" // looks at authpriv messages\n| where SyslogMessage contains \"authentication failure\" and SyslogMessage contains \" uid=0\"\n| parse SyslogMessage with * \"rhost=\" ExternalIP\n| project TimeGenerated, Computer, ProcessName, HostIP, ExternalIP, ProcessID; \n// Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
\nlet userfail = Syslog \n| where Facility =~ \"authpriv\" \n| where SyslogMessage contains \"user unknown\"\n| project TimeGenerated, Computer, HostIP, ProcessID;\n// Join the two log messages above\nlet userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID\n| project TimeGenerated, Computer, HostIP, ExternalIP, ProcessID ;\n// Extract the EventTime of the first logon attempt\nlet firstfail = userauthfail\n| summarize arg_min(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, FirstLogonAttempt = TimeGenerated;\n// Extract the EventTime of the last logon attempt\nlet lastfail = userauthfail\n| summarize arg_max(TimeGenerated, *) by Computer, ExternalIP\n| project Computer, ExternalIP, LatestLogonAttempt = TimeGenerated;\n// Join first and last logon attempt data and calculate the time between them (AttemptPeriodLength).\nlet faildates = firstfail | join (lastfail) on Computer, ExternalIP\n| project ExternalIP, Computer, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt;\n// Count the number of failed logon attempts by External IP and internal machine\nlet totalfails = userauthfail\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), TotalLogonAttempts = count() by ExternalIP, Computer, HostIP\n| project StartTimeUtc, EndTimeUtc, ExternalIP, Computer, HostIP, TotalLogonAttempts;\n// Combine total attempts with timing data from above\nlet finalfails = totalfails | join (faildates) on Computer, ExternalIP\n| project StartTimeUtc, EndTimeUtc, SourceAddress = ExternalIP, DestinationHost = Computer, DestinationIP = HostIP, TotalLogonAttempts, FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts\n| order by DestinationHost asc nulls last;\nfinalfails \n| where TotalLogonAttempts >= threshold\n| extend timestamp = StartTimeUtc, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationIP\n", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Failed logon attempts in authpriv", + "enabled": false, + "description": "Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.", + "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6" + } + } + ] +} \ No newline at end of file From 1ba3a79ff2727d217e691e482139937834d8db96 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:02 +0000 Subject: [PATCH 158/375] Exported file: First access credential added to Application or Service Principal where no credential was present.json.json --- ...cipal where no credential was present.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json 
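Review bot: `let userauthfail = authfail | join (userfail) on Computer, HostIP, ProcessID` relies on KQL's default join flavour (`innerunique`), which keeps only one left-side row per key; if several authentication failures from one source share an sshd `ProcessID` (repeated attempts within a single connection), they collapse to one row before `TotalLogonAttempts = count()` is computed, undercounting against the `threshold` of 15. `let userauthfail = authfail | join kind=inner (userfail) on Computer, HostIP, ProcessID` preserves every attempt; the later `firstfail | join (lastfail)` and `totalfails | join (faildates)` operate on keys already made unique by `summarize` and are fine as they are. Separately, `IPCustomEntity = DestinationIP` maps the IP entity to the targeted host's own address, while the external `SourceAddress` is the value an analyst would pivot on; if that is deliberate, a one-line comment saying so would help.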
diff --git a/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json new file mode 100644 index 00000000..b6d69ff1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/First access credential added to Application or Service Principal where no credential was present.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f3f94d19-f440-483e-b11a-231f93731fe8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f3f94d19-f440-483e-b11a-231f93731fe8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set == \"[]\"\n| parse new_value_set with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = 
iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "First access credential added to Application or Service Principal where no credential was present", + "enabled": false, + "description": "This will alert when an admin or app owner account adds a new credential to an 
Application or Service Principal where there was no previous verify KeyCredential associated.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "2cfc3c6e-f424-4b88-9cc9-c89f482d016a" + } + } + ] +} \ No newline at end of file From 9b8c8c5474673b50cd8a1e47824a63bfcb5a69b5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:03 +0000 Subject: [PATCH 159/375] Exported file: Fortinet - Beacon pattern detected.json.json --- .../Fortinet - Beacon pattern detected.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json diff --git a/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json new file mode 100644 index 00000000..ec5ccc3a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Fortinet - Beacon pattern detected.json 
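Review bot: `| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` effectively limits the rule to user-initiated events, since an application display name rarely contains `@`; a credential added by another service principal (automation, or an app with sufficient directory rights) would not alert, and the description's "admin or app owner account" does not make that scope explicit. If the restriction is intended, a comment such as `// only user-initiated changes are in scope; app-initiated credential additions are excluded by the "@" check` would document it; if not, `| where isnotempty(InitiatedBy.user.userPrincipalName) or isnotempty(InitiatedBy.app.displayName)` would widen coverage. The `InitiatingUserOrApp` and `InitiatingIpAddress` columns already handle the app branch, so nothing else in the query would need to change.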
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f9862418-b01a-40d9-84e1-bece0e2e89bb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f9862418-b01a-40d9-84e1-bece0e2e89bb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 1d;\nlet TimeDeltaThresholdInSeconds = 60; // we ignore beacons diffs that fall below this threshold \nlet TotalBeaconsThreshold = 4; // minimum number of beacons required in a session to surface a row\nlet JitterTolerance = 0.2; // tolerance to jitter, e.g. 
- 0.2 = 20% jitter is tolerated either side of the periodicity\nlet PrivateIPregex = @\"^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.\"; // exclude destinations that fall into this category\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where TimeGenerated > ago(starttime)\n// eliminate bad data\n| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SourceIP != \"0.0.0.0\"\n// filter out deny, close, rst and SNMP to reduce data volume\n| where DeviceAction !in (\"close\", \"client-rst\", \"server-rst\", \"deny\") and DestinationPort != 161\n// map input fields\n| project TimeGenerated , SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// where destination IPs are public\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n// sort into source->destination 'sessions'\n| sort by SourceIP asc, DestinationIP asc, DestinationPort asc, TimeGenerated asc\n| serialize\n// time diff the contact times between source and destination to get a list of deltas\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1), nextDestIP = next(DestinationIP, 1), nextDestPort = next(DestinationPort, 1)\n| extend TimeDeltainSeconds = datetime_diff(\"second\",nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP and DestinationIP == nextDestIP and DestinationPort == nextDestPort\n// remove small time deltas below the set threshold\n| where TimeDeltainSeconds > TimeDeltaThresholdInSeconds\n| project TimeGenerated, TimeDeltainSeconds, SourceIP, DestinationIP, DestinationPort, ReceivedBytes, SentBytes, DeviceAction \n// summarize the deltas by source->destination\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), sum(ReceivedBytes), sum(SentBytes), makelist(TimeDeltainSeconds), makeset(DeviceAction) by SourceIP, DestinationIP, DestinationPort\n// 
get some statistical properties of the delta distribution and smooth any outliers (e.g. laptop shut overnight, working hours)\n| extend series_stats(list_TimeDeltainSeconds), outliers=series_outliers(list_TimeDeltainSeconds)\n// expand the deltas and the outliers\n| mvexpand list_TimeDeltainSeconds to typeof(double), outliers to typeof(double)\n// replace outliers with the average of the distribution\n| extend list_TimeDeltainSeconds_normalized=iff(outliers > 1.5 or outliers < -1.5, series_stats_list_TimeDeltainSeconds_avg , list_TimeDeltainSeconds)\n// summarize with the smoothed distribution\n| summarize BeaconCount=count(), makelist(list_TimeDeltainSeconds), list_TimeDeltainSeconds_normalized=makelist(list_TimeDeltainSeconds_normalized), makeset(set_DeviceAction) by StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, sum_ReceivedBytes, sum_SentBytes\n// get stats on the smoothed distribution\n| extend series_stats(list_TimeDeltainSeconds_normalized)\n// match jitter tolerance on smoothed distrib\n| extend MaxJitter = (series_stats_list_TimeDeltainSeconds_normalized_avg*JitterTolerance)\n| where series_stats_list_TimeDeltainSeconds_normalized_stdev < MaxJitter\n// where the minimum beacon threshold is satisfied and there was some data transfer\n| where BeaconCount > TotalBeaconsThreshold and (sum_SentBytes > 0 or sum_ReceivedBytes > 0)\n// final projection\n| project StartTime, EndTime, SourceIP, DestinationIP, DestinationPort, BeaconCount, TimeDeltasInSeconds=list_list_TimeDeltainSeconds, Periodicity=series_stats_list_TimeDeltainSeconds_normalized_avg, ReceivedBytes=sum_ReceivedBytes, SentBytes=sum_SentBytes, Actions=set_set_DeviceAction\n// where periodicity is order of magnitude larger than time delta threshold (eliminates FPs whose periodicity is close to the values we ignored)\n| where Periodicity >= (10*TimeDeltaThresholdInSeconds)\n| extend timestamp = StartTime, IPCustomEntity = DestinationIP\n", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Fortinet - Beacon pattern detected", + "enabled": false, + "description": "Identifies patterns in the time deltas of contacts between internal and external IPs in Fortinet network data that are consistent with beaconing.\n Accounts for randomness (jitter) and seasonality such as working hours that may have been introduced into the beacon pattern.\n The lookback is set to 1d, the minimum granularity in time deltas is set to 60 seconds and the minimum number of beacons required to emit a\n detection is set to 4.\n Increase the lookback period to capture beacons with larger periodicities.\n The jitter tolerance is set to 0.2 - This means we account for an overall 20% deviation from the infered beacon periodicity. Seasonality is dealt with\n automatically using series_outliers.\n Note: In large environments it may be necessary to reduce the lookback period to get fast query times.", + "alertRuleTemplateName": "3255ec41-6bd6-4f35-84b1-c032b18bbfcb" + } + } + ] +} \ No newline at end of file From 907f6385ae80b0c8ed2a599d7753448a62cb6b2f Mon Sep 17 00:00:00 2001 
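Review bot: Only the external DestinationIP is mapped as an entity (`IPCustomEntity = DestinationIP` in the query's final `extend`, and the single `IP` entry under `entityMappings`), so the internal host that is doing the beaconing never becomes an incident entity and cannot drive grouping or investigation. Adding `SourceIPCustomEntity = SourceIP` to that `extend` and a second mapping `{"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "SourceIPCustomEntity"}]}` would surface the host of interest. `PrivateIPregex` also leaves 169.254.0.0/16 and 100.64.0.0/10 classified as "public", so link-local and carrier-NAT destinations can be scored as beacons. The `makelist`/`makeset`/`mvexpand` spellings are the legacy aliases; `make_list`/`make_set`/`mv-expand` are the current forms.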
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:03 +0000 Subject: [PATCH 160/375] Exported file: Full Admin policy created and then attached to Roles, Users or Groups.json.json --- ...en attached to Roles, Users or Groups.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json diff --git a/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json new file mode 100644 index 00000000..daa33fc5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Full Admin policy created and then attached to Roles, Users or Groups.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74a06942-f4b8-440a-bcbb-829dc41948ba')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74a06942-f4b8-440a-bcbb-829dc41948ba')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let EventNameList = dynamic([\"AttachUserPolicy\",\"AttachRolePolicy\",\"AttachGroupPolicy\"]);\nlet createPolicy = \"CreatePolicy\";\nlet timeframe = 1d;\nlet lookback = 14d;\n// Creating Master table with all the events to use with materialize for better performance\nlet EventInfo = AWSCloudTrail\n| where TimeGenerated >= ago(lookback)\n| where EventName in (EventNameList) or EventName == createPolicy;\n//Checking for Policy creation event with Full Admin Privileges since lookback period.\nlet FullAdminPolicyEvents = materialize( EventInfo\n| where TimeGenerated >= ago(lookback)\n| where EventName == createPolicy\n| extend PolicyName = tostring(parse_json(RequestParameters).policyName)\n| extend Statement = parse_json(tostring((parse_json(RequestParameters).policyDocument))).Statement\n| mvexpand Statement\n| extend Action = parse_json(Statement).Action , Effect = tostring(parse_json(Statement).Effect), Resource = tostring(parse_json(Statement).Resource)\n| mvexpand Action\n| extend Action = tostring(Action)\n| where Effect =~ \"Allow\" and Action == \"*\" and Resource == \"*\"\n| distinct TimeGenerated, EventName, PolicyName, 
SourceIpAddress, UserIdentityArn, UserIdentityUserName\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| project-rename StartTime = TimeGenerated );\nlet PolicyAttach = materialize( EventInfo\n| where TimeGenerated >= ago(timeframe)\n| where EventName in (EventNameList)\n| extend PolicyName = tostring(split(tostring(parse_json(RequestParameters).policyArn),\"/\")[1])\n| summarize AttachEventCount=count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventSource, EventName, UserIdentityType , UserIdentityArn, SourceIpAddress, UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1])), PolicyName\n| extend AttachEvent = pack(\"StartTime\", StartTime, \"EndTime\", EndTime, \"EventName\", EventName, \"UserIdentityType\", UserIdentityType, \"UserIdentityArn\", UserIdentityArn, \"SourceIpAddress\", SourceIpAddress, \"UserIdentityUserName\", UserIdentityUserName)\n| project EventSource, PolicyName, AttachEvent, AttachEventCount\n);\n// Joining the list of PolicyNames and checking if it has been attached to any Roles/Users/Groups.\n// These Roles/Users/Groups will be Privileged and can be used by adversaries as pivot point for privilege escalation via multiple ways.\nFullAdminPolicyEvents\n| join kind=leftouter\n(\n PolicyAttach\n)\non PolicyName\n| project-away PolicyName1\n| extend timestamp = StartTime, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Full Admin policy created and then attached to Roles, Users or Groups", + "enabled": false, + "description": "Identity and Access Management (IAM) securely manages access to AWS services and resources. \nIdentifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). \nThis policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.\nAWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html\nand AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html", + "alertRuleTemplateName": "826bb2f8-7894-4785-9a6b-a8a855d8366f" + } + } + ] +} \ No newline at end of file From a5b3f801aece948e31c33aab127e330fd125c45e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:04 +0000 Subject: [PATCH 161/375] Exported file: Gain Code Execution on ADFS Server via Remote WMI Execution.json.json --- ... ADFS Server via Remote WMI Execution.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json new file mode 100644 index 00000000..533e89ac --- /dev/null +++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via Remote WMI Execution.json 
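Review bot: The join key is derived differently on the two sides of the `on PolicyName` join: `FullAdminPolicyEvents` takes `policyName` from the CreatePolicy request, while `PolicyAttach` takes `split(policyArn, "/")[1]`, which is the path segment rather than the name whenever the policy ARN carries an IAM path (`arn:aws:iam::<account>:policy/<path>/<name>`), so attaches of such policies never join. Taking the last segment, `tostring(split(tostring(parse_json(RequestParameters).policyArn),"/")[-1])`, matches how the same query already derives UserIdentityUserName. Separately, `Resource == "*"` only matches the string form; the linked IAM policy grammar also allows `"Resource": ["*"]`, which `tostring()` renders as `["*"]` and the rule then misses — expanding Resource with `mv-expand` the way Action already is would close that gap.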
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aab9ad2-d911-4d72-95ba-0fa53d80af93')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n| union isfuzzy=true (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n| distinct Computer);\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ 
(ADFS_Servers)\n| where ParentProcessName has 'wmiprvse.exe'\n// Looking for rundll32.exe is based on intel from the blog linked in the description\n// This can be commented out or altered to filter out known internal uses\n| where CommandLine has_any ('rundll32') \n| project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n// Search for recent logons to identify lateral movement\n| join kind= inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4624 and LogonType == 3\n| where Account !endswith \"$\"\n| project TargetLogonId\n) on TargetLogonId\n),\n(\nEvent\n| where TimeGenerated > ago(timeframe)\n| where Source == \"Microsoft-Windows-Sysmon\"\n// Check for WMI Events\n| where Computer in~ (ADFS_Servers) and EventID in (19, 20, 21)\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| project TimeGenerated, EventType, Image, Computer, UserName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Gain Code Execution on ADFS Server via Remote WMI Execution", + "enabled": false, + "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through remote WMI Execution.\nIn order to use this query you need to be collecting Sysmon EventIDs 19, 20, and 21.\nIf you do not have Sysmon data in your workspace this query will raise an error stating:\n Failed to resolve scalar expression named \"[@Name]\"\nFor more on how WMI was used in Solorigate see https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/.\nThe query contains some features from the following detections to look for potentially malicious ADFS activity. See them for more details.\n- ADFS Key Export (Sysmon): https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSKeyExportSysmon.yaml\n- ADFS DKM Master Key Export: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ADFS-DKM-MasterKey-Export.yaml", + "alertRuleTemplateName": "0bd65651-1404-438b-8f63-eecddcec87b4" + } + } + ] +} \ No newline at end of file From 34202c87d2954dabcd2a96e9948b4d8bfe6082cc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:05 +0000 Subject: [PATCH 162/375] Exported file: Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json.json --- ...MB + Remote Service or Scheduled Task.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json 
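Review bot: The lateral-movement join in the SecurityEvent branch (`| join kind= inner (... | where EventID == 4624 and LogonType == 3 ... | project TargetLogonId) on TargetLogonId`) keys on the logon ID alone, but Windows logon IDs are only unique per host and boot, so a 4624 on any other collected machine with a colliding TargetLogonId satisfies the join and the result no longer shows a network logon on the ADFS server itself. Carrying Computer into the right side (`| project TargetLogonId, Computer`) and joining `on TargetLogonId, Computer` restricts the correlation to the same host; the next hunk, the "SMB + Remote Service or Scheduled Task" rule, has the same issue in its `$left.SubjectLogonId == $right.TargetLogonId` join. The right-side subquery also discards the logon's source address, so projecting `IpAddress` and mapping it as an IP entity would give responders the origin of the remote session.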
diff --git a/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json new file mode 100644 index 00000000..dd9c9768 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf490122-cedd-48e7-ba93-246d9ba9bfae')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf490122-cedd-48e7-ba93-246d9ba9bfae')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let timeframe = 1d;\n// Adjust for a longer timeframe for identifying ADFS Servers\nlet lookback = 6d;\n// Identify ADFS Servers\nlet ADFS_Servers = (\nSecurityEvent\n| where TimeGenerated > ago(timeframe+lookback)\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Computer in~ (ADFS_Servers)\n| where Account !endswith \"$\"\n// Check for scheduled task events\n| where EventID in (4697, 4698, 4699, 4700, 4701, 4702)\n| extend EventDataParsed = parse_xml(EventData)\n| extend SubjectLogonId = tostring(EventDataParsed.EventData.Data[3][\"#text\"])\n// Check specifically for access to IPC$ share and PIPE\\svcctl and PIPE\\atsvc for Service Control Services and Schedule Control Services\n| union ( \n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n | where Computer in~ (ADFS_Servers)\n | where Account !endswith \"$\"\n | where EventID == 5145\n | where RelativeTargetName =~ \"svcctl\" or RelativeTargetName =~ \"atsvc\"\n)\n// Check for lateral movement\n| join 
kind=inner\n(SecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where Account !endswith \"$\"\n| where EventID == 4624 and LogonType == 3\n) on $left.SubjectLogonId == $right.TargetLogonId\n| project TimeGenerated, Account, Computer, EventID, RelativeTargetName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Gain Code Execution on ADFS Server via SMB + Remote Service or Scheduled Task", + "enabled": false, + "description": "This query detects instances where an attacker has gained the ability to execute code on an ADFS Server through SMB and Remote Service or Scheduled Task.", + "alertRuleTemplateName": "12dcea64-bec2-41c9-9df2-9f28461b1295" + } + } + ] +} \ No newline at end of file From 9d692bc4f7658880435838cebdbdd57af0628d3a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:06 +0000 Subject: [PATCH 163/375] Exported file: GitHub Activites from a New Country.json.json --- .../GitHub Activites from a New Country.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json 
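Review bot: The one-sentence `description` states no data prerequisites, unlike the sibling WMI rule, which documents its Sysmon dependency. This query only produces rows when process creation auditing (4688) identifies the ADFS host and when 4697, 4698–4702, 5145 and 4624 are being collected; the subcategories behind 4697 (Security System Extension), 4698–4702 (Other Object Access Events) and 5145 (Detailed File Share) are typically not enabled by default, so a deployment without them silently returns nothing. A sentence such as `Requires Security event IDs 4688, 4697, 4698-4702, 5145 and 4624 to be collected; 5145 needs 'Detailed File Share' auditing and 4697 needs 'Security System Extension' auditing enabled.` in the description would make that visible at deployment time. The positional `EventDataParsed.EventData.Data[3]["#text"]` used to recover SubjectLogonId also deserves an inline comment such as `// Data[3] is SubjectLogonId for 4697-4702; positional, re-verify if the EventID list changes`, since it depends on field order rather than the field name.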
diff --git a/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json new file mode 100644 index 00000000..39ec52a6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Activites from a New Country.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9970db1b-bed7-4ca6-a5ea-effa3aac7b05')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAudit\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. 
ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "GitHub Activites from a New Country", + "enabled": false, + "description": "Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.", + "alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546" + } + } + ] +} \ No newline at end of file From b5daa24137186bbec5554386ce21c5abe369942e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:08 +0000 Subject: [PATCH 164/375] Exported file: GitHub Security Vulnerability in Repository.json.json --- ... Security Vulnerability in Repository.json | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json diff --git a/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json new file mode 100644 index 00000000..f3242ab7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Security Vulnerability in Repository.json 
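Review bot: The detection window and the schedule disagree: `RunTime = 1h` and `StartTime = 1h` give `EndRunTime = 0`, so the right side of the join examines only the last hour (`between (ago(StartTime) .. ago(EndRunTime))`), while `"queryFrequency": "P1D"` runs it once a day, leaving 23 of every 24 hours of GitHubAudit activity unevaluated. Either set `"queryFrequency": "PT1H"` or raise RunTime and StartTime to 1d so the examined window matches the cadence; note also that `EndLearningTime` is 7d+1h while `queryPeriod` is `P7D`, so the oldest hour of the learning window is never loaded. The comparison `set_Country !contains Country` is a substring test on the serialized set, so a country whose name is contained in one already seen (constructed example: "Niger" versus "Nigeria") is treated as known; `| where not(set_has_element(set_Country, Country))` tests membership exactly.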
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1e944163-f959-46f8-9760-95a54652437b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1e944163-f959-46f8-9760-95a54652437b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Informational", + "query": "\nGitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": null, + "techniques": null, + "displayName": "GitHub Security Vulnerability in Repository", + "enabled": false, + "description": "This alerts when there is a new security vulnerability in a GitHub repository.", + "alertRuleTemplateName": "5436f471-b03d-41cb-b333-65891f887c43" + } + } + ] +} \ No newline at end of file From 73cb3fc494d6caa802618f45e41cae3eb4f0cf52 Mon Sep 17 00:00:00 2001 
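Review bot: This rule declares no `entityMappings` and has `"tactics": null`, so every incident it creates carries no entities, and the `project` list (TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary) includes nothing that identifies the affected repository, which is the first thing a responder needs. If GitHubRepo exposes a repository column (GitHubAudit has `Repository` in the neighbouring rules, so it likely does — verify against the table schema), projecting it and surfacing it through the rule's `customDetails` would make the incident actionable. The query also returns dismissed alerts alongside open ones, since `DismmisedAt` is projected but not filtered; if the description's "new security vulnerability" is the intent, `| where isempty(DismmisedAt)` is presumably wanted.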
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:08 +0000 Subject: [PATCH 165/375] Exported file: GitHub Signin Burst from Multiple Locations.json.json --- ... Signin Burst from Multiple Locations.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json diff --git a/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json new file mode 100644 index 00000000..2425d232 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Signin Burst from Multiple Locations.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8d2677a1-dcf3-42b1-848b-a0a7055016d8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName == \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > 1\n| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + 
"displayName": "GitHub Signin Burst from Multiple Locations", + "enabled": false, + "description": "This alerts when there Signin burst from multiple locations in GitHub (AAD SSO).", + "alertRuleTemplateName": "d3980830-dd9d-40a5-911f-76b44dfdce16" + } + } + ] +} \ No newline at end of file From d44061363cbfcc0b7552ad1ae6562f84c3cfbfaa Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:09 +0000 Subject: [PATCH 166/375] Exported file: GitHub Two Factor Auth Disable.json.json --- .../GitHub Two Factor Auth Disable.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json diff --git a/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json new file mode 100644 index 00000000..f8a9e188 --- /dev/null +++ b/SentinelExported-AnalyticsRule/GitHub Two Factor Auth Disable.json 
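Review bot: The `description` does not say what counts as a burst, which the query defines precisely: successful sign-ins to the `GitHub.com` application by the same UserPrincipalName from more than one `Location` within the one-hour `queryPeriod`, across both SigninLogs and AADNonInteractiveUserSignInLogs. Stating that, and that `Location` is effectively the sign-in country so VPN or mobile-network changes can trip it, would let analysts tune before enabling; for example `Alerts when a user has successful GitHub.com (AAD SSO) sign-ins from more than one Location (country) within the 1-hour query window, across interactive and non-interactive sign-in logs.` The summarize also drops the address, so adding `IPAddresses = make_set(IPAddress)` to it and mapping an IP entity would give responders the addresses behind each location.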
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/67e76653-affb-4264-9b2a-0dd5f5fc2835')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nGitHubAudit\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, IPaddress, Repository\n| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "GitHub Two Factor Auth Disable",
+ "enabled": false,
+ "description": "Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. ",
+ "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 12888ad21687316e3bbebfdfd08739b531ebc7a8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:10 +0000 Subject: [PATCH 167/375] Exported file: Group created then added to built in domain local or global group.json.json --- ...built in domain local or global group.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
new file mode 100644
index 00000000..c85532e1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Group created then added to built in domain local or global group.json
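Review bot: `"queryFrequency": "P1D"` with `"queryPeriod": "P1D"` means an `org.disable_two_factor_requirement` audit event is surfaced up to 24 hours after the organisation's MFA requirement was removed, which is a long blind spot for a DefenseEvasion control change that is cheap to evaluate. The query is a plain equality filter with no aggregation over the window, so `"queryFrequency": "PT1H"` and `"queryPeriod": "PT1H"` would give hourly detection with identical per-event results. Severity `Medium` for an org-wide 2FA requirement removal is also worth a second look, though that is a policy call rather than a defect.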
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/36af90d3-daf0-4785-a195-afa11219595f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/36af90d3-daf0-4785-a195-afa11219595f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nlet GroupAddition = SecurityEvent \n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group \n| where EventID in (\"4728\", \"4732\", \"4756\") \n| where AccountType =~ \"User\" and MemberName == \"-\"\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, GroupAddComputer = Computer, GroupAddTargetAccount = TargetAccount, \nGroupAddTargetSid = TargetSid, GroupAddSubjectAccount = SubjectAccount, GroupAddSubjectUserSid = SubjectUserSid, GroupSid = MemberSid;\nlet GroupCreated = SecurityEvent\n// 4727 - A 
security-enabled global group was created\n// 4731 - A security-enabled local group was created\n// 4754 - A security-enabled universal group was created\n| where EventID in (\"4727\", \"4731\", \"4754\")\n| where AccountType =~ \"User\"\n| project GroupCreateTime = TimeGenerated, GroupCreateEventID = EventID, GroupCreateActivity = Activity, GroupCreateComputer = Computer, GroupCreateTargetAccount = TargetAccount, \nGroupCreateSubjectAccount = SubjectAccount, GroupCreateSubjectUserSid = SubjectUserSid, GroupSid = TargetSid;\nGroupCreated\n| join (\nGroupAddition\n) on GroupSid \n| extend timestamp = GroupCreateTime, AccountCustomEntity = GroupCreateSubjectAccount, HostCustomEntity = GroupCreateComputer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Group created then added to built in domain local or global group", + "enabled": false, + "description": "Identifies when a recently created Group was added to a privileged built in domain local group or global group such as the \nEnterprise Admins, Cert Publishers or DnsAdmins. 
Be sure to verify this is an expected addition.\nReferences: For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups.", + "alertRuleTemplateName": "a7564d76-ec6b-4519-a66b-fcc80c42332b" + } + } + ] +} \ No newline at end of file From eb7f4ace74946471435f68057f957310cdf37c32 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:11 +0000 Subject: [PATCH 168/375] Exported file: HAFNIUM New UM Service Child Process.json.json --- .../HAFNIUM New UM Service Child Process.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json diff --git a/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json new file mode 100644 index 00000000..41dbee52 --- /dev/null +++ b/SentinelExported-AnalyticsRule/HAFNIUM New UM Service Child Process.json 
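Review bot: The `GroupCreated | join (GroupAddition) on GroupSid` correlation carries no time constraint of its own, so it only pairs a creation and an addition that both fall inside the same `PT1H` query window; a group created near the end of one hourly window and added to a privileged group a few minutes into the next is never joined and the rule stays silent. Widening `"queryPeriod": "P1D"` while keeping `"queryFrequency": "PT1H"` lets each run see the preceding day's creations, and appending `| where GroupAddTime > ago(1h)` after the join keeps each addition from re-alerting on every subsequent hourly run. The hard-coded exclusion of `S-1-5-32-555` (Remote Desktop Users) is already commented in the KQL, which is the right place for it; the `WellKnownGroupSID` pattern would benefit from the same one-line comment naming which RIDs (498, 1000, 1102, 1103, 5xx) it is meant to cover.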
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/17cf26a4-edee-458d-a467-5933e8c1a1aa')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/17cf26a4-edee-458d-a467-5933e8c1a1aa')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookback = 14d;\nlet timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": 
"FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "HAFNIUM New UM Service Child Process", + "enabled": false, + "description": "This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9" + } + } + ] +} \ No newline at end of file From 31a536bb5d54a3274b2767c00066cb32935245df Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:11 +0000 Subject: [PATCH 169/375] Exported file: HAFNIUM Suspicious Exchange Request.json.json --- .../HAFNIUM Suspicious Exchange Request.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json new file mode 100644 index 00000000..ada898a7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious Exchange Request.json 
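Review bot: The baseline window is hard-coded twice: `let lookback = 14d;` and `let timeframe = 1d;` inside `query` must agree with `"queryPeriod": "P14D"` and `"queryFrequency": "P1D"`, and nothing ties them together — shrinking `queryPeriod` in the portal would silently empty the baseline side of the `join kind=rightanti` and make every UM child process look new. The same duplication is present in the HAFNIUM Suspicious Exchange Request rule (`ago(14d)` / `ago(1d)`) and the High Urgency Cyberpion Action Items rule (`let timeframe = 14d;`). A one-line KQL comment at the top of the query, `// lookback/timeframe must match this rule's queryPeriod/queryFrequency`, would at least make the coupling visible to whoever edits either side.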
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6b67df71-a90e-424c-8725-e7f9574d716f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6b67df71-a90e-424c-8725-e7f9574d716f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let exchange_servers = (\nW3CIISLog\n| where TimeGenerated > ago(14d)\n| where sSiteName =~ \"Exchange Back End\"\n| summarize by Computer);\nW3CIISLog\n| where TimeGenerated > ago(1d)\n| where Computer in (exchange_servers)\n| where csUriQuery startswith \"t=\"\n| project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + 
"fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "HAFNIUM Suspicious Exchange Request", + "enabled": false, + "description": "This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.\nThe same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "alertRuleTemplateName": "23005e87-2d3a-482b-b03d-edbebd1ae151" + } + } + ] +} \ No newline at end of file From bfec3e9b8cea543d62eb778106999386446a8d51 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:12 +0000 Subject: [PATCH 170/375] Exported file: HAFNIUM Suspicious File Downloads_.json.json --- .../HAFNIUM Suspicious File Downloads_.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json new file mode 100644 index 00000000..cbeb0997 --- /dev/null +++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious File Downloads_.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/68b67702-32ef-41ac-a8b2-f793d9689274')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/68b67702-32ef-41ac-a8b2-f793d9689274')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + 
"techniques": null, + "displayName": "HAFNIUM Suspicious File Downloads.", + "enabled": false, + "description": "This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "alertRuleTemplateName": "03e04c97-8cae-48b3-9d2f-4ab262e4ffff" + } + } + ] +} \ No newline at end of file From 8a229fc0c69fbab15107621100454e39ea1f0262 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:13 +0000 Subject: [PATCH 171/375] Exported file: HAFNIUM Suspicious UM Service Error.json.json --- .../HAFNIUM Suspicious UM Service Error.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json diff --git a/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json new file mode 100644 index 00000000..e45f5345 --- /dev/null +++ b/SentinelExported-AnalyticsRule/HAFNIUM Suspicious UM Service Error.json 
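Review bot: As deployed, the `InteractiveFile` classification is computed but never applied — the only filter on it, `//| where InteractiveFile =~ "Yes"`, is commented out — so the rule fires on every `"Download failed and temporary file"` message in `http_proxy_oab_CL` regardless of extension, and the `scriptExtensions` list has no effect on what reaches the incident queue. If the broad behaviour is intended, the `description` should say so, since it currently promises alerts on "suspicious file types"; otherwise the filter should be enabled or the choice surfaced in the description's onboarding note. The trailing period in `"displayName": "HAFNIUM Suspicious File Downloads."` is also inconsistent with the other rule names and with the exported file name.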
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a814a61a-672f-431f-9b2b-869e9bcaa534')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a814a61a-672f-431f-9b2b-869e9bcaa534')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "Event\n| where EventLog =~ \"Application\"\n| where Source startswith \"MSExchange\"\n| where EventLevelName =~ \"error\"\n| where (RenderedDescription startswith \"Watson report\" and RenderedDescription contains \"umworkerprocess\" and RenderedDescription contains \"TextFormattingRunProperties\") or RenderedDescription startswith \"An unhandled exception occurred in a UM worker process\" or RenderedDescription startswith \"The Microsoft Exchange Unified Messaging service\" or RenderedDescription contains \"MSExchange Unified Messaging\"\n| where RenderedDescription !contains \"System.OutOfMemoryException\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + 
"columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "HAFNIUM Suspicious UM Service Error", + "enabled": false, + "description": "This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "alertRuleTemplateName": "0625fcce-6d52-491e-8c68-1d9b801d25b9" + } + } + ] +} \ No newline at end of file From 35c26e3f23c47dbb69ee2df14a40067c5d728ace Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:14 +0000 Subject: [PATCH 172/375] Exported file: HAFNIUM UM Service writing suspicious file.json.json --- ...UM UM Service writing suspicious file.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json diff --git a/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json new file mode 100644 index 00000000..c3bd2707 --- /dev/null +++ b/SentinelExported-AnalyticsRule/HAFNIUM UM Service writing suspicious file.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f45e4a0d-2bbf-417c-97b7-643c7d4a0f93')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nunion isfuzzy=true\n(SecurityEvent\n| where EventID == 4663\n| where Process has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where ObjectName has_any (scriptExtensions)\n| where AccessMask in ('0x2','0x100', '0x10', '0x4')\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n),\n(imFileEvent\n| where EventType == \"FileCreated\"\n| where ActingProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n and\n TargetFileName has_any (scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUsername, HostCustomEntity = DvcHostname\n),\n(DeviceFileEvents\n| where ActionType =~ \"FileCreated\"\n| where InitiatingProcessFileName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where FileName has_any(scriptExtensions)\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName, IPCustomEntity = RequestSourceIP)\n", + "suppressionDuration": "PT1H", + 
"suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "HAFNIUM UM Service writing suspicious file", + "enabled": false, + "description": "This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.\nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "alertRuleTemplateName": "7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e" + } + } + ] +} \ No newline at end of file From 2a9779f89b13263673824a737e18e3fe9c06e9e7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:15 +0000 Subject: [PATCH 173/375] Exported file: High Number of Urgent Vulnerabilities Detected (1).json.json --- ...f Urgent Vulnerabilities Detected (1).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json new file mode 100644 index 00000000..500a2085 --- /dev/null +++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected (1).json 
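Review bot: `entityMappings` maps only `IP` → `IPCustomEntity`, but all three `union` branches in `query` set `AccountCustomEntity` and `HostCustomEntity`, and the `imFileEvent` branch sets no `IPCustomEntity` at all — alerts from that branch therefore carry no entity, and alerts from the other two lose the host that wrote the file, which is the first pivot in an Exchange webshell investigation. Adding Account and Host mappings alongside IP exposes what the query already computes; the rest of the resource is unchanged.

```json
"entityMappings": [
  {
    "entityType": "Account",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "AccountCustomEntity" }
    ]
  },
  {
    "entityType": "Host",
    "fieldMappings": [
      { "identifier": "FullName", "columnName": "HostCustomEntity" }
    ]
  },
  {
    "entityType": "IP",
    "fieldMappings": [
      { "identifier": "Address", "columnName": "IPCustomEntity" }
    ]
  }
],
```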
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/02ca5f41-a642-413b-aec0-51b9e20cce8a')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| where Detections_s.Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "be52662c-3b23-435a-a6fa-f39bdfc849e6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ac93e651de824d3e5afdab177aa251c236e2d288 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:15 +0000 Subject: [PATCH 174/375] Exported file: High Number of Urgent Vulnerabilities Detected.json.json --- ...er of Urgent Vulnerabilities Detected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
diff --git a/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
new file mode 100644
index 00000000..2cdfbc25
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Number of Urgent Vulnerabilities Detected.json
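Review bot: This rule and the next commit's `High Number of Urgent Vulnerabilities Detected.json` both export `"displayName": "High Number of Urgent Vulnerabilities Detected"` with the same description, differing only in source table (`QualysHostDetection_CL` with `mv-expand todynamic(Detections_s)` here versus `QualysHostDetectionV2_CL` with `Severity_s` there) and in `alertRuleTemplateName`, so incidents raised by the two are indistinguishable in the queue and a host ingested by both connectors would produce duplicates. Suffixing the names with the connector generation, e.g. `"displayName": "High Number of Urgent Vulnerabilities Detected (Qualys V1)"`, or retiring the rule whose table is no longer populated, avoids that. The `summarize ... by NetBios_s, IPAddress` column is used without the `_s` suffix the other custom-log columns carry — worth confirming against the actual table schema, since an unknown column fails the query at run time. The capitalisation in `"description": "This Creates an incident ..."` should be `This creates`.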
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/04adf3cf-371a-475f-9f03-f7991a6f3aa3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| where Severity_s == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress\n| where count_ >= threshold\n| extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "High Number of Urgent Vulnerabilities Detected",
+ "enabled": false,
+ "description": "This Creates an incident when a host has a high number of Urgent, severity 5, vulnerabilities detected.",
+ "alertRuleTemplateName": "3edb7215-250b-40c0-8b46-79093949242d"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4c22cd7c1e5e99e43dbe90e6e3928c317ac6787a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:16 +0000 Subject: [PATCH 175/375] Exported file: High Urgency Cyberpion Action Items.json.json --- .../High Urgency Cyberpion Action Items.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
diff --git a/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
new file mode 100644
index 00000000..cd614521
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/High Urgency Cyberpion Action Items.json
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af5d8d85-ac5f-4ef7-bf10-7b43986ec91d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let timeframe = 14d;\nlet time_generated_bucket = 1h;\nlet min_urgency = 9;\nlet maxTimeGeneratedBucket = toscalar(\n CyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe)\n | summarize max(bin(TimeGenerated, time_generated_bucket))\n );\nCyberpionActionItems_CL\n | where TimeGenerated > ago(timeframe) and is_open_b == true\n | where bin(TimeGenerated, time_generated_bucket) == maxTimeGeneratedBucket\n | where urgency_d >= min_urgency\n | extend timestamp = opening_datetime_t\n | extend DNSCustomEntity = host_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "High Urgency Cyberpion Action Items", + "enabled": false, + "description": "This query creates an alert for active Cyberpion Action Items with high urgency (9-10).\n Urgency can be altered 
using the \"min_urgency\" variable in the query.", + "alertRuleTemplateName": "8e0403b1-07f8-4865-b2e9-74d1e83200a4" + } + } + ] +} \ No newline at end of file From d37a8b1c967059df926c1e7040e7dfb179c6cd52 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:17 +0000 Subject: [PATCH 176/375] Exported file: High count of connections by client IP on many ports.json.json --- ...onnections by client IP on many ports.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json diff --git a/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json new file mode 100644 index 00000000..be38502a --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of connections by client IP on many ports.json 
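Review bot: The query ends with `extend DNSCustomEntity = host_s`, but the rule properties carry no `entityMappings` block (every other rule in this series declares one), so the affected host is never surfaced as an entity on the alert and incident grouping or investigation cannot use it. With `apiVersion` 2022-09-01-preview the mapping is declared explicitly, e.g. `"entityMappings": [{"entityType": "DNS", "fieldMappings": [{"identifier": "DomainName", "columnName": "DNSCustomEntity"}]}]` next to `incidentConfiguration` — confirm first that `host_s` holds a bare host name rather than a URL. `"techniques": null` alongside `"tactics": ["InitialAccess"]` looks like a placeholder; if a technique is meant it should be recorded, and the InitialAccess tactic for an attack-surface action item is worth a second look. The diff header naming this file precedes the chunk.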
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/16b51acb-d11f-4570-ad5b-2a33fb52e25f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 10m;\nlet portThreshold = 30;\nW3CIISLog\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad 
password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of attempts by client IP on many ports\n| summarize makeset(sPort), makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), ConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| extend portCount = arraylength(set_sPort)\n| where portCount >= portThreshold\n| project TimeGenerated, cIP, set_sPort, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, ConnectionsCount, portCount\n| order by portCount\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": 
"PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "High count of connections by client IP on many ports", + "enabled": false, + "description": "Identifies when 30 or more ports are used for a given client IP in 10 minutes occurring on the IIS server.\nThis could be indicative of attempted port scanning or exploit attempt at internet facing web applications. \nThis could also simply indicate a misconfigured service or device.\nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "44a555d8-ecee-4a25-95ce-055879b4b14b" + } + } + ] +} \ No newline at end of file From 9fa78790218eaead1cd0d1fd347f3c367e854267 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:17 +0000 Subject: [PATCH 177/375] Exported file: High count of failed attempts from same client IP.json.json --- ...f failed attempts from same client IP.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json diff --git a/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json new file mode 100644 index 00000000..17f73e2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of failed attempts from same client IP.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/837ae291-8946-4918-a036-a22f4da70456')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/837ae291-8946-4918-a036-a22f4da70456')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 1m;\nlet failedThreshold = 20;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex 
=~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed attempts from same client IP\n| summarize makeset(decodedUriQuery), makeset(csUserName), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), cIP, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, cIP, set_csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = cIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "High count of failed attempts from same client IP", + "enabled": false, + "description": "Identifies when 20 or more failed attempts from a given client IP in 1 minute occur on the IIS server.\nThis could be indicative of an attempted brute force. This could also simply indicate a misconfigured service or device.\nRecommendations: Validate that these are expected connections from the given Client IP. If the client IP is not recognized, \npotentially block these connections at the edge device.\nIf these are expected connections, verify the credentials are properly configured on the system, service, application or device \nthat is associated with the client IP.\nReferences:\nIIS status code mapping: https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping: https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "19e01883-15d8-4eb6-a7a5-3276cd668388" + } + } + ] +} \ No newline at end of file From 78282ec1e257178d3c0b325c4a066ce8b3bbad66 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:18 +0000 Subject: [PATCH 178/375] Exported file: High count of failed logons by a user.json.json --- ...High count of failed logons by a user.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/High count of failed logons by a user.json diff --git a/SentinelExported-AnalyticsRule/High count of failed logons by a user.json b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json new file mode 100644 index 00000000..83b847c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/High count of failed logons by a user.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fa27bab-66bb-4d8c-a80e-843f48e2a3b0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - 
https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed logons by a user\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, 
set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "High count of failed logons by a user", + "enabled": false, + "description": "Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis could be indicative of attempted brute force based on known account information.\nThis could also simply indicate a misconfigured service or device. \nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx", + "alertRuleTemplateName": "884c4957-70ea-4f57-80b9-1bca3890315b" + } + } + ] +} \ No newline at end of file From c0b23c89c322edae96f81cc356a5bb421a0486df Mon Sep 17 00:00:00 2001 
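Review bot: The Account entity is mapped with identifier `FullName` straight from `csUserName`, but IIS records the user name in whatever form the authentication scheme supplies (`DOMAIN\user`, `user@domain` or a bare name, presumably varying by site), so the same account can appear as different entities here and in other rules; normalizing before mapping — splitting on `\` into `Name`/`NTDomain` or on `@` into `Name`/`UPNSuffix` — would make entity matching reliable. The Exchange-specific rewrite `strcat(tostring(split(csUriQuery, "&")[0]),tostring(split(csUriQuery, "&")[1]))` concatenates two query parameters without a separator, which makes `decodedUriQuery` harder to read in the alert; a `"&"` between them keeps the original shape.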
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:19 +0000 Subject: [PATCH 179/375] Exported file: IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json.json --- ...successfully logs in to Palo Alto VPN.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json diff --git a/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json new file mode 100644 index 00000000..04938243 --- /dev/null +++ b/SentinelExported-AnalyticsRule/IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29579f11-7599-48db-9ded-b81730a99f26')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29579f11-7599-48db-9ded-b81730a99f26')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "//Set a threshold of failed AAD signins from an IP address within 1 day above which we want to deem those logins suspicious.\nlet signin_threshold = 5; \n//Make a list of IPs with AAD signin failures above our threshold.\nlet aadFunc = (tableName:string){\nlet suspicious_signins = \n table(tableName)\n //Looking for logon failure results\n | where ResultType !in (\"0\", \"50125\", \"50140\")\n //Exclude localhost addresses to reduce the chance of FPs\n | where IPAddress !in (\"127.0.0.1\", \"::1\")\n | summarize count() by IPAddress\n | where count_ > signin_threshold\n | summarize make_set(IPAddress);\n suspicious_signins\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet suspicious_signins = \nunion isfuzzy=true aadSignin, aadNonInt\n| summarize make_set(set_IPAddress);\n//See if any of those IPs have sucessfully logged into PA VPNs during the same timeperiod\nCommonSecurityLog\n //Select only PA VPN sucessful logons\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"globalprotect\"\n | where Message has \"GlobalProtect gateway user authentication 
succeeded\"\n //Parse out the logon source IP from the Message field to match on\n | extend SourceIP = extract(\"Login from: ([^,]+)\", 1, Message) \n | where SourceIP in (suspicious_signins)\n | extend Reason = \"Multiple failed AAD logins from SourceIP\"\n //Parse out other useful information from Message field\n | extend User = extract('User name: ([^,]+)', 1, Message) \n | extend ClientOS = extract('Client OS version: ([^,\\\"]+)', 1, Message)\n | extend Location = extract('Source region: ([^,]{2})',1, Message)\n | project TimeGenerated, Reason, SourceIP, User, ClientOS, Location, Message, DeviceName, ReceiptTime, DeviceVendor, DeviceEventClassID, Computer, FileName\n | extend AccountCustomEntity = User, IPCustomEntity = SourceIP, timestamp = TimeGenerated, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN", + "enabled": false, + "description": "This query creates a list of IP addresses with a number failed login attempts to AAD \nabove a set threshold. 
It then looks for any successful Palo Alto VPN logins from any\nof these IPs within the same timeframe.", + "alertRuleTemplateName": "ba144bf8-75b8-406f-9420-ed74397f9479" + } + } + ] +} \ No newline at end of file From c15ea158320cde09432d20c2e9982eeebaf286b3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:20 +0000 Subject: [PATCH 180/375] Exported file: Known Barium IP.json.json --- .../Known Barium IP.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Barium IP.json diff --git a/SentinelExported-AnalyticsRule/Known Barium IP.json b/SentinelExported-AnalyticsRule/Known Barium IP.json new file mode 100644 index 00000000..2834837f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Barium IP.json 
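Review bot: As written the correlation has no time ordering: `suspicious_signins` is built over the whole `queryPeriod` and `where SourceIP in (suspicious_signins)` is a plain set-membership test, so a GlobalProtect login at 01:00 followed by six AAD failures from the same IP at 20:00 is flagged just like the intended "failures, then a successful VPN login" sequence; carrying the earliest failure time per IP (e.g. `min(TimeGenerated)` in the `summarize`) and comparing it against the VPN event time would make the rule match its description, though that is a restructuring rather than a one-line change. The description reads "with a number failed login attempts"; `with a number of failed login attempts` is intended, and the query comments spell "sucessfully" twice. The `Location` extract `([^,]{2})` captures exactly two characters, so a longer region value would be silently truncated.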
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/872545df-734f-481c-acd9-4a2d7af889e3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/872545df-734f-481c-acd9-4a2d7af889e3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet IPList = dynamic([\"216.24.185.74\", \"107.175.189.159\", \"192.210.132.102\", \"67.230.163.214\", \n \"199.19.110.240\", \"107.148.130.176\", \"154.212.129.218\", \"172.86.75.54\", \"45.61.136.199\", \n \"149.28.150.195\", \"108.61.214.194\", \"144.202.98.198\", \"149.28.84.98\", \"103.99.209.78\", \n \"45.61.136.2\", \"176.122.162.149\", \"192.3.80.245\", \"149.28.23.32\", \"107.182.18.149\", \"107.174.45.134\", \n \"149.248.18.104\", \"65.49.192.74\", \"156.255.2.154\", \"45.76.6.149\", \"8.9.11.130\", \"140.238.27.255\", \n \"107.182.24.70\", \"176.122.188.254\", \"192.161.161.108\", \"64.64.234.24\", \"104.224.185.36\", \n \"104.233.224.227\", \"104.36.69.105\", \"119.28.139.120\", \"161.117.39.130\", \"66.42.100.42\", \"45.76.31.159\", \n \"149.248.8.134\", \"216.24.182.48\", \"66.42.103.222\", \"218.89.236.11\", \"180.150.227.249\", \"47.75.80.23\",\n \"124.156.164.19\", \"149.248.62.83\", \"150.109.76.174\", \"222.209.187.207\", \"218.38.191.38\", \n \"119.28.226.59\", \"66.42.98.220\", \"74.82.201.8\", \"173.242.122.198\", \"45.32.130.72\", \"89.35.178.10\", \n \"89.43.60.113\"]); \n(union isfuzzy=true \n(CommonSecurityLog \n| 
where isnotempty(SourceIP) or isnotempty(DestinationIP) \n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList) \n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch \n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n), \n(OfficeActivity \n|extend SourceIPAddress = ClientIP, Account = UserId \n| where SourceIPAddress in (IPList) \n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account \n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer \n| where DestinationIPAddress has_any (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host \n), \n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer \n), \n(Event \n| where Source == \"Microsoft-Windows-Sysmon\" \n| where EventID == 3 \n| extend EvData = parse_xml(EventData) \n| extend EventDetail = EvData.DataItem.EventData.Data \n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = 
EventDetail.[14].[\"#text\"] \n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\") \n), \n(WireData \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer \n), \n(SigninLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(IPAddress) \n| where IPAddress in (IPList) \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n), \n(W3CIISLog \n| where isnotempty(cIP) \n| where cIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName \n), \n(AzureActivity \n| where isnotempty(CallerIpAddress) \n| where CallerIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller \n), \n( \nAWSCloudTrail \n| where isnotempty(SourceIpAddress) \n| where SourceIpAddress in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName \n), \n( \nDeviceNetworkEvents \n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName \n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' 
DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n) \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known Barium IP", + "enabled": false, + "description": "Identifies a match across various data feeds for IP IOCs related to the Barium activity group. \n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", + "alertRuleTemplateName": "6ee72a9e-2e54-459c-bc9a-9c09a6502a63" + } + } + ] +} \ No newline at end of file From 5415508f1d95971bc9784860b4e7a4306efa8181 Mon Sep 17 00:00:00 2001 
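Review bot: The two `AzureDiagnostics` branches at the end of the union set `IPCustomEntity = SourceHost` and never extend `timestamp`, whereas every other branch maps the matched indicator into `IPCustomEntity` and sets `timestamp`; on those alerts the IP entity will be the internal requester rather than the Barium address, and the alert time falls back to the default. `| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP` in both branches aligns them with the rest. The `CommonSecurityLog` branch writes the literal `"IP in Message Field"` into `IPCustomEntity` when the hit came from `Message`, and that string is then mapped as an IP `Address`, producing a bogus entity; leaving the column empty in that case (or extracting the matched address) avoids it. The `imDns` branch assumes the ASIM DNS parser is deployed in the workspace — `isfuzzy=true` tolerates missing tables, but I am not certain it covers a missing function, so this should be verified before enabling. The indicator list is hard-coded in the query; moving it to a watchlist read via `_GetWatchlist()` lets analysts update or retire indicators without editing the rule.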
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:21 +0000 Subject: [PATCH 181/375] Exported file: Known Barium domains.json.json --- .../Known Barium domains.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Barium domains.json diff --git a/SentinelExported-AnalyticsRule/Known Barium domains.json b/SentinelExported-AnalyticsRule/Known Barium domains.json new file mode 100644 index 00000000..26b4f12c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Barium domains.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/afa9ee13-2d74-4ca6-bb7e-8193ba946d40')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet DomainNames = dynamic([\"0.ns1.dns-info.gq\", \"1.ns1.dns-info.gq\", \"10.ns1.dns-info.gq\", \"102.ns1.dns-info.gq\", \n \"104.ns1.dns-info.gq\", \"11.ns1.dns-info.gq\", \"110.ns1.dns-info.gq\", \"115.ns1.dns-info.gq\", \"116.ns1.dns-info.gq\", \n \"117.ns1.dns-info.gq\", \"118.ns1.dns-info.gq\", \"12.ns1.dns-info.gq\", \"120.ns1.dns-info.gq\", \"122.ns1.dns-info.gq\", \n \"123.ns1.dns-info.gq\", \"128.ns1.dns-info.gq\", \"13.ns1.dns-info.gq\", \"134.ns1.dns-info.gq\", \"135.ns1.dns-info.gq\", \n \"138.ns1.dns-info.gq\", \"14.ns1.dns-info.gq\", \"144.ns1.dns-info.gq\", \"15.ns1.dns-info.gq\", \"153.ns1.dns-info.gq\", \n \"157.ns1.dns-info.gq\", \"16.ns1.dns-info.gq\", \"17.ns1.dns-info.gq\", \"18.ns1.dns-info.gq\", \"19.ns1.dns-info.gq\", \n \"1a9604fa.ns1.feedsdns.com\", \"1c7606b6.ns1.steamappstore.com\", \"2.ns1.dns-info.gq\", \"20.ns1.dns-info.gq\", \n \"201.ns1.dns-info.gq\", \"202.ns1.dns-info.gq\", \"204.ns1.dns-info.gq\", \"207.ns1.dns-info.gq\", \"21.ns1.dns-info.gq\", \n \"210.ns1.dns-info.gq\", \"211.ns1.dns-info.gq\", \"216.ns1.dns-info.gq\", \"22.ns1.dns-info.gq\", \"220.ns1.dns-info.gq\", \n \"223.ns1.dns-info.gq\", 
\"23.ns1.dns-info.gq\", \"24.ns1.dns-info.gq\", \"25.ns1.dns-info.gq\", \"26.ns1.dns-info.gq\", \n \"27.ns1.dns-info.gq\", \"28.ns1.dns-info.gq\", \"29.ns1.dns-info.gq\", \"3.ns1.dns-info.gq\", \"30.ns1.dns-info.gq\", \n \"31.ns1.dns-info.gq\", \"32.ns1.dns-info.gq\", \"33.ns1.dns-info.gq\", \"34.ns1.dns-info.gq\", \"35.ns1.dns-info.gq\", \n \"36.ns1.dns-info.gq\", \"37.ns1.dns-info.gq\", \"39.ns1.dns-info.gq\", \"3d6fe4b2.ns1.steamappstore.com\", \n \"4.ns1.dns-info.gq\", \"40.ns1.dns-info.gq\", \"42.ns1.dns-info.gq\", \"43.ns1.dns-info.gq\", \"44.ns1.dns-info.gq\", \n \"45.ns1.dns-info.gq\", \"46.ns1.dns-info.gq\", \"48.ns1.dns-info.gq\", \"5.ns1.dns-info.gq\", \"50.ns1.dns-info.gq\", \n \"50417.service.gstatic.dnset.com\", \"51.ns1.dns-info.gq\", \"52.ns1.dns-info.gq\", \"53.ns1.dns-info.gq\",\n \"54.ns1.dns-info.gq\", \"55.ns1.dns-info.gq\", \"56.ns1.dns-info.gq\", \"57.ns1.dns-info.gq\", \"58.ns1.dns-info.gq\", \n \"6.ns1.dns-info.gq\", \"60.ns1.dns-info.gq\", \"62.ns1.dns-info.gq\", \"63.ns1.dns-info.gq\", \"64.ns1.dns-info.gq\", \n \"65.ns1.dns-info.gq\", \"67.ns1.dns-info.gq\", \"7.ns1.dns-info.gq\", \"70.ns1.dns-info.gq\", \"71.ns1.dns-info.gq\",\n \"73.ns1.dns-info.gq\", \"77.ns1.dns-info.gq\", \"77075.service.gstatic.dnset.com\", \"7c1947fa.ns1.steamappstore.com\",\n \"8.ns1.dns-info.gq\", \"81.ns1.dns-info.gq\", \"86.ns1.dns-info.gq\", \"87.ns1.dns-info.gq\", \"9.ns1.dns-info.gq\", \n \"94343.service.gstatic.dnset.com\", \"9939.service.gstatic.dnset.com\", \"aa.ns.mircosoftdoc.com\", \n \"aaa.feeds.api.ns1.feedsdns.com\", \"aaa.googlepublic.feeds.ns1.dns-info.gq\", \n \"aaa.resolution.174547._get.cache.up.sourcedns.tk\", \"acc.microsoftonetravel.com\", \n \"accounts.longmusic.com\", \"admin.dnstemplog.com\", \"agent.updatenai.com\", \n \"alibaba.zzux.com\", \"api.feedsdns.com\", \"app.portomnail.com\", \"asia.updatenai.com\", \n \"battllestategames.com\", \"bguha.serveuser.com\", \"binann-ce.com\", \"bing.dsmtp.com\", \n \"blog.cdsend.xyz\", 
\"brives.minivineyapp.com\", \"bsbana.dynamic-dns.net\", \n \"californiaforce.000webhostapp.com\", \"californiafroce.000webhostapp.com\", \n \"cdn.freetcp.com\", \"cdsend.xyz\", \"cipla.zzux.com\", \"cloudfeeddns.com\", \"comcleanner.info\",\n \"cs.microsoftsonline.net\", \"dns-info.gq\", \"dns05.cf\", \"dns22.ml\", \"dns224.com\", \n \"dnsdist.org\", \"dnstemplog.com\", \"doc.mircosoftdoc.com\", \"dropdns.com\", \n \"eshop.cdn.freetcp.com\", \"exchange.dumb1.com\", \"exchange.misecure.com\", \"exchange.mrbasic.com\",\n \"facebookdocs.com\", \"facebookint.com\", \"facebookvi.com\", \"feed.ns1.dns-info.gq\", \"feedsdns.com\", \n \"firejun.freeddns.com\", \"ftp.dns-info.dyndns.pro\", \"goallbandungtravel.com\", \"goodhk.azurewebsites.net\", \n \"googlepublic.feed.ns1.dns-info.gq\", \"gp.spotifylite.cloud\", \"gskytop.com\", \"gstatic.dnset.com\", \n \"gxxservice.com\", \"helpdesk.cdn.freetcp.com\", \"id.serveuser.com\", \"infestexe.com\", \"item.itemdb.com\",\n \"m.mircosoftdoc.com\", \"mail.transferdkim.xyz\", \"mcafee.updatenai.com\", \"mecgjm.mircosoftdoc.com\",\n \"microdocs.ga\", \"microsock.website\", \"microsocks.net\", \"microsoft.sendsmtp.com\", \n \"microsoftbook.dns05.com\", \"microsoftcontactcenter.com\", \"microsoftdocs.dns05.com\", \"microsoftdocs.ml\", \n \"microsoftonetravel.com\", \"microsoftonlines.net\", \"microsoftprod.com\", \"microsofts.dns1.us\", \"microsoftsonline.net\",\n \"minivineyapp.com\", \"mircosoftdoc.com\", \"mircosoftdocs.com\", \"mlcrosoft.ninth.biz\", \"mlcrosoft.site\", \n \"mm.portomnail.com\", \"msdnupdate.com\", \"msecdn.cloud\", \"mtnl1.dynamic-dns.net\", \"ns.gstatic.dnset.com\", \n \"ns.microsoftprod.com\", \"ns.steamappstore.com\", \"ns1.cdn.freetcp.com\", \"ns1.comcleanner.info\", \"ns1.dns-info.gq\", \n \"ns1.dns05.cf\", \"ns1.dnstemplog.com\", \"ns1.dropdns.com\", \"ns1.microsoftonetravel.com\", \n \"ns1.microsoftonlines.net\", \"ns1.microsoftprod.com\", \"ns1.microsoftsonline.net\", \"ns1.mlcrosoft.site\", \n 
\"ns1.teams.wikaba.com\", \"ns1.windowsdefende.com\", \"ns2.comcleanner.info\", \"ns2.dnstemplog.com\", \n \"ns2.microsoftonetravel.com\", \"ns2.microsoftprod.com\", \"ns2.microsoftsonline.net\", \"ns2.mlcrosoft.site\", \n \"ns2.windowsdefende.com\", \"ns3.microsoftprod.com\", \"ns3.mlcrosoft.site\", \"nutrition.mrbasic.com\", \n \"nutrition.youdontcare.com\", \"online.mlcrosoft.site\", \"online.msdnupdate.com\", \"outlookservce.site\", \n \"owa.jetos.com\", \"owa.otzo.com\", \"pornotime.co\", \"portomnail.com\", \n \"post.1a0.066e063ac.7c1947fa.ns1.steamappstore.com\", \"pricingdmdk.com\", \"prod.microsoftprod.com\", \n \"product.microsoftprod.com\", \"ptcl.yourtrap.com\", \"query.api.sourcedns.tk\", \"rb.itemdb.com\", \"redditcdn.com\", \n \"rss.otzo.com\", \"secure.msdnupdate.com\", \"service.dns22.ml\", \"service.gstatic.dnset.com\", \"service04.dns04.com\", \n \"settings.teams.wikaba.com\", \"sip.outlookservce.site\", \"sixindent.epizy.com\", \"soft.msdnupdate.com\", \"sourcedns.ml\", \n \"sourcedns.tk\", \"sport.msdnupdate.com\", \"spotifylite.cloud\", \"static.misecure.com\", \"steamappstore.com\", \n \"store.otzo.com\", \"survey.outlookservce.site\", \"team.itemdb.com\", \"temp221.com\", \"test.microsoftprod.com\", \n \"thisisaaa.000webhostapp.com\", \"token.dns04.com\", \"token.dns05.com\", \"transferdkim.xyz\", \n \"travelsanignacio.com\", \"update08.com\", \"updated08.com\", \"updatenai.com\", \"wantforspeed.com\",\n \"web.mircosoftdoc.com\", \"webmail.pornotime.co\", \"webwhois.team.itemdb.com\", \"windowsdefende.com\", \"wnswindows.com\",\n \"ashcrack.freetcp.com\", \"battllestategames.com\", \"binannce.com\", \"cdsend.xyz\", \"comcleanner.info\", \"microsock.website\", \n \"microsocks.net\", \"microsoftsonline.net\", \"mlcrosoft.site\", \"notify.serveuser.com\", \"ns1.microsoftprod.com\", \n \"ns2.microsoftprod.com\", \"pricingdmdk.com\", \"steamappstore.com\", \"update08.com\", \"wnswindows.com\", \n \"youtube.dns05.com\", \"z1.zalofilescdn.com\", 
\"z2.zalofilescdn.com\", \"zalofilescdn.com\"]); \n(union isfuzzy=true \n (CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (DomainNames) \n | extend Account = SourceUserID, Computer = DeviceName, IPAddress = DestinationIP \n ), \n (DnsEvents \n | extend DNSName = Name \n | where isnotempty(DNSName) \n | where DNSName has_any (DomainNames) \n | extend IPAddress = ClientIP \n ), \n (imDns (domain_has_any=DomainNames)\n | extend DNSName = DnsQuery \n | extend IPAddress = SrcIpAddr, Computer = Dvc\n ), \n (VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' * \n | where isnotempty(DNSName) \n | where DNSName in~ (DomainNames) \n | extend IPAddress = RemoteIp \n ), \n ( \n DeviceNetworkEvents \n | where isnotempty(RemoteUrl) \n | where RemoteUrl in~ (DomainNames) \n | extend IPAddress = RemoteIP \n | extend Computer = DeviceName \n ),\n (AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (DomainNames) \n | extend DNSName = Request_Name\n | extend IPAddress = ClientIP \n ),\n (AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (DomainNames) \n | extend DNSName = DestinationHost \n | extend IPAddress = SourceHost\n ) \n ) \n | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known Barium domains", + "enabled": false, + "description": "Identifies a match across various data feeds for domains IOCs related to the Barium activity group.\n References: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", + "alertRuleTemplateName": "70b12a3b-4899-42cb-910c-5ffaf9d7997d" + } + } + ] +} \ No newline at end of file From b05d5e123a2cd39f81296673226124a1393769dd Mon Sep 17 00:00:00 2001 
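Review bot: The `DomainNames` list in the query repeats several entries, e.g. `battllestategames.com`, `cdsend.xyz`, `comcleanner.info`, `steamappstore.com`, `update08.com` and `wnswindows.com` each appear twice; duplicates do not change matching but make the IOC set harder to audit and should be removed before the next export. Matching semantics also differ across the union: the CommonSecurityLog, VMConnection and DeviceNetworkEvents branches use `in~` (whole-value, case-insensitive), while the DnsEvents, `imDns (domain_has_any=...)` and Azure Firewall branches use `has_any` (term match), so a subdomain of a listed name can alert from one source and not another. If that asymmetry is intentional, a one-line comment at the top of the query such as `// in~ branches require an exact hostname; has_any branches also catch subdomains` would keep the next maintainer from changing it. `techniques` is null while `tactics` lists CommandAndControl; populating it would improve the incident's MITRE annotation.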
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:22 +0000
Subject: [PATCH 182/375] Exported file: Known CERIUM domains and hashes.json.json
---
 .../Known CERIUM domains and hashes.json | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
new file mode 100644
index 00000000..6fdffb9b
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known CERIUM domains and hashes.json
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a438db5b-f71f-4cb7-98ad-335e3b8ba533')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = \"miniodaum.ml\";\nlet SHA256Hash = dynamic ([\"53f5773bbfbfbee660989d135c042c9f6f69024b9a4b65bdc0dfd44771762257\", \"0897c80df8b80b4c49bf1ccf876f5f782849608b830c3b5cb3ad212dc3e19eff\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName =~ DomainNames\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = ClientIP\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName =~ DomainNames\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". 
\" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known CERIUM domains and hashes", + "enabled": false, + "description": "CERIUM malicious webserver and hash values for maldocs and malware. 
\n Matches domain name IOCs related to the CERIUM activity group with CommonSecurityLog, DnsEvents, and VMConnection dataTypes.", + "alertRuleTemplateName": "c87fb346-ea3a-4c64-ba92-3dd383e0f0b5" + } + } + ] +} \ No newline at end of file From a20fb478762b3d216625afc9f3cfea969b9ce6a4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:22 +0000 Subject: [PATCH 183/375] Exported file: Known GALLIUM domains and hashes.json.json --- .../Known GALLIUM domains and hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json diff --git a/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json new file mode 100644 index 00000000..360e64e9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known GALLIUM domains and hashes.json 
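Review bot: In the CommonSecurityLog branch, `| where isnotempty(FileHash)` runs before `| where FileHash in (SHA256Hash) or DNSName =~ DomainNames`, so a CEF event that names `miniodaum.ml` but carries no file hash is discarded before the domain test is reached, and the `or` arm is effectively dead for hash-less rows. Folding the emptiness test into the hash arm restores the intended either/or: `| where (isnotempty(FileHash) and FileHash in (SHA256Hash)) or DNSName =~ DomainNames`. The CommonSecurityLog branch of the GALLIUM hunk that follows has the same ordering. The description also lists only CommonSecurityLog, DnsEvents and VMConnection as matched data types, while the query additionally unions two AzureDiagnostics (Azure Firewall) branches; the description should name them so operators know which connectors feed the rule.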
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/338cfd75-5f86-4e98-91a0-87733bd4698e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/338cfd75-5f86-4e98-91a0-87733bd4698e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"asyspy256.ddns.net\",\"hotkillmail9sddcc.ddns.net\",\"rosaf112.ddns.net\",\"cvdfhjh1231.myftp.biz\",\"sz2016rose.ddns.net\",\"dffwescwer4325.myftp.biz\",\"cvdfhjh1231.ddns.net\"]);\nlet SHA1Hash = dynamic ([\"53a44c2396d15c3a03723fa5e5db54cafd527635\", \"9c5e496921e3bc882dc40694f1dcc3746a75db19\", \"aeb573accfd95758550cf30bf04f389a92922844\", \"79ef78a797403a4ed1a616c68e07fff868a8650a\", \"4f6f38b4cec35e895d91c052b1f5a83d665c2196\", \"1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d\", \"e841a63e47361a572db9a7334af459ddca11347a\", \"c28f606df28a9bc8df75a4d5e5837fc5522dd34d\", \"2e94b305d6812a9f96e6781c888e48c7fb157b6b\", \"dd44133716b8a241957b912fa6a02efde3ce3025\", \"8793bf166cb89eb55f0593404e4e933ab605e803\", \"a39b57032dbb2335499a51e13470a7cd5d86b138\", \"41cc2b15c662bc001c0eb92f6cc222934f0beeea\", \"d209430d6af54792371174e70e27dd11d3def7a7\", \"1c6452026c56efd2c94cea7e0f671eb55515edb0\", \"c6b41d3afdcdcaf9f442bbe772f5da871801fd5a\", \"4923d460e22fbbf165bbbaba168e5a46b8157d9f\", \"f201504bd96e81d0d350c3a8332593ee1c9e09de\", \"ddd2db1127632a2a52943a2fe516a2e7d05d70d2\"]);\nlet SHA256Hash = dynamic 
([\"9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd\", \"7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b\", \"657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5\", \"2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29\", \"52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77\", \"a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3\", \"5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022\", \"6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883\", \"3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e\", \"1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7\", \"fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1\", \"7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c\", \"178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945\", \"51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9\", \"889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79\", \"332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf\", \"44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08\", \"63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef\", \"056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070\"]);\nlet SigNames = dynamic([\"TrojanDropper:Win32/BlackMould.A!dha\", \"Trojan:Win32/BlackMould.B!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"Trojan:Win32/Sidelod.A!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n( imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = 
SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA1=' SHA1 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA1Hash) \n| extend Account = UserName\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known GALLIUM domains and hashes", + "enabled": false, + "description": "GALLIUM command and control domains and hash values for tools and malware used by GALLIUM. \n Matches domain name IOCs related to the GALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ ", + "alertRuleTemplateName": "26a3b261-b997-4374-94ea-6c37f67f4f39" + } + } + ] +} \ No newline at end of file From 1fafa17e11a41184daa31f4e290940c0d230f9c2 Mon Sep 17 00:00:00 2001 
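Review bot: The Sysmon branch parses `SHA1` out of `Hashes` and then filters on the unparsed field, `| where Hashes in (SHA1Hash)`; `Hashes` is the `SHA1=...,`-formatted string the parse pattern on the line before expects, so an exact `in` against bare SHA1 values cannot match and the branch never yields a row. The filter should use the parsed value: `| where isnotempty(SHA1) | where SHA1 in (SHA1Hash)`. That branch also has no EventID filter, unlike the Sysmon branch in the IRIDIUM IP hunk that follows, so `EventDetail.[16]` is read positionally from every Sysmon event type; adding `| where EventID == <SYSMON_EVENT_ID>` (placeholder) plus a comment stating which event's field layout index 16 assumes would make it robust to other event types. The CommonSecurityLog branch shares the `isnotempty(FileHash)` pre-filter problem raised on the CERIUM hunk above.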
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:23 +0000
Subject: [PATCH 184/375] Exported file: Known IRIDIUM IP.json.json
---
 .../Known IRIDIUM IP.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
diff --git a/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
new file mode 100644
index 00000000..ca0ee39c
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known IRIDIUM IP.json
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c3ec0a36-7cf7-47df-a82c-fc32720db69f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let IPList = dynamic([\"154.223.45.38\",\"185.141.207.140\",\"185.234.73.19\",\"216.245.210.106\",\"51.91.48.210\",\"46.255.230.229\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"Message\") \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n|extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| where DestinationIPAddress has_any 
(IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = DnsResponseName, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host\n),\n(VMConnection \n| where isnotempty(SourceIp) or isnotempty(DestinationIp) \n| where SourceIp in (IPList) or DestinationIp in (IPList) \n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) \n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n),\n(SigninLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n),\n(W3CIISLog \n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n),\n(AzureActivity \n| where 
isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList) \n| extend DestinationIP = DestinationHost \n| extend IPCustomEntity = SourceHost\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known IRIDIUM IP", + "enabled": false, + "description": "IRIDIUM command and control IP. Identifies a match across various data feeds for IP IOCs related to the IRIDIUM activity group.", + "alertRuleTemplateName": "7ee72a9e-2e54-459c-bc8a-8c08a6532a63" + } + } + ] +} \ No newline at end of file From e2f73204dd903a43849700f4245044fed5eb6743 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:24 +0000 Subject: [PATCH 185/375] Exported file: Known Malware Detected.json.json --- .../Known Malware Detected.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Malware Detected.json diff --git a/SentinelExported-AnalyticsRule/Known Malware Detected.json b/SentinelExported-AnalyticsRule/Known Malware Detected.json new file mode 100644 index 00000000..4ab955a5 --- /dev/null 
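Review bot: The VMConnection branch ends its `extend` with `Host = Computer` but never maps it to `HostCustomEntity`, so a VMConnection hit creates an incident without a Host entity, whereas the DnsEvents branch just above it sets `HostCustomEntity = Host`. Appending `HostCustomEntity = Host` to that final `extend` aligns it with the rest of the union. The two AzureDiagnostics (Azure Firewall) branches at the end likewise set `IPCustomEntity = SourceHost` but no `timestamp`, unlike every other branch; add `| extend timestamp = TimeGenerated` there for consistency. Those firewall branches also match the parsed `DestinationHost` with `has_any (IPList)`, a term match, while every other branch uses exact `in (IPList)`; if exact IP equality is the intent, `DestinationHost in (IPList)` is the stricter form.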
+++ b/SentinelExported-AnalyticsRule/Known Malware Detected.json 
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f8bb5fc-a0ec-432a-8b41-dcdad0fe2646')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nCarbonBlackEvents_CL\n| extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec\n| where targetApp_effectiveReputation_s =~ \"KNOWN_MALWARE\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s\n| extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier":
"FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Known Malware Detected", + "enabled": false, + "description": "This creates an incident when a known Malware is detected on a endpoint managed by a Carbon Black.", + "alertRuleTemplateName": "9f86885f-f31f-4e66-a39d-352771ee789e" + } + } + ] +} \ No newline at end of file From 62e356a8c9e2407b48bab3a1ceb1c64ad61da410 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:25 +0000 Subject: [PATCH 186/375] Exported file: Known Manganese IP and UserAgent activity.json.json --- ...n Manganese IP and UserAgent activity.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json diff --git a/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json new file mode 100644 index 00000000..74a8e5d7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known Manganese IP and UserAgent activity.json 
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd68f806-d8b0-4c8f-aa0f-3b78b59f157f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet IPList = dynamic([\"45.63.52.41\",\"140.82.17.161\",\"207.148.101.95\",\"45.32.87.51\",\"66.42.98.156\",\"45.76.144.105\",\"217.163.28.35\",\"45.32.141.174\",\"149.28.165.249\",\"209.250.225.247\",\"45.63.100.115\",\"95.179.229.230\",\"209.250.233.247\",\"45.77.121.232\",\"45.76.175.65\",\"104.238.160.237\",\"45.77.181.97\",\"95.179.192.125\",\"149.28.93.184\",\"140.82.16.81\",\"45.76.173.103\",\"45.77.255.22\",\"45.32.11.71\",\"149.28.77.26\",\"45.32.54.50\",\"104.156.233.156\",\"45.32.21.118\",\"45.63.62.109\",\"45.77.244.202\",\"149.248.11.205\",\"104.238.190.244\"]);\nlet IOCTerms = \"\\\\?lang=[/..]*/dev/cmdb/sslvpn_websession|/dana-na/jam/[/..]*home/webserver/htdocs/dana/html5acc/guacamole[/..]*etc/passwd\\\\?\";\n(union isfuzzy=true\n(CommonSecurityLog\n| where isnotempty(SourceIP) or isnotempty(DestinationIP)\n| where SourceIP in (IPList) or DestinationIP in (IPList) or has_any_ipv4 (Message, IPList)\n| extend IPMatch = case(\nSourceIP in (IPList), \"SourceIP\", \nDestinationIP in (IPList), \"DestinationIP\",\n\"Message\") \n| where Message matches regex IOCTerms\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch\n| extend timestamp = StartTimeUtc, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"IP in Message Field\") \n),\n(OfficeActivity\n| where isnotempty(UserAgent) and ClientIP in (IPList)\n| where UserAgent contains \"ExchangeServicesClient/0.0.0.0\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SourceIP = ClientIP, Account = UserId, Type, RecordType, OfficeWorkload, UserAgent, OfficeObjectId, IPMatch = \"ClientIP\"\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Collection"
+ ],
+ "techniques": null,
+ "displayName": "Known Manganese IP and UserAgent activity",
+ "enabled": false,
+ "description": "Matches IP plus UserAgent IOCs in OfficeActivity data, along with IP plus Connection string information in the CommonSecurityLog data related to Manganese group activity.\nReferences: \nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/\nhttps://fortiguard.com/psirt/FG-IR-18-384",
+ "alertRuleTemplateName": "a04cf847-a832-4c60-b687-b0b6147da219"
+ }
+ }
+ ]
+}
\ No newline at end
of file
From ccd68cf35d59a7bd288421170eaafd8fbab40987 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:25 +0000
Subject: [PATCH 187/375] Exported file: Known NICKEL domains and hashes.json.json
---
.../Known NICKEL domains and hashes.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
diff --git a/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
new file mode 100644
index 00000000..9ebf81c9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known NICKEL domains and hashes.json
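Review bot: The 31 addresses in `IPList` are embedded in the query with nothing recording when they were published, and IP indicators of this kind age quickly, so an analyst cannot tell from the rule whether a hit is still meaningful; the displayName or description should carry the IOC date the way the `Known PHOSPHORUS group domains/IP - October 2020` rule in this series does, e.g. append `\nIOC set as of: <DATE-PLACEHOLDER>` to the description. Longer term, sourcing the list from a watchlist or the ThreatIntelligenceIndicator table would let it be refreshed without editing the rule body. It is also worth stating in the description that the CommonSecurityLog leg requires both a listed IP and a `Message` matching `IOCTerms`, since the `matches regex` filter is applied after the IP match.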
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe861c55-a355-4af2-8e9e-2e2d8f7a68d9')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"beesweiserdog.com\", \n \"bluehostfit.com\", \n \"business-toys.com\", \n \"cleanskycloud.com\", \n \"cumberbat.com\", \n \"czreadsecurity.com\", \n \"dgtresorgouv.com\", \n \"dimediamikedask.com\", \n \"diresitioscon.com\", \n \"elcolectador.com\", \n \"elperuanos.org\", \n \"eprotectioneu.com\", \n \"fheacor.com\", \n \"followthewaterdata.com\", \n \"francevrteepress.com\", \n \"futtuhy.com\", \n \"gardienweb.com\", \n \"heimflugaustr.com\", \n \"ivpsers.com\", \n \"jkeducation.org\", \n \"micrlmb.com\", \n \"muthesck.com\", \n \"netscalertech.com\", \n \"newgoldbalmap.com\", \n \"news-laestrella.com\", \n \"noticialif.com\", \n \"opentanzanfoundation.com\", \n \"optonlinepress.com\", \n \"palazzochigi.com\", \n \"pandemicacre.com\", \n \"papa-ser.com\", \n \"pekematclouds.com\", \n \"pipcake.com\", \n \"popularservicenter.com\", \n \"projectsyndic.com\", \n \"qsadtv.com\", \n \"sankreal.com\", \n \"scielope.com\", \n \"seoamdcopywriting.com\", \n \"slidenshare.com\", \n \"somoswake.com\", \n \"squarespacenow.com\", \n \"subapostilla.com\", \n \"suzukicycles.net\", \n \"tatanotakeeps.com\", \n \"tijuanazxc.com\", 
\n \"transactioninfo.net\", \n \"eurolabspro.com\", \n \"adelluminate.com\", \n \"headhunterblue.com\", \n \"primenuesty.com\" \n ]);\nlet SHA256Hashes = dynamic ([\"02daf4544bcefb2de865d0b45fc406bee3630704be26a9d6da25c9abe906e7d2\", \n \"0a45ec3da31838aa7f56e4cbe70d5b3b3809029f9159ff0235837e5b7a4cb34c\", \n \"0d7965489810446ca7acc7a2160795b22e452a164261313c634a6529a0090a0c\", \n \"10bb4e056fd19f2debe61d8fc5665434f56064a93ca0ec0bef946a4c3e098b95\", \n \"12d914f24fe5501e09f5edf503820cc5fe8b763827a1c6d44cdb705e48651b21\", \n \"1899f761123fedfeba0fee6a11f830a29cd3653bcdcf70380b72a05b921b4b49\", \n \"22e68e366dd3323e5bb68161b0938da8e1331e4f1c1819c8e84a97e704d93844\", \n \"259783405ec2cb37fdd8fd16304328edbb6a0703bc3d551eba252d9b450554ef\", \n \"26debed09b1bbf24545e3b4501b799b66a0146d4020f882776465b5071e91822\", \n \"35c5f22bb11f7dd7a2bb03808e0337cb7f9c0d96047b94c8afdab63efc0b9bb2\", \n \"3ae2d9ffa4e53519e62cc0a75696f9023f9cce09b0a917f25699b48d0f7c4838\", \n \"3bac2e459c69fcef8c1c93c18e5f4f3e3102d8d0f54a63e0650072aeb2a5fa65\", \n \"3c0bf69f6faf85523d9e60d13218e77122b2adb0136ffebbad0f39f3e3eed4e6\", \n \"3dc0001a11d54925d2591aec4ea296e64f1d4fdf17ff3343ddeea82e9bd5e4f1\", \n \"3fd73af89e94af180b1fbf442bbfb7d7a6c4cf9043abd22ac0aa2f8149bafc90\", \n \"6854df6aa0af46f7c77667c450796d5658b3058219158456e869ebd39a47d54b\", \n \"6b79b807a66c786bd2e57d1c761fc7e69dd9f790ffab7ce74086c4115c9305ce\", \n \"7944a86fbef6238d2a55c14c660c3a3d361c172f6b8fa490686cc8889b7a51a0\", \n \"926904f7c0da13a6b8689c36dab9d20b3a2e6d32f212fca9e5f8cf2c6055333c\", \n \"95e98c811ea9d212673d0e84046d6da94cbd9134284275195800278593594b5a\", \n \"a142625512e5372a1728595be19dbee23eea50524b4827cb64ed5aaeaaa0270b\", \n \"afe5e9145882e0b98a795468a4c0352f5b1ddb7b4a534783c9e8fc366914cf6a\", \n \"b9027bad09a9f5c917cf0f811610438e46e42e5e984a8984b6d69206ceb74124\", \n \"c132d59a3bf0099e0f9f5667daf7b65dba66780f4addd88f04eecae47d5d99fa\", \n \"c9a5765561f52bbe34382ce06f4431f7ac65bafe786db5de89c29748cf371dda\", \n 
\"ce0408f92635e42aadc99da3cc1cbc0044e63441129c597e7aa1d76bf2700c94\", \n \"ce47bacc872516f91263f5e59441c54f14e9856cf213ca3128470217655fc5e6\", \n \"d0fe4562970676e30a4be8cb4923dc9bfd1fca8178e8e7fea0f3f02e0c7435ce\", \n \"d5b36648dc9828e69242b57aca91a0bb73296292bf987720c73fcd3d2becbae6\", \n \"e72d142a2bc49572e2d99ed15827fc27c67fc0999e90d4bf1352b075f86a83ba\"\n ]);\nlet SigNames = dynamic([\"Backdoor:Win32/Leeson\", \"Trojan:Win32/Kechang\", \"Backdoor:Win32/Nightimp!dha\", \"Trojan:Win32/QuarkBandit.A!dha\", \"TrojanSpy:Win32/KeyLogger\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hashes) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns(domain_has_any = DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hashes) \n| extend Account = UserName\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hashes)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ 
(SHA256Hashes)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName)\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known NICKEL domains and hashes",
+ "enabled": false,
+ "description": "IOC domains and hash values for tools and malware used by NICKEL. \n Matches domain name, hash IOCs and M365 Defender sigs related to the NICKEL activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.",
+ "alertRuleTemplateName": "9122a9cb-916b-4d98-a199-1b7b0af8d598"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 7b5c828a9ac38144ae53978e4f5c893731aec0ab Mon Sep 17 00:00:00 2001
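Review bot: In the Sysmon `Event` leg the filter `| where Hashes in (SHA256Hashes)` compares the whole `Hashes` string against bare SHA256 values, and the preceding `| parse Hashes with * 'SHA256=' SHA256 ',' *` shows that string carries at least an algorithm prefix and a trailing comma, so the comparison cannot match; the parsed column is the one to test: `| where isnotempty(SHA256)` and `| where SHA256 in~ (SHA256Hashes)`, which also matches what the `DeviceFileEvents` and `imFileEvent` legs do. That leg also reads the hash by position (`EventDetail.[16].["#text"]`), which presumably depends on a specific Sysmon event schema — a comment in the query naming the event ID it targets would help the next maintainer. The description lists `SecurityEvents` as a data type, but the query reads `Event`, `DeviceFileEvents`, `imFileEvent`, `DeviceNetworkEvents`, `SecurityAlert` and `AzureDiagnostics`; the description should name the tables actually queried.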
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:26 +0000
Subject: [PATCH 188/375] Exported file: Known PHOSPHORUS group domains_IP - October 2020.json.json
---
...HORUS group domains_IP - October 2020.json | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
diff --git a/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
new file mode 100644
index 00000000..9e2d991a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known PHOSPHORUS group domains_IP - October 2020.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1ef21999-d53f-4840-bde9-6b90ee767bb7')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"de-ma.online\", \"g20saudi.000webhostapp.com\", \"ksat20.000webhostapp.com\"]);\nlet EmailAddresses = dynamic([\"munichconference1962@gmail.com\",\"munichconference@outlook.de\", \"munichconference@outlook.com\", \"t20saudiarabia@gmail.com\", \"t20saudiarabia@hotmail.com\", \"t20saudiarabia@outlook.sa\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(DNSName) and DNSName has_any (DomainNames)) \n or (isnotempty(DestinationHostName) and DestinationHostName has_any (DomainNames)) \n or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames)))\n| extend timestamp = TimeGenerated , AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = 
Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated , HostCustomEntity = Computer),\n(SecurityAlert\n| where ProviderName =~ 'OATP'\n| extend UPN = case(isnotempty(parse_json(Entities)[0].Upn), parse_json(Entities)[0].Upn, \n isnotempty(parse_json(Entities)[1].Upn), parse_json(Entities)[1].Upn,\n isnotempty(parse_json(Entities)[2].Upn), parse_json(Entities)[2].Upn,\n isnotempty(parse_json(Entities)[3].Upn), parse_json(Entities)[3].Upn,\n isnotempty(parse_json(Entities)[4].Upn), parse_json(Entities)[4].Upn,\n isnotempty(parse_json(Entities)[5].Upn), parse_json(Entities)[5].Upn,\n isnotempty(parse_json(Entities)[6].Upn), parse_json(Entities)[6].Upn,\n isnotempty(parse_json(Entities)[7].Upn), parse_json(Entities)[7].Upn,\n isnotempty(parse_json(Entities)[8].Upn), parse_json(Entities)[8].Upn,\n parse_json(Entities)[9].Upn)\n| where Entities has_any (EmailAddresses)\n| extend timestamp = TimeGenerated, AccountCustomEntity = tostring(UPN)),\n(AzureDiagnostics\n| where ResourceType =~ \"AZUREFIREWALLS\"\n| where msg_s has_any (DomainNames)\n| extend timestamp = TimeGenerated))\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Known PHOSPHORUS group domains/IP - October 2020",
+ "enabled": false,
+ "description": "Matches IOCs related to PHOSPHORUS group activity published October 2020 with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: ",
+ "alertRuleTemplateName": "7249500f-3038-4b83-8549-9cd8dfa2d498"
+ }
+ }
+ ]
+}
\ No newline at end of file
From aae70d270b3dd76938ca04c70b633f8ecf2afced Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:27 +0000
Subject: [PATCH 189/375] Exported file: Known Phosphorus group domains_IP.json.json
---
.../Known Phosphorus group domains_IP.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
diff --git a/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
new file mode 100644
index 00000000..ac14a690
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known Phosphorus group domains_IP.json
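Review bot: `MessageIP` and `RequestURLIP` are extracted with `IPRegex` in the CommonSecurityLog leg but never referenced afterwards — this rule defines no IP list, so both `extend`s and the `let IPRegex` are dead and should be dropped, or an IP list added if the "domains/IP" in the displayName is intended. The description ends with `References: ` and nothing after it; either add the source of the October 2020 IOCs or remove the empty heading. In the DnsEvents leg `IPCustomEntity = DestinationIPAddress` where `DestinationIPAddress = IPAddresses`, which presumably is a response field that can hold more than one address; if so the IP entity receives a list rather than a single address, so confirm against the table schema.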
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7e19583d-27e1-41c2-90a9-3f813155c6ce')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet DomainNames = dynamic([\"yahoo-verification.org\",\"support-servics.com\",\"verification-live.com\",\"com-mailbox.com\",\"com-myaccuants.com\",\"notification-accountservice.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\"verify-linkedin.net\", 
\n\"yahoo-verification.net\",\"yahoo-verify.net\",\"outlook-verify.net\",\"com-users.net\",\"verifiy-account.net\",\"te1egram.net\",\"account-verifiy.net\",\"myaccount-services.net\",\n\"com-identifier-servicelog.name\",\"microsoft-update.bid\",\"outlook-livecom.bid\",\"update-microsoft.bid\",\"documentsfilesharing.cloud\",\"com-microsoftonline.club\",\n\"confirm-session-identifier.info\",\"session-management.info\",\"confirmation-service.info\",\"document-share.info\",\"broadcast-news.info\",\"customize-identity.info\",\"webemail.info\",\n\"com-identifier-servicelog.info\",\"documentsharing.info\",\"notification-accountservice.info\",\"identifier-activities.info\",\"documentofficupdate.info\",\"recoveryusercustomer.info\",\n\"serverbroadcast.info\",\"account-profile-users.info\",\"account-service-management.info\",\"accounts-manager.info\",\"activity-confirmation-service.info\",\"com-accountidentifier.info\",\n\"com-privacy-help.info\",\"com-sessionidentifier.info\",\"com-useraccount.info\",\"confirmation-users-service.info\",\"confirm-identity.info\",\"confirm-session-identification.info\",\n\"continue-session-identifier.info\",\"customer-recovery.info\",\"customers-activities.info\",\"elitemaildelivery.info\",\"email-delivery.info\",\"identify-user-session.info\",\n\"message-serviceprovider.info\",\"notificationapp.info\",\"notification-manager.info\",\"recognized-activity.info\",\"recover-customers-service.info\",\"recovery-session-change.info\",\n\"service-recovery-session.info\",\"service-session-continue.info\",\"session-mail-customers.info\",\"session-managment.info\",\"session-verify-user.info\",\"shop-sellwear.info\",\n\"supportmailservice.info\",\"terms-service-notification.info\",\"user-activity-issues.info\",\"useridentity-confirm.info\",\"users-issue-services.info\",\"verify-user-session.info\",\n\"login-gov.info\",\"notification-signal-agnecy.info\",\"notifications-center.info\",\"identifier-services-sessions.info\",\"customers-manager.info\",\"sessio
n-manager.info\",\n\"customer-managers.info\",\"confirmation-recovery-options.info\",\"service-session-confirm.info\",\"session-recovery-options.info\",\"services-session-confirmation.info\",\n\"notification-managers.info\",\"activities-services-notification.info\",\"activities-recovery-options.info\",\"activity-session-recovery.info\",\"customers-services.info\",\n\"sessions-notification.info\",\"download-teamspeak.info\",\"services-issue-notification.info\",\"microsoft-upgrade.mobi\",\"broadcastnews.pro\",\"mobile-messengerplus.network\"]);\nlet IPList = dynamic([\"51.91.200.147\"]);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend RequestURLIP = extract(IPRegex, 0, Message)\n| where (isnotempty(SourceIP) and SourceIP in (IPList)) or (isnotempty(DestinationIP) and DestinationIP in (IPList)) \nor (isnotempty(DNSName) and DNSName in~ (DomainNames)) or (isnotempty(DestinationHostName) and DestinationHostName in~ (DomainNames)) or (isnotempty(RequestURL) and (RequestURL has_any (DomainNames) or RequestURLIP in (IPList))) \nor (isnotempty(Message) and MessageIP in (IPList))\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURLIP in (IPList), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP,IPMatch == \"Message\", MessageIP,\nIPMatch == \"RequestUrl\", RequestURLIP,\"NoMatch\"), Account = SourceUserID, Host = DeviceName\n),\n(DnsEvents \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| where DestinationIPAddress in (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = 
Host),\n(imDns\n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| where DestinationIPAddress has_any (IPList) or DNSName has_any (DomainNames) \n| extend timestamp = TimeGenerated, IPCustomEntity = SrcIpAddr, HostCustomEntity = Host),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(SourceIp) or isnotempty(DestinationIp) or isnotempty(DNSName)\n| where SourceIp in (IPList) or DestinationIp in (IPList) or DNSName in~ (DomainNames)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer),\n(OfficeActivity\n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPCustomEntity = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPCustomEntity = SourceHost \n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl"
+ ],
+ "techniques": null,
+ "displayName": "Known Phosphorus group domains/IP",
+ "enabled": false,
+ "description": "Matches domain name IOCs related to Phosphorus group activity with CommonSecurityLog, DnsEvents, OfficeActivity and VMConnection dataTypes.\nReferences: https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/.",
+ "alertRuleTemplateName": "155f40c6-610d-497d-85fc-3cf06ec13256"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d27f1db94b23099c0f320fb69585a11f80442cd0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:28 +0000
Subject: [PATCH 190/375] Exported file: Known STRONTIUM group domains - July 2019.json.json
---
...n STRONTIUM group domains - July 2019.json | 77 +++++++++++++++++++
1 file changed, 77 insertions(+)
create mode 100644 SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
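Review bot: The entity mappings read `AccountCustomEntity` and `HostCustomEntity`, but the CommonSecurityLog leg ends with `Account = SourceUserID, Host = DeviceName` and the VMConnection leg with `Host = Computer`, so the Account and Host entities are empty for hits from those two sources even though the IP entity is populated; rename to `AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName` and `HostCustomEntity = Computer`, as the DnsEvents, imDns and OfficeActivity legs already do. The DnsEvents leg also tests `DestinationIPAddress in (IPList)` while the imDns leg uses `has_any (IPList)`; if `IPAddresses` can carry several answers for one query, the exact `in` match misses multi-answer responses and `has_any` would be the consistent choice — confirm against the table schema. The single address in `IPList` carries no publication date; the description should say when the IOC set was collected, as the displayName of the October 2020 variant of this rule does.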
diff --git a/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
new file mode 100644
index 00000000..8400e3be
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Known STRONTIUM group domains - July 2019.json
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0adc565-7cd3-47f0-9027-c700df43303a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0adc565-7cd3-47f0-9027-c700df43303a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let DomainNames = dynamic([\"irf.services\",\"microsoft-onthehub.com\",\"msofficelab.com\",\"com-mailbox.com\",\"my-sharefile.com\",\"my-sharepoints.com\",\n\"accounts-web-mail.com\",\"customer-certificate.com\",\"session-users-activities.com\",\"user-profile-credentials.com\",\"verify-linke.com\",\"support-servics.net\",\n\"onedrive-sharedfile.com\",\"onedrv-live.com\",\"transparencyinternational-my-sharepoint.com\",\"transparencyinternational-my-sharepoints.com\",\"soros-my-sharepoint.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| extend Account = SourceUserID, Host = DeviceName, IPAddress = SourceIP),\n(DnsEvents \n| extend IPAddress = ClientIP, DNSName = Name, Host = Computer),\n(imDns (domain_has_any=DomainNames)\n| extend IPAddress = SrcIpAddr, DNSName = DnsQuery, Host = Dvc),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPAddress = RemoteIp, Host = Computer),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID 
\" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost)\n)\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend timestamp = TimeGenerated, IPCustomEntity = IPAddress, AccountCustomEntity = Account, HostCustomEntity = Host\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Known STRONTIUM group domains - July 2019", + "enabled": false, + "description": "Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents and VMConnection dataTypes.\nReferences: 
https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/.", + "alertRuleTemplateName": "074ce265-f684-41cd-af07-613c5f3e6d0d" + } + } + ] +} \ No newline at end of file From 099fa4d033eb95ad76459715afb55383947a6f96 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:28 +0000 Subject: [PATCH 191/375] Exported file: Known ZINC Comebacker and Klackring malware hashes.json.json --- ...mebacker and Klackring malware hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json diff --git a/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json new file mode 100644 index 00000000..e47bd107 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known ZINC Comebacker and Klackring malware hashes.json 
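Review bot: The description at the end of the hunk names only CommonSecurityLog, DnsEvents and VMConnection, but the query also unions imDns and two AzureDiagnostics (Azure Firewall DNS proxy and application rule) branches, so the documentation understates which tables and connectors the rule depends on. Suggested wording: `Matches domain name IOCs related to Strontium group activity published July 2019 with CommonSecurityLog, DnsEvents, imDns, VMConnection and AzureDiagnostics (Azure Firewall) dataTypes.` The per-table branches do no matching of their own and rely entirely on the outer `| where DNSName has_any (DomainNames)`, which differs from the sibling ZINC rule in this series where each branch filters itself; a one-line comment at the top of the query saying that the outer filter is the only match step would help the next maintainer who adds a branch.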
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8a5e860b-05d8-47b1-bb76-f690d926ab12')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8a5e860b-05d8-47b1-bb76-f690d926ab12')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let tokens = dynamic([\"SSL_HandShaking\", \"ASN2_TYPE_new\", \"sql_blob_open\", \"cmsSetLogHandlerTHR\", \"ntSystemInfo\", \"SetWebFilterString\", \"CleanupBrokerString\", \"glInitSampler\", \"deflateSuffix\", \"ntWindowsProc\"]);\nlet DomainNames = dynamic(['codevexillium.org', 'angeldonationblog.com', 'investbooking.de', 'krakenfolio.com']);\nlet SHA256Hash = dynamic(['58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495','e0e59bfc22876c170af65dcbf19f744ae560cc43b720b23b9d248f4505c02f3e','3d3195697521973efe0097a320cbce0f0f98d29d50e044f4505e1fbc043e8cf9', '0a2d81164d524be7022ba8fd4e1e8e01bfd65407148569d172e2171b5cd76cd4', '96d7a93f6691303d39a9cc270b8814151dfec5683e12094537fd580afdf2e5fe','dc4cf164635db06b2a0b62d313dbd186350bca6fc88438617411a68df13ec83c', '46efd5179e43c9cbf07dcec22ce0d5527e2402655aee3afc016e5c260650284a', '95e42a94d4df1e7e472998f43b9879eb34aaa93f3705d7d3ef9e3b97349d7008', '9d5320e883264a80ea214077f44b1d4b22155446ad5083f4b27d2ab5bd127ef5', '9fd05063ad203581a126232ac68027ca731290d17bd43b5d3311e8153c893fe3', 'ada7e80c9d09f3efb39b729af238fcdf375383caaf0e9e0aed303931dc73b720', 
'edb1597789c7ed784b85367a36440bf05267ac786efe5a4044ec23e490864cee', '33665ce1157ddb7cd7e905e3356b39245dfba17b7a658bdbf02b6968656b9998', '3ab770458577eb72bd6239fe97c35e7eb8816bce5a4b47da7bd0382622854f7c', 'b630ad8ffa11003693ce8431d2f1c6b8b126cd32b657a4bfa9c0dbe70b007d6c', '53f3e55c1217dafb8801af7087e7d68b605e2b6dde6368fceea14496c8a9f3e5', '99c95b5272c5b11093eed3ef2272e304b7a9311a22ff78caeb91632211fcb777', 'f21abadef52b4dbd01ad330efb28ef50f8205f57916a26daf5de02249c0f24ef', '2cbdea62e26d06080d114bbd922d6368807d7c6b950b1421d0aa030eca7e85da', '079659fac6bd9a1ce28384e7e3a465be4380acade3b4a4a4f0e67fd0260e9447']);\nlet SigNames = dynamic([\"Backdoor:Script/ComebackerCompile.A!dha\", \"Trojan:Win64/Comebacker.A!dha\", \"Trojan:Win64/Comebacker.A.gen!dha\", \"Trojan:Win64/Comebacker.B.gen!dha\", \"Trojan:Win32/Comebacker.C.gen!dha\", \"Trojan:Win32/Klackring.A!dha\", \"Trojan:Win32/Klackring.B!dha\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in~ (SHA256Hash) or DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n| project Type, TimeGenerated, Computer, Account, IPAddress, FileHash, DNSName\n),\n(DnsEvents\n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend Type = \"DnsEvents\", IPAddress = ClientIP\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(imDns(domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend Type = \"imDns\", IPAddress = SrcIpAddr, Computer=Dvc\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(VMConnection\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n| project Type, TimeGenerated, Computer, IPAddress, DNSName\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| 
where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| where isnotempty(Hashes)\n| parse Hashes with * 'SHA256=' SHA256 ',' * \n| where SHA256 in~ (SHA256Hash) \n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = Hashes\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (SHA256Hash)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (SHA256Hash)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(DeviceNetworkEvents\n| where RemoteUrl in~ (DomainNames)\n| extend Computer = DeviceName, IPAddress = LocalIP, Account = InitiatingProcessAccountName\n| project Type, TimeGenerated, Computer, Account, IPAddress, RemoteUrl\n),\n(SecurityAlert\n| where ProductName == \"Microsoft Defender Advanced Threat Protection\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where isnotempty(ThreatName)\n| where ThreatName has_any (SigNames)\n| extend Computer = tostring(parse_json(Entities)[0].HostName) \n| project Type, TimeGenerated, Computer\n),\n(DeviceProcessEvents\n| where FileName =~ \"powershell.exe\" or FileName =~ \"rundll32.exe\"\n| where (ProcessCommandLine has \"is64bitoperatingsystem\" and ProcessCommandLine has \"Debug\\\\Browse\") or (ProcessCommandLine has_any (tokens))\n| extend Computer = DeviceName, Account = AccountName, CommandLine = ProcessCommandLine\n| project Type, TimeGenerated, Computer, Account, 
CommandLine, FileName\n),\n(SecurityEvent\n| where ProcessName has_any (\"powershell.exe\", \"rundll32.exe\")\n| where (CommandLine has \"is64bitoperatingsystem\" and CommandLine has \"Debug\\\\Browse\") or (CommandLine has_any (tokens))\n| project Type, TimeGenerated, Computer, Account, ProcessName, CommandLine \n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "Known ZINC Comebacker and Klackring malware hashes", + "enabled": false, + "description": "ZINC attacks against security researcher campaign malware hashes.", + "alertRuleTemplateName": "09551db0-e147-4a0c-9e7b-918f88847605" + } + } + ] +} \ No newline at end of file From ad15f63a101ed9646aafe91aff922dea4f5534ed Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:29 +0000 Subject: [PATCH 192/375] Exported file: Known ZINC related maldoc hash.json.json --- .../Known ZINC related maldoc hash.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json 
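Review bot: The DeviceNetworkEvents branch filters with `RemoteUrl in~ (DomainNames)`, an exact whole-string comparison, while every other domain branch in this query uses `has_any`; if RemoteUrl carries a scheme, port or path the listed domains will not match this branch at all. Change it to `| where RemoteUrl has_any (DomainNames)` for consistency with the DnsEvents and AzureDiagnostics branches. In the Sysmon `Event` branch, `parse Hashes with * 'SHA256=' SHA256 ',' *` only succeeds when a comma follows the SHA256 value; if a sensor reports SHA256 as the last entry in the field the parse yields an empty value and the hash is never compared, which cannot be confirmed from the hunk alone but is worth a comment or an `extract` that tolerates end-of-string. The comment `this may need updataing` in that branch also has a typo.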
diff --git a/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json new file mode 100644 index 00000000..c3947948 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Known ZINC related maldoc hash.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6587f4a3-260a-470f-a372-fd7d879e9772')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6587f4a3-260a-470f-a372-fd7d879e9772')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let SHA256Hash = \"1174fd03271f80f5e2a6435c72bdd0272a6e3a37049f6190abf125b216a83471\" ;\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where FileHash in (SHA256Hash) \n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updataing\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend Hashes = EventDetail.[16].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA265 ',' * \n| where isnotempty(Hashes)\n| where Hashes in (SHA256Hash) \n| extend Account = UserName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": 
[], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Known ZINC related maldoc hash", + "enabled": false, + "description": "Document hash used by ZINC in highly targeted spear phishing campaign.", + "alertRuleTemplateName": "3174a9ec-d0ad-4152-8307-94ed04fa450a" + } + } + ] +} \ No newline at end of file From 5fea9f63828fbdebf9a77165a378f2efdd7a5ae6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:30 +0000 Subject: [PATCH 193/375] Exported file: Linked Malicious Storage Artifacts.json.json --- .../Linked Malicious Storage Artifacts.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json diff --git a/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json new file mode 100644 index 00000000..ee6c08b8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Linked Malicious Storage Artifacts.json 
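Review bot: The Sysmon `Event` branch can never match the hash: it parses the digest into `SHA265` (typo) and then filters on the whole field with `| where Hashes in (SHA256Hash)`, and `Hashes` holds the full `ALG=value,...` string that the parse pattern itself assumes, not the bare digest. Replace the two lines with `| parse Hashes with * 'SHA256=' SHA256 ',' *` and `| where SHA256 =~ SHA256Hash` (the `isnotempty(Hashes)` guard can stay). The CommonSecurityLog branch compares with the case-sensitive `in`, whereas the sibling ZINC rule in this series uses `in~`; hex digests from different sensors differ in case, so `| where FileHash =~ SHA256Hash` is the safer comparison.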
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/62e59eb2-2ac3-4a04-b73e-9aaea7a00c90')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\n//Collect the alert events\nlet alertData = SecurityAlert \n| where DisplayName has \"Potential malware uploaded to\" \n| extend Entities = parse_json(Entities) \n| mv-expand Entities;\n//Parse the IP address data\nlet ipData = alertData \n| where Entities['Type'] =~ \"ip\" \n| extend AttackerIP = tostring(Entities['Address']), AttackerCountry = tostring(Entities['Location']['CountryName']);\n//Parse the file data\nlet FileData = alertData \n| where Entities['Type'] =~ \"file\" \n| extend MaliciousFileDirectory = tostring(Entities['Directory']), MaliciousFileName = tostring(Entities['Name']), MaliciousFileHashes = tostring(Entities['FileHashes']);\n//Combine the File and IP data together\nipData \n| join (FileData) on VendorOriginalId \n| summarize by TimeGenerated, AttackerIP, AttackerCountry, DisplayName, ResourceId, AlertType, MaliciousFileDirectory, MaliciousFileName, MaliciousFileHashes\n//Create a type column so we can track if it was a File storage or blobl storage upload \n| extend type = iff(DisplayName has \"file\", \"File\", \"Blob\") \n| join (\n union\n StorageFileLogs, \n StorageBlobLogs \n //File upload operations \n | where 
OperationName =~ \"PutBlob\" or OperationName =~ \"PutRange\"\n //Parse out the uploader IP \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0])\n //Extract the filename from the Uri \n | extend FileName = extract(@\"\\/([\\w\\-. ]+)\\?\", 1, Uri)\n //Base64 decode the MD5 filehash, we will encounter non-ascii hex so string operations don't work\n //We can work around this by making it an array then converting it to hex from an int \n | extend base64Char = base64_decode_toarray(ResponseMd5) \n | mv-expand base64Char \n | extend hexChar = tohex(toint(base64Char))\n | extend hexChar = iff(strlen(hexChar) < 2, strcat(\"0\", hexChar), hexChar) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | summarize make_list(hexChar) by CorrelationId, ResponseMd5, FileName, AccountName, TimeGenerated, RequestBodySize, ClientIP, SourceTable \n | extend Md5Hash = strcat_array(list_hexChar, \"\")\n //Pack the file information the summarise into a ClientIP row \n | extend p = pack(\"FileName\", FileName, \"FileSize\", RequestBodySize, \"Md5Hash\", Md5Hash, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize UploadedFileInfo=make_list(p), FilesUploaded=count() by ClientIP \n | join kind=leftouter (\n union\n StorageFileLogs,\n StorageBlobLogs \n | where OperationName =~ \"DeleteFile\" or OperationName =~ \"DeleteBlob\" \n | extend ClientIP = tostring(split(CallerIpAddress, \":\", 0)[0]) \n | extend FileName = extract(@\"\\/([\\w\\-. 
]+)\\?\", 1, Uri) \n | extend SourceTable = iff(OperationName has \"range\", \"StorageFileLogs\", \"StorageBlobLogs\") \n | extend p = pack(\"FileName\", FileName, \"Time\", TimeGenerated, \"SourceTable\", SourceTable) \n | summarize DeletedFileInfo=make_list(p), FilesDeleted=count() by ClientIP\n ) on ClientIP\n ) on $left.AttackerIP == $right.ClientIP \n| mvexpand UploadedFileInfo \n| extend LinkedMaliciousFileName = UploadedFileInfo.FileName \n| extend LinkedMaliciousFileHash = UploadedFileInfo.Md5Hash \n| project AlertTimeGenerated = TimeGenerated, tostring(LinkedMaliciousFileName), tostring(LinkedMaliciousFileHash), AlertType, AttackerIP, AttackerCountry, MaliciousFileDirectory, MaliciousFileName, FilesUploaded, UploadedFileInfo \n| extend FileHashCustomEntity = LinkedMaliciousFileName, HashAlgorithm = \"MD5\", IPCustomEntity = AttackerIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Exfiltration" + ], + "techniques": null, + "displayName": "Linked Malicious Storage Artifacts", + "enabled": false, + "description": "An IP address which uploaded malicious content to an Azure Blob or File Storage container (triggering a malware alert) also uploaded additional files.", + "alertRuleTemplateName": "b9e3b9f8-a406-4151-9891-e5ff1ddd8c1d" + } + } + ] +} \ No newline at end of file 
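Review bot: The last line of the query sets `FileHashCustomEntity = LinkedMaliciousFileName`, so the FileHash entity mapping (`Value` → `FileHashCustomEntity`) receives the file name rather than the decoded MD5, and `HashAlgorithm = "MD5"` is attached to a value that is not a hash. It should read `| extend FileHashCustomEntity = LinkedMaliciousFileHash, HashAlgorithm = "MD5", IPCustomEntity = AttackerIP`. In the delete sub-join, `SourceTable = iff(OperationName has "range", "StorageFileLogs", "StorageBlobLogs")` is evaluated on DeleteFile/DeleteBlob operations where `range` never occurs, so deleted files appear to be labelled StorageBlobLogs unconditionally; `iff(OperationName =~ "DeleteFile", "StorageFileLogs", "StorageBlobLogs")` would classify them. The comment `blobl storage` has a typo.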
From 9b80b80fb724af22e7205116e0a3c7f82efd9537 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:31 +0000 Subject: [PATCH 194/375] Exported file: Log4j vulnerability exploit aka Log4Shell IP IOC.json.json --- ...rability exploit aka Log4Shell IP IOC.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json diff --git a/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json new file mode 100644 index 00000000..d3dd465c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Log4j vulnerability exploit aka Log4Shell IP IOC.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6392295f-31e9-45da-8c14-5554a2b3fb7c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6392295f-31e9-45da-8c14-5554a2b3fb7c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet IPList = externaldata(IPAddress:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Log4j_IOC_List.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or Message has_any (IPList)\n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"No Match\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIP, DestinationIP, DeviceProduct, DeviceAction, Message, MessageIP, Protocol, SourcePort, DestinationPort, DeviceAddress, DeviceName, IPMatch, LogType = Type \n| extend timestamp = StartTime, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"No Match\")\n),\n(OfficeActivity \n| extend SourceIPAddress = ClientIP, Account = UserId\n| where SourceIPAddress in (IPList)\n| extend 
timestamp = TimeGenerated , IPCustomEntity = SourceIPAddress , AccountCustomEntity = Account, LogType = Type\n),\n(DnsEvents\n| where IPAddresses has_any (IPList)\n| extend DestinationIPAddress = IPAddresses, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imDns (response_has_any_prefix=IPList)\n| extend DestinationIPAddress = ResponseName, Host = SrcIpAddr\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host, LogType = Type\n),\n(imNetworkSession (dstipaddr_has_any_prefix=IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = DstIpAddr, HostCustomEntity = SrcIpAddr, LogType = Type\n),\n (VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList)\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"None\"), Host = Computer, LogType = Type\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\"), LogType = Type\n),\n(WireData\n| where isnotempty(RemoteIP) \n| where RemoteIP in (IPList) \n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, LogType = Type\n),\n(SigninLogs\n| where 
isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(AADNonInteractiveUserSignInLogs\n| where isnotempty(IPAddress)\n| where IPAddress in (IPList)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, LogType = Type\n),\n(W3CIISLog\n| where isnotempty(cIP)\n| where cIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, LogType = Type\n),\n(AzureActivity\n| where isnotempty(CallerIpAddress)\n| where CallerIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, LogType = Type\n),\n(\nAWSCloudTrail\n| where isnotempty(SourceIpAddress)\n| where SourceIpAddress in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, LogType = Type\n), \n( \nDeviceNetworkEvents\n| where isnotempty(RemoteIP)\n| where RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nAzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallNetworkRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (IPList)\n| extend DestinationIP = DestinationHost\n| extend IPCustomEntity = SourceHost, LogType = Type\n),\n(\nDeviceProcessEvents \n| where InitiatingProcessFileName =~ \"java.exe\" and ProcessCommandLine has_all ('curl -s','wget') or\nProcessCommandLine has_all ('curl',@'${jndi') or \nProcessCommandLine has_any (\"${jndi:ldap://\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop://\",\"${jndi:\",'${web:','${jvmrunargs:')\n| extend LogType = Type\n),\n(\nDeviceNetworkEvents\n| where RemoteIP in(IPList) and ActionType != \"ConnectionFailed\"\n| extend LogType = Type\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Log4j vulnerability exploit aka Log4Shell IP IOC", + "enabled": false, + "description": "Identifies a match across various data feeds for IP IOCs related to the Log4j vulnerability exploit aka Log4Shell described in CVE-2021-44228. \n References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228", + "alertRuleTemplateName": "6e575295-a7e6-464c-8192-3e1d8fd6a990" + } + } + ] +} \ No newline at end of file 
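Review bot: DeviceNetworkEvents is unioned twice, once with `RemoteIP in (IPList)` and again at the end with `RemoteIP in(IPList) and ActionType != "ConnectionFailed"`; the second filter is a strict subset of the first, so every matching connection is emitted twice and the duplicate carries no entity columns, so drop the last branch or fold the `ActionType` condition into the first one. The DeviceProcessEvents branch likewise ends with only `| extend LogType = Type`, so a hit there produces an alert with no Account, Host or IP entity; add `| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = AccountName, LogType = Type`. In that same branch `and` binds tighter than `or`, so the `InitiatingProcessFileName =~ "java.exe"` restriction applies only to the first `has_all` clause — if that is intended, a comment saying so would save the next reader a double-take. The IOC list is fetched at query time via `externaldata` from a public raw.githubusercontent.com URL, so the rule's matches depend on a feed the workspace does not control; a comment noting that, or a move to a workspace watchlist, would make the trust boundary explicit.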
From cd8b38230720de3dfcd02c1c00a2939e18815afd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:31 +0000 Subject: [PATCH 195/375] Exported file: Login to AWS Management Console without MFA.json.json --- ...to AWS Management Console without MFA.json | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json diff --git a/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json new file mode 100644 index 00000000..cde09b40 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Login to AWS Management Console without MFA.json 
@@ -0,0 +1,71 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ebbc52fe-8427-412b-98a7-6804d5506f7d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nAWSCloudTrail\n| where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "DefenseEvasion",
+ "PrivilegeEscalation",
+ "Persistence",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Login to AWS Management Console without MFA",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
+ "alertRuleTemplateName": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 5faa2b1ab37e3b3651e534a0681dd28e54084f22 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:32 +0000
Subject: [PATCH 196/375] Exported file: MFA Rejected by User.json.json
---
 .../MFA Rejected by User.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/MFA Rejected by User.json
diff --git a/SentinelExported-AnalyticsRule/MFA Rejected by User.json b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
new file mode 100644
index 00000000..bd685e97
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA Rejected by User.json
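Review bot: `MFAUsed !~ "Yes"` in the query also matches events whose AdditionalEventData carries no MFAUsed property at all, because tostring() of a missing property yields an empty string; federated console sessions, where the second factor is enforced at the identity provider rather than by AWS, presumably land in that bucket and would raise one Low alert per login. If that noise is unwanted, separate the definite case `| where MFAUsed =~ "No"` from an `isempty(MFAUsed)` branch that can be tuned on UserIdentityType. The description promises the rule "can limit this detection to trigger for administrative accounts", but nothing in the query does so, and it misspells the word as "adminsitrative".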
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b3345cc6-ee8c-46d4-abc9-8adae4b877d1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "SigninLogs\n| where ResultType == 500121\n| extend additionalDetails_ = tostring(Status.additionalDetails)\n| where additionalDetails_ =~ \"MFA denied; user declined the authentication\"\n| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA Rejected by User",
+ "enabled": false,
+ "description": "Identifies accurances where a user has rejected an MFA prompt. This could be an indicator that a threat actor has compromised the username and password of this user account and is using it to try and log into the account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "d99cf5c3-d660-436c-895b-8a8f8448da23"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9b71a0dd919da2eb58e869b7a6fc57c87379f842 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:33 +0000
Subject: [PATCH 197/375] Exported file: MFA disabled for a user.json.json
---
 .../MFA disabled for a user.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/MFA disabled for a user.json
diff --git a/SentinelExported-AnalyticsRule/MFA disabled for a user.json b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
new file mode 100644
index 00000000..32292735
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/MFA disabled for a user.json
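Review bot: `ResultType == 500121` compares the SigninLogs ResultType column, which is string-typed, against a numeric literal, so the filter relies on implicit conversion; the string form `| where ResultType == "500121"` is unambiguous. The second filter keys on the exact wording of Status.additionalDetails, so any change to that text upstream would silently stop detections; that dependency is worth a sentence in the description. The description also misspells "occurrences" as "accurances".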
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/704b2418-b2bd-4b4a-8f9e-cf47562e133d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(AuditLogs \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| extend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSCloudTrail\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "MFA disabled for a user",
+ "enabled": false,
+ "description": "Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ",
+ "alertRuleTemplateName": "65c78944-930b-4cae-bd79-c3664ae30ba7"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 4e3e485bf77d32e0613d2b8afd5f8bd854a967d2 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:34 +0000
Subject: [PATCH 198/375] Exported file: MSHTML vulnerability CVE-2021-40444 attack.json.json
---
 ...L vulnerability CVE-2021-40444 attack.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
diff --git a/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json
new file mode 100644
index 00000000..d7624dab
--- /dev/null
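Review bot: In the AWSCloudTrail branch `TargetUser` is read from `RequestParameters.userName`, but a DeleteVirtualMFADevice call carries only a serialNumber, so those events produce an empty User and therefore an empty AccountCustomEntity on the incident; `| extend TargetUser = coalesce(tostring(parse_json(RequestParameters).userName), tostring(parse_json(RequestParameters).serialNumber))` keeps an identifier on the row. Neither branch filters on outcome (the AuditLogs branch ignores Result, the AWS branch ignores ErrorCode), which matches the description's "attempt" wording but should be stated there so analysts expect denied attempts to alert as well. The description string also ends in a stray trailing space.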
+++ b/SentinelExported-AnalyticsRule/MSHTML vulnerability CVE-2021-40444 attack.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3aa3ab52-566f-46a0-a5c9-caba62eaa518')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "( union isfuzzy=true\n(SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| extend FileName = Process, ProcessCommandLine = CommandLine\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n),\n(DeviceProcessEvents\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\nor ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingProcessAccountUpn, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1 \n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend Image = column_ifexists(\"Image\", \"\"), ProcessCommandLine = column_ifexists(\"CommandLine\", \"\")\n| extend FileName = split(Image, '\\\\', -1)[-1]\n| where (FileName in~('control.exe','rundll32.exe') and ProcessCommandLine has '.cpl:')\n or ProcessCommandLine matches regex @'\\\".[a-zA-Z]{2,4}:\\.\\.\\/\\.\\.'\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer\n)\n)\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "MSHTML vulnerability CVE-2021-40444 attack",
+ "enabled": false,
+ "description": "This query detects attacks that exploit the CVE-2021-40444 MSHTML vulnerability using specially crafted Microsoft Office documents. \n The detection searches for relevant files used in the attack along with regex matches in commnadline to look for pattern similar to : \".cpl:../../msword.inf\"\n Refrence: https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/",
+ "alertRuleTemplateName": "972c89fa-c969-4d12-932f-04d55d145299"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ab4fa6a2694864035e7fa366d514188e79dcba1e Mon Sep 17 00:00:00 2001
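Review bot: The SecurityEvent branch keeps only 4688 events with a non-empty CommandLine, so on hosts where command-line auditing for process creation is not enabled that branch returns nothing and detection silently rests on the DeviceProcessEvents and Sysmon branches; that prerequisite belongs in the description. The description also misspells "commnadline" and "Refrence". Minor: in the Sysmon branch `FileName = split(Image, '\\', -1)[-1]` is a dynamic value that is then compared with `in~`; wrapping it in tostring() makes the comparison explicit rather than relying on implicit conversion.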
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:34 +0000
Subject: [PATCH 199/375] Exported file: Mail redirect via ExO transport rule.json.json
---
 .../Mail redirect via ExO transport rule.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
diff --git a/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
new file mode 100644
index 00000000..1da049e2
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail redirect via ExO transport rule.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4af76a04-0e2a-4892-ae63-3de3b4e9ead2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nOfficeActivity\n| where OfficeWorkload == \"Exchange\"\n| where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n| extend p = parse_json(Parameters)\n| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", tostring(OfficeObjectId),\n Operation =~ \"New-TransportRule\", tostring(p[1].Value),\n \"Unknown\"\n ) \n| mvexpand p\n| where (p.Name =~ \"BlindCopyTo\" or p.Name =~ \"RedirectMessageTo\") and isnotempty(p.Value)\n| extend RedirectTo = p.Value\n| extend ClientIPOnly = case( \n ClientIP has \".\" and ClientIP has \":\", tostring(split(ClientIP,\":\")[0]), \n ClientIP has \".\" and ClientIP has \"-\", tostring(split(ClientIP,\"-\")[0]), \n ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\n ClientIP\n ) \n| extend Port = case(\n ClientIP has \".\" and ClientIP has \":\", (split(ClientIP,\":\")[1]),\n ClientIP has \".\" and ClientIP has \"-\", (split(ClientIP,\"-\")[1]),\n ClientIP has \"[\" and ClientIP has \":\", tostring(split(ClientIP,\"]:\")[1]),\n ClientIP has \"[\" and ClientIP has \"-\", tostring(split(ClientIP,\"]-\")[1]),\n ClientIP\n )\n| extend ClientIP = ClientIPOnly\n| project TimeGenerated, RedirectTo, ClientIP, Port, UserId, Operation, RuleName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Collection",
+ "Exfiltration"
+ ],
+ "techniques": null,
+ "displayName": "Mail redirect via ExO transport rule",
+ "enabled": false,
+ "description": "Identifies when Exchange Online transport rule configured to forward emails.\nThis could be an adversary mailbox configured to collect mail from multiple user accounts.",
+ "alertRuleTemplateName": "500415fb-bba7-4227-a08a-9857fb61b6a7"
+ }
+ }
+ ]
+}
\ No newline at end of file
From edbc33eaed89c297b8951fb837296b4979212cfc Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:35 +0000
Subject: [PATCH 200/375] Exported file: Mail.Read Permissions Granted to Application.json.json
---
 ...ad Permissions Granted to Application.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
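Review bot: `RuleName` for New-TransportRule is taken from `p[1].Value`, the second positional entry of the Parameters array, which is only right when the Name parameter happens to be logged in that slot; selecting the entry whose `Name` is "Name" (for example with mv-apply before the mvexpand) makes it independent of parameter order. The `p.Name` filter covers only BlindCopyTo and RedirectMessageTo, while AddToRecipients and CopyTo deliver mail to an extra recipient just as effectively and presumably belong in the same list. The description "Identifies when Exchange Online transport rule configured to forward emails" is missing "an ... is".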
diff --git a/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
new file mode 100644
index 00000000..44975a82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Mail.Read Permissions Granted to Application.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/84cfa531-ea08-4c84-a1a1-d85c55c45f06')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nAuditLogs\n| where Category =~ \"ApplicationManagement\"\n| where ActivityDisplayName has_any (\"Add delegated permission grant\",\"Add app role assignment to service principal\")\n| where Result =~ \"success\"\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend props = parse_json(tostring(TargetResources[0].modifiedProperties))\n| mv-expand props\n| extend UserAgent = tostring(AdditionalDetails[0].value)\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend UserIPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| extend DisplayName = tostring(props.displayName)\n| extend Permissions = tostring(parse_json(tostring(props.newValue)))\n| where Permissions has_any (\"Mail.Read\", \"Mail.ReadWrite\")\n| extend PermissionsAddedTo = tostring(TargetResources[0].displayName)\n| extend Type = tostring(TargetResources[0].type)\n| project-away props\n| join kind=leftouter(\n AuditLogs\n | where ActivityDisplayName has \"Consent to application\"\n | extend AppName = tostring(TargetResources[0].displayName)\n | extend AppId = tostring(TargetResources[0].id)\n | project AppName, AppId, CorrelationId) on CorrelationId\n| project-reorder TimeGenerated, OperationName, InitiatingUser, UserIPAddress, UserAgent, PermissionsAddedTo, Permissions, AppName, AppId, CorrelationId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUser, IPCustomEntity = UserIPAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Mail.Read Permissions Granted to Application",
+ "enabled": false,
+ "description": "This query look for applications that have been granted (Delegated or App/Role) permissions to Read Mail (Permissions field has Mail.Read) and subsequently has been consented to. This can help identify applications that have been abused to gain access to mailboxes.",
+ "alertRuleTemplateName": "2560515c-07d1-434e-87fb-ebe3af267760"
+ }
+ }
+ ]
+}
\ No newline at end of file
From c4be297bb1867a6d46640d5bd7a5bce848334565 Mon Sep 17 00:00:00 2001
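Review bot: The description says the rule reports grants that have "subsequently ... been consented to", but the join on CorrelationId is `kind=leftouter`, so grants with no matching "Consent to application" event still pass through with empty AppName and AppId; either use `kind=inner` or reword the description to say consent details are attached when available. `| extend Type = tostring(TargetResources[0].type)` overwrites the table's own Type column, which is easy to misread in union-based queries; a name such as TargetResourceType avoids the shadowing. The `has "@"` filter on InitiatedBy effectively limits the rule to user-initiated grants, so grants performed by a service principal are out of scope and that should be stated in the description.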
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:36 +0000
Subject: [PATCH 201/375] Exported file: Malformed user agent.json.json
---
 .../Malformed user agent.json | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Malformed user agent.json
diff --git a/SentinelExported-AnalyticsRule/Malformed user agent.json b/SentinelExported-AnalyticsRule/Malformed user agent.json
new file mode 100644
index 00000000..085e69a9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malformed user agent.json
@@ -0,0 +1,70 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/89bbc939-d47e-4b36-82dc-bcec562f0763')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\n(union isfuzzy=true\n(OfficeActivity | where UserAgent != \"\"),\n(OfficeActivity\n| where RecordType in (\"AzureActiveDirectory\", \"AzureActiveDirectoryStsLogon\")\n| extend OperationName = Operation\n| parse ExtendedProperties with * 'User-Agent\\\\\":\\\\\"' UserAgent2 '\\\\' *\n| parse ExtendedProperties with * 'UserAgent\", \"Value\": \"' UserAgent1 '\"' *\n| where isnotempty(UserAgent1) or isnotempty(UserAgent2)\n| extend UserAgent = iff( RecordType == 'AzureActiveDirectoryStsLogon', UserAgent1, UserAgent2)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(AzureDiagnostics\n| where ResourceType =~ \"APPLICATIONGATEWAYS\" \n| where OperationName =~ \"ApplicationGatewayAccess\" \n| extend ClientIP = columnifexists(\"clientIP_s\", \"None\"), UserAgent = columnifexists(\"userAgent_s\", \"None\")\n| where UserAgent != '-'\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, requestUri_s, httpMethod_s, host_s, requestQuery_s, Type\n),\n(\nW3CIISLog\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n),\n(SigninLogs\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n),\n(AADNonInteractiveUserSignInLogs \n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n)\n)\n// Likely artefact of hardcoding\n| where UserAgent startswith \"User\" or UserAgent startswith '\\\"'\n// Incorrect casing\nor (UserAgent startswith \"Mozilla\" and not(UserAgent containscs \"Mozilla\"))\n// Incorrect casing\nor UserAgent containscs \"(Compatible;\"\n// Missing MSIE version\nor UserAgent matches regex @\"MSIE\\s?;\"\n// Incorrect spacing around MSIE version\nor UserAgent matches regex @\"MSIE(?:\\d|.{1,5}?\\d\\s;)\"\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "CommandAndControl",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Malformed user agent",
+ "enabled": false,
+ "description": "Malware authors will sometimes hardcode user agent string values when writing the network communication component of their malware.\nMalformed user agents can be an indication of such malware.",
+ "alertRuleTemplateName": "a357535e-f722-4afe-b375-cff362b2b376"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 8c0b5270f1af2d2dcb5e3627f4db8e40da4347ab Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:37 +0000
Subject: [PATCH 202/375] Exported file: Malicious Inbox Rule.json.json
---
 .../Malicious Inbox Rule.json | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
diff --git a/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
new file mode 100644
index 00000000..42b68850
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious Inbox Rule.json
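Review bot: The first union branch, `(OfficeActivity | where UserAgent != "")`, neither summarizes nor defines SourceIP, Account or StartTime, so its rows reach the final `extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account` with those values empty (unless OfficeActivity happens to carry columns of those names) and alert once per raw event with no IP or account entity. Giving it the same shape as the other branches, `(OfficeActivity | where UserAgent != "" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation),`, restores the entity mapping for those hits. Minor: the AzureDiagnostics branch uses `columnifexists`, the legacy spelling of the `column_ifexists` used by the MSHTML rule on this page.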
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f4474f5-8c95-4248-a56d-510a85fb07b3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\", \"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\nOfficeActivity\n| where Operation =~ \"New-InboxRule\"\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has \"DeleteMessage\"\n| extend Events=todynamic(Parameters)\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\n| where SubjectContainsWords has_any (Keywords)\n or BodyContainsWords has_any (Keywords)\n or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) , tostring(split(OfficeObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIPAddress, AccountCustomEntity = UserId , HostCustomEntity = OriginatingServer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Malicious Inbox Rule",
+ "enabled": false,
+ "description": "Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords. \n This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.\nReference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/",
+ "alertRuleTemplateName": "7b907bf7-77d4-41d0-a208-5643ff75bf9a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 45c274a462dbcb0364f92ebc0313866ccbbe1f11 Mon Sep 17 00:00:00 2001
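Review bot: The rule matches only `Operation =~ "New-InboxRule"`, so the same delete-or-junk action added to an existing rule through Set-InboxRule is never seen; `| where Operation in~ ("New-InboxRule", "Set-InboxRule")` covers both with the Parameters checks unchanged. The keyword list contains `" alert"` and `" suspicious"` with leading spaces; since has_any is term-based the spaces are presumably inert, but if they were meant as a word-boundary trick they should be dropped or explained in a comment. The description's "Below is a sample query that tries to detect this" reads as copied from a blog post rather than describing this rule and should be reworded.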
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:37 +0000
Subject: [PATCH 203/375] Exported file: Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json.json
---
 ...rmerly Microsoft Defender ATP) alerts.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
diff --git a/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
new file mode 100644
index 00000000..bbd554cd
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts.json
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/91d5304a-0628-4ab8-9c57-670bb4da620b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/91d5304a-0628-4ab8-9c57-670bb4da620b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet alertTimeWindow = 1h;\nlet logTimeWindow = 7d;\n// Define script extensions that suit your web application environment - a sample are provided below\nlet scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]); \nlet alertData = materialize(SecurityAlert \n| where TimeGenerated > ago(alertTimeWindow) \n| where ProviderName == \"MDATP\" \n// Parse and expand the alert JSON \n| extend alertData = parse_json(Entities) \n| mvexpand alertData);\nlet fileData = alertData\n// Extract web script files from MDATP alerts - our malicious web scripts - candidate webshells\n| where alertData.Type =~ \"file\" \n| where alertData.Name has_any(scriptExtensions) \n| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory);\nlet hostData = alertData\n// Extract server details from alerts and map to alert id\n| where alertData.Type =~ \"host\"\n| project HostName = tostring(alertData.HostName), DnsDomain = tostring(alertData.DnsDomain), SystemAlertId\n| distinct HostName, DnsDomain, SystemAlertId;\n// Join the files on their impacted servers\nlet webshellData = 
fileData\n| join kind=inner (hostData) on SystemAlertId \n| project TimeGenerated, FileName, Directory, HostName, DnsDomain;\nwebshellData\n| join ( \n// Find requests that were made to this file on the impacted server in the W3CIISLog table \nW3CIISLog \n| where TimeGenerated > ago(logTimeWindow) \n// Restrict to accesses to script extensions \n| where csUriStem has_any(scriptExtensions)\n| extend splitUriStem = split(csUriStem, \"/\") \n| extend FileName = splitUriStem[-1], HostName = sComputerName\n// Summarize potential attacker activity\n| summarize count(), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), RequestUserAgents=make_set(csUserAgent), ReqestMethods=make_set(csMethod), RequestStatusCodes=make_set(scStatus), RequestCookies=make_set(csCookie), RequestReferers=make_set(csReferer), RequestQueryStrings=make_set(csUriQuery) by AttackerIP=cIP, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName), HostName \n) on FileName, HostName\n| project StartTime, EndTime, AttackerIP, RequestUserAgents, HostName, SiteName, ShellLocation, ReqestMethods, RequestStatusCodes, RequestCookies, RequestReferers, RequestQueryStrings, RequestCount = count_\n// Expose the attacker ip address as a custom entity\n| extend timestamp=StartTime, IPCustomEntity = AttackerIP, HostCustomEntity = HostName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" 
+ ], + "techniques": null, + "displayName": "Malicious web application requests linked with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts", + "enabled": false, + "description": "Takes Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) alerts where web scripts are present in the evidence and correlates with requests made to those scripts\nin the WCSIISLog to surface new alerts for potentially malicious web request activity.\nThe lookback for alerts is set to 1h and the lookback for W3CIISLogs is set to 7d. A sample set of popular web script extensions\nhas been provided in scriptExtensions that should be tailored to your environment.", + "alertRuleTemplateName": "fbfbf530-506b-49a4-81ad-4030885a195c" + } + } + ] +} \ No newline at end of file From 385b7ae5480a3ab59cbd4cf248caa26978e092cb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:38 +0000 Subject: [PATCH 204/375] Exported file: Malware in the recycle bin (Normalized Process Events).json.json --- ...cycle bin (Normalized Process Events).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json new file mode 100644 index 00000000..95da1d03 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin (Normalized Process Events).json 
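Review bot: `"techniques": null` leaves this rule with a Persistence tactic but no MITRE technique, although a web-shell correlation maps directly to `"techniques": ["T1505"]` (Server Software Component / Web Shell); the same null `techniques` appears in every other exported rule in this series (Malware in the recycle bin, both variants; Mass secret retrieval from Azure Key Vault; Microsoft COVID-19 file hash indicator matches; Modified domain federation trust settings; Monitor AWS Credential abuse or hijacking), so the export or the source rules should be fixed once rather than per file. The description names the table as `WCSIISLog` while the query reads `W3CIISLog`, which will mislead anyone checking data-connector prerequisites. The projected column `ReqestMethods` is misspelled in both the `summarize` and the `project` clause; renaming it to `RequestMethods` is cosmetic but worthwhile because the name surfaces in the alert's custom details.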
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e669ef82-838e-40b8-8423-efd8303206c6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e669ef82-838e-40b8-8423-efd8303206c6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]); \nimProcessCreate\n| where CommandLine has \"recycler\"\n| where Process has_any (procList)\n| extend FileName = tostring(split(Process, '\\\\')[-1])\n| where FileName in~ (procList)\n| project StartTimeUtc = TimeGenerated, Dvc, User, Process, FileName, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, HostCustomEntity = Dvc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Malware in the recycle bin (Normalized Process Events)", + "enabled": false, + "description": "Identifies malware that has been hidden in the recycle bin.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "61988db3-0565-49b5-b8e3-747195baac6e" + } + } + ] +} \ No newline at end of file From a12b8839675365339495057eb25005767ae68059 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:39 +0000 Subject: [PATCH 205/375] Exported file: Malware in the recycle bin.json.json --- .../Malware in the recycle bin.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Malware in the recycle bin.json diff --git a/SentinelExported-AnalyticsRule/Malware in the recycle bin.json b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json new file mode 100644 index 00000000..89fa2d07 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Malware in the recycle bin.json 
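Review bot: `| where CommandLine has "recycler"` only matches the legacy `RECYCLER` folder name, while Windows Vista and later place the recycle bin under `$Recycle.Bin`, so the rule will not fire for the path used on any currently supported Windows version and the description ("Identifies malware that has been hidden in the recycle bin") overstates its coverage. Consider widening the filter to something like `| where CommandLine has_any ("recycler", "$recycle.bin")` and stating the covered folder names in the description. The sibling rule "Malware in the recycle bin" (the SecurityEvent variant) has the same gap with its `contains ":\\recycler"` filter.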
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e485f07-3a11-4eb5-ac2a-d1b82aca8c62')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet procList = dynamic([\"cmd.exe\",\"ftp.exe\",\"schtasks.exe\",\"powershell.exe\",\"rundll32.exe\",\"regsvr32.exe\",\"msiexec.exe\"]);\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, NewProcessName,\nFileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nProcessCreationEvents \n| where FileName in~ (procList)\n| where CommandLine contains \":\\\\recycler\"\n| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, FileName, CommandLine, ParentProcessName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Malware in the recycle bin", + "enabled": false, + "description": "Identifies malware that has been hidden in the recycle bin.\nReferences: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.", + "alertRuleTemplateName": "75bf9902-0789-47c1-a5d8-f57046aa72df" + } + } + ] +} \ No newline at end of file From 53d8cc6beccb2d61d101509a3cfa72103ca88b6f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:40 +0000 Subject: [PATCH 206/375] Exported file: Mass secret retrieval from Azure Key Vault.json.json --- ...secret retrieval from Azure Key Vault.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json diff --git a/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json new file mode 100644 index 00000000..830e90fb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Mass secret retrieval from Azure Key Vault.json 
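Review bot: `| where isnotempty(CommandLine)` silently discards every 4688 event from hosts that do not populate the command line in process-creation events, so on a tenant without the "Include command line in process creation events" audit setting the rule returns nothing and never signals the misconfiguration. The description should state that prerequisite, e.g. `Requires Windows process-creation auditing with command-line logging enabled; without it EventID 4688 events carry no CommandLine and this rule produces no results.` The `ProcessCreationEvents=() { ... }` let-function wraps a single tabular expression that is used once; inlining it would shorten the query without changing results.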
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f5a5c06-ca09-4075-890a-e46be2ee412a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f5a5c06-ca09-4075-890a-e46be2ee412a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet EventCountThreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds \n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where 
OperationName in (OperationList) \n| summarize count() by identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, OperationName\n| where count_ > EventCountThreshold \n| join (\nAzureDiagnostics\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and isnotempty(requestUri_s)\n| where OperationName in~ (OperationList) \n) on identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g \n| summarize EventCount=sum(count_), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = EndTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = 
identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Mass secret retrieval from Azure Key Vault", + "enabled": false, + "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", + "alertRuleTemplateName": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c" + } + } + ] +} \ No newline at end of file From 2cd1c4d59a437c05707d33c4da730458f7eacd6a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:40 +0000 Subject: [PATCH 207/375] Exported file: Microsoft COVID-19 file hash indicator matches.json.json --- ... COVID-19 file hash indicator matches.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json 
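Review bot: `EventCount=sum(count_)` after the join over-counts: `count_` is the per-object-id, per-operation total computed on the left side and is carried onto every matched right-side row, so the sum multiplies it by the number of joined events and the reported count no longer relates to `EventCountThreshold`; `EventCount=count()` over the joined rows (or `max(count_)` if the left-side figure is wanted) gives a meaningful number. The left side filters with the case-sensitive `OperationName in (OperationList)` while the join side uses `in~`, so an operation name differing only in case is counted on one side but not the other; both should use `in~`. The join side also lacks the `ResourceType =~ "VAULTS" and ResultType =~ "Success"` filter applied on the left, so failed operations by the same object id are folded into the output and only separated because `ResultType` is a group-by key. `makelist` is the deprecated spelling of `make_list`.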
diff --git a/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
new file mode 100644
index 00000000..da0a76f1
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Microsoft COVID-19 file hash indicator matches.json
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58279f6d-5629-40b2-852b-66c575dbb0ca')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58279f6d-5629-40b2-852b-66c575dbb0ca')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType: string, TlpLevel: string, Product: string, ThreatType: string, Description: string )\n[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv\"] with (format=\"csv\"));\nlet fileHashIndicators = covidIndicators\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) \n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by FileHashValue\n| project 
CommonSecurityLog_TimeGenerated, FileHashValue, FileHashType, Description, ThreatType, \nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction, \nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Microsoft COVID-19 file hash indicator matches", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog Event data from any FileHash published in the Microsoft COVID-19 Threat Intel Feed - as described at https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/", + "alertRuleTemplateName": "2be4ef67-a93f-4d8a-981a-88158cb73abd" + } + } + ] +} \ No newline at end of file From 7ce82c19810fcb20a2f90a569d57665330f16e84 Mon Sep 17 00:00:00 2001 
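Review bot: `"queryPeriod": "P14D"` is inconsistent with `let dt_lookBack = 1h;`, which bounds `CommonSecurityLog` to `ago(1h)` inside the query, so the 14-day window is either wasted or the intended behaviour (re-scanning two weeks of logs against a newly published hash) is not implemented; align the two, e.g. `"queryPeriod": "PT1H"` or `let dt_lookBack = 14d;`. The `externaldata(...)` call fetches the indicator CSV from `raw.githubusercontent.com` on every run, so the rule's detection content is whatever that URL serves at execution time and the rule breaks silently if the file moves or changes shape; pinning the URL to a specific commit, or ingesting the feed into the `ThreatIntelligenceIndicator` table and joining on that, makes the indicators auditable. The description should also say that this is a static feed from 2020 so operators can judge its current value.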
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:17:41 +0000
Subject: [PATCH 208/375] Exported file: Modified domain federation trust settings.json.json
---
 ...fied domain federation trust settings.json | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
diff --git a/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
new file mode 100644
index 00000000..bc30cc1f
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Modified domain federation trust settings.json
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/45f5eb6b-e221-44e3-928c-a372d76d1a6d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName)\n| mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where NewDomainValue has \"Federated\"\n)\n)\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp = 
iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Modified domain federation trust settings", + "enabled": false, + "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be rare. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af" + } + } + ] +} \ No newline at end of file From 4db5bc6169135e58cf8f1ae44ccd23efd25327d0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:42 +0000 Subject: [PATCH 209/375] Exported file: Monitor AWS Credential abuse or hijacking.json.json --- ...tor AWS Credential abuse or hijacking.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json diff --git a/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json new file mode 100644 index 00000000..3a788cd8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Monitor AWS Credential abuse or hijacking.json 
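Review bot: `| mv-expand AdditionalDetails` in the first union branch multiplies each audit event by the number of `AdditionalDetails` entries, and the later `iff(AdditionalDetails.key == "User-Agent", ...)` yields `""` for all but one of them, so a single federation change produces several near-duplicate rows (and, with grouping disabled, several alerts) per run. The second branch never expands `AdditionalDetails`, so its `UserAgent` is always empty while the same `extend` is applied to it. Extracting the user agent without expanding the row, e.g. `| mv-apply AdditionalDetails on (where AdditionalDetails.key == "User-Agent" | summarize UserAgent = take_any(tostring(AdditionalDetails.value)))` placed after the union, keeps one row per event for both branches; confirm against live AuditLogs data before relying on it.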
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44975607-3f23-4632-871e-b08b59ebd68c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44975607-3f23-4632-871e-b08b59ebd68c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nAWSCloudTrail\n| where EventName =~ \"GetCallerIdentity\" and UserIdentityType =~ \"AssumedRole\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SourceIpAddress, EventName, EventTypeName, UserIdentityType, UserIdentityAccountId, UserIdentityPrincipalid, \nUserAgent, UserIdentityUserName, SessionMfaAuthenticated,AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTime, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress\n| sort by EndTime desc nulls last \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Monitor AWS Credential abuse or hijacking", + "enabled": false, + "description": "Looking for GetCallerIdentity Events where the UserID Type is AssumedRole \nAn attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.\nA legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.\nMore Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws\nAWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html ", + "alertRuleTemplateName": "32555639-b639-4c2b-afda-c0ae0abefa55" + } + } + ] +} \ No newline at end of file From 58f958bbb2c1a9d65fe0153bbab695a0e8ddcd8e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:43 +0000 Subject: [PATCH 210/375] Exported file: Multiple Password Reset by user.json.json --- .../Multiple Password Reset by user.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple Password Reset by user.json diff --git a/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json new file mode 100644 index 00000000..d4e7b35e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple Password Reset by user.json 
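Review bot: The description claims a legitimate user "would not need to call GetCallerIdentity", but the AWS CLI, SDKs and infrastructure-as-code tooling routinely call `sts:GetCallerIdentity` under assumed roles, so with no exclusions this rule is likely to fire daily on normal automation; an allow-list of known role ARNs or user agents in the query, mirroring the `Allowedappid` pattern used in the Key Vault rule of this series, and a sentence about expected noise in the description would make it usable. Grouping the `summarize` by `AdditionalEventData` and `ResponseElements`, both free-form payload columns, largely defeats the aggregation because nearly every event gets its own row; dropping them from the `by` clause and collecting them with `make_set` keeps one row per principal and source IP. The `"techniques": null` point raised on the first rule in this series applies here as well.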
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9df8fa13-f28b-41d5-8065-9d7e234aaa26')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet PerUserThreshold = 5;\nlet TotalThreshold = 100;\nlet action = dynamic([\"change\", \"changed\", \"reset\"]);\nlet pWord = dynamic([\"password\", \"credentials\"]);\nlet PasswordResetMultiDataSource =\n(union isfuzzy=true\n(//Password reset events\n//4723: An attempt was made to change an account's password\n//4724: An attempt was made to reset an accounts password\nSecurityEvent\n| where EventID in (\"4723\",\"4724\")\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName),\n(//Azure Active Directory Password reset events\nAuditLogs\n| where OperationName has_any (pWord) and OperationName has_any (action) and Result =~ \"success\"\n| extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), \nTargetUserName = tolower(tostring(TargetResources[0].displayName))\n| project TimeGenerated, AccountType, Account, Computer = \"\", Type),\n(//OfficeActive ActiveDirectory Password reset events\nOfficeActivity\n| where OfficeWorkload == \"AzureActiveDirectory\" \n| where (ExtendedProperties has_any (pWord) or ModifiedProperties has_any (pWord)) and (ExtendedProperties 
has_any (action) or ModifiedProperties has_any (action))\n| extend AccountType = UserType, Account = OfficeObjectId \n| project TimeGenerated, AccountType, Account, Type, Computer = \"\"),\n(// Unix syslog password reset events\nSyslog\n| where Facility in (\"auth\",\"authpriv\")\n| where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)\n| extend AccountType = iif(SyslogMessage contains \"root\", \"Root\", \"Non-Root\")\n| where SyslogMessage matches regex \".*password changed for.*\"\n| parse SyslogMessage with * \"password changed for\" Account\n| project TimeGenerated, AccountType, Account, Computer = HostName, Type)\n);\nlet pwrmd = PasswordResetMultiDataSource\n| project TimeGenerated, Computer, AccountType, Account, Type, TargetUserName;\n(union isfuzzy=true \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Account, Type\n| where Total > PerUserThreshold\n| extend ResetPivot = \"PerUserReset\"), \n(pwrmd\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), TargetUserList = make_set(TargetUserName, 25), TargetUserName = arg_max(TargetUserName, TimeGenerated), Total=count() by Type\n| where Total > TotalThreshold\n| extend ResetPivot = \"TotalUserReset\")\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "techniques": null, + "displayName": "Multiple Password Reset by user", + "enabled": false, + "description": "This query will determine multiple password resets by user across multiple data sources. \nAccount manipulation including password reset may aid adversaries in maintaining access to credentials \nand certain permission levels within an environment.", + "alertRuleTemplateName": "0b9ae89d-8cad-461c-808f-0494f70ad5c4" + } + } + ] +} \ No newline at end of file From 02e6016d91cc17878d2ea67bd8678720e8ac3733 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:43 +0000 Subject: [PATCH 211/375] Exported file: Multiple RDP connections from Single System.json.json --- ...le RDP connections from Single System.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json diff --git a/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json new file mode 100644 index 00000000..7e1b85c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple RDP connections from Single System.json 
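Review bot: The SecurityEvent branch filters with string literals, `| where EventID in ("4723","4724")`, while the RDP rule later on this page compares the same column numerically (`EventID == 4624`); `| where EventID in (4723, 4724)` keeps the type consistent and avoids relying on implicit conversion. Only the SecurityEvent branch projects `TargetUserName` — the AuditLogs branch extends it and then drops it in its `project`, and the OfficeActivity and Syslog branches never produce it — so `TargetUserList`/`TargetUserName` in the summarize are populated from Windows events alone. That is tolerated by `union isfuzzy=true` but deserves a comment in the query such as `// TargetUserName is only available from SecurityEvent`, or the AuditLogs `project` should keep the column it already computes.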
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aaa53051-1af4-42d9-a523-c08752580ade')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aaa53051-1af4-42d9-a523-c08752580ade')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet endtime = 1d;\nlet starttime = 8d;\nlet threshold = 2.0;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerCountToday = dcount(Computer), ComputerSet = makeset(Computer), ProcessSet = makeset(ProcessName) \nby Account = tolower(Account), IpAddress, AccountType, Activity, LogonTypeName\n| join kind=leftouter (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize ComputerCountPrev7Days = dcount(Computer) by Account = tolower(Account), IpAddress\n) on Account, IpAddress\n| extend Ratio = iff(isempty(ComputerCountPrev7Days), toreal(ComputerCountToday), ComputerCountToday / (ComputerCountPrev7Days * 1.0))\n// Where the ratio of today to previous 7 days is more than double.\n| where Ratio > threshold\n| project StartTimeUtc, EndTimeUtc, Account, IpAddress, ComputerSet, ComputerCountToday, ComputerCountPrev7Days, Ratio, AccountType, Activity, LogonTypeName, ProcessSet\n| extend timestamp = StartTimeUtc, 
AccountCustomEntity = Account, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Multiple RDP connections from Single System", + "enabled": false, + "description": "Identifies when an RDP connection is made to multiple systems and above the normal for the previous 7 days. \nConnections from the same system with the same account within the same day.\nRDP connections are indicated by the EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "78422ef2-62bf-48ca-9bab-72c69818a425" + } + } + ] +} \ No newline at end of file From 676386bb6fc068f77aa95862b9650ad8cbe9d801 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:44 +0000 Subject: [PATCH 212/375] Exported file: Multiple Teams deleted by a single user.json.json --- ...ltiple Teams deleted by a single user.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json diff --git a/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json new file mode 100644 index 00000000..71af8d26 --- /dev/null 
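Review bot: `makeset()` in the first `summarize` is the deprecated alias; the password-reset rule on this page already uses `make_set()`, so `ComputerSet = make_set(Computer), ProcessSet = make_set(ProcessName)` keeps the two rules consistent. Note also that when the `leftouter` join finds no prior-7-day baseline, `Ratio` falls back to `toreal(ComputerCountToday)`, so any account/IP pair with three or more distinct RDP targets and no history exceeds `threshold = 2.0`; first-seen pairs will therefore dominate the alert volume. That may be intended, but it should be stated next to the `iff`, e.g. `// no baseline in the previous 7 days: use today's distinct-host count directly as the ratio`.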
+++ b/SentinelExported-AnalyticsRule/Multiple Teams deleted by a single user.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c20c6d74-5470-4242-a748-d5625abb65b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c20c6d74-5470-4242-a748-d5625abb65b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\n// Adjust this value to change how many Teams should be deleted before including\nlet max_delete_count = 3;\n// Adjust this value to change the timewindow the query runs over\n OfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\" \n| where Operation =~ \"TeamDeleted\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId\n| where array_length(DeletedTeams) > max_delete_count\n| extend timestamp = StartTime, AccountCustomEntity = UserId\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Multiple Teams deleted by a single user", + 
"enabled": false, + "description": "This detection flags the occurrences of deleting multiple teams within an hour.\nThis data is a part of Office 365 Connector in Microsoft Sentinel.", + "alertRuleTemplateName": "173f8699-6af5-484a-8b06-8c47ba89b380" + } + } + ] +} \ No newline at end of file From 15fd9953a108f5b6be97ccfe997527f0a80f9e69 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:45 +0000 Subject: [PATCH 213/375] Exported file: Multiple users email forwarded to same destination.json.json --- ...s email forwarded to same destination.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json diff --git a/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json new file mode 100644 index 00000000..4346f1d9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Multiple users email forwarded to same destination.json 
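Review bot: The description says the rule flags "deleting multiple teams within an hour", but `queryFrequency` and `queryPeriod` are both `P1D` and the query has no time filter, so the effective window is one day; either the description or the period should change. The query also carries the comment `// Adjust this value to change the timewindow the query runs over` with no `let` following it, so the variable it described appears to have been removed; delete the dangling comment or reinstate a window such as `let timeframe = 1d;` paired with `| where TimeGenerated >= ago(timeframe)`.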
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/066d6852-04de-4dab-9b95-bd3d2835a859')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/066d6852-04de-4dab-9b95-bd3d2835a859')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nOfficeActivity\n| where Operation =~ \"Set-Mailbox\"\n| where Parameters has \"ForwardingSmtpAddress\"\n| extend parsed = parse_json(Parameters)\n| mv-expand parsed\n| where parsed.Name == \"ForwardingSmtpAddress\"\n| extend parameterName = tostring(parsed.Name), fwdingDestination = tostring(parsed.Value)\n| where isnotempty(fwdingDestination)\n| extend ClientIPOnly = case( \nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[0]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[0]), \nClientIP has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[0]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[0]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(trim_start(@'[[]',tostring(split(ClientIP_,\"]\")[0]))),\nisnotempty(ClientIP), 
ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n) \n| extend Port = case(\nClientIP has \".\" and ClientIP has ':', tostring(split(ClientIP,\":\")[1]), \nClientIP has \".\" and ClientIP has '-', tostring(split(ClientIP,\"-\")[1]), \nClientIP has ']-', tostring(split(ClientIP,\"]-\")[1]), \nClientIP has ']:', tostring(split(ClientIP,\"]:\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has ':', tostring(split(ClientIP_,\":\")[1]), \nisempty(ClientIP) and ClientIP_ has \".\" and ClientIP_ has '-', tostring(split(ClientIP_,\"-\")[1]), \nisempty(ClientIP) and ClientIP_ has ']-', tostring(split(ClientIP_,\"]-\")[1]),\nisempty(ClientIP) and ClientIP_ has ']:', tostring(split(ClientIP_,\"]:\")[1]),\nisnotempty(ClientIP), ClientIP,\nisnotempty(ClientIP_), ClientIP_,\n\"IP Not Available\"\n)\n| extend UserId = iff(isempty(UserId), UserId_, UserId)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId), \nPorts = make_set(Port), EventCount = count() by fwdingDestination, ClientIP = ClientIPOnly \n| where DistinctUserCount > 1\n| mv-expand UserId\n| extend UserId = tostring(UserId), Ports = tostring(Ports)\n| distinct StartTimeUtc, EndTimeUtc, UserId, DistinctUserCount, ClientIP, Ports, fwdingDestination, EventCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + 
"fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection", + "Exfiltration" + ], + "techniques": null, + "displayName": "Multiple users email forwarded to same destination", + "enabled": false, + "description": "Identifies when multiple (more than one) users mailboxes are configured to forward to the same destination. \nThis could be an attacker-controlled destination mailbox configured to collect mail from multiple compromised user accounts.", + "alertRuleTemplateName": "871ba14c-88ef-48aa-ad38-810f26760ca3" + } + } + ] +} \ No newline at end of file From 77b1f5e47ae238ec4d20fb67f5e6951eb597999e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:45 +0000 Subject: [PATCH 214/375] Exported file: NOBELIUM - Domain and IP IOCs - March 2021.json.json --- ...IUM - Domain and IP IOCs - March 2021.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json new file mode 100644 index 00000000..bb90e636 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain and IP IOCs - March 2021.json 
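Review bot: Only the `ForwardingSmtpAddress` parameter is inspected (`| where Parameters has "ForwardingSmtpAddress"` followed by `| where parsed.Name == "ForwardingSmtpAddress"`), so forwarding configured through the `ForwardingAddress` parameter of `Set-Mailbox` is outside this rule's coverage; if that is deliberate it belongs in the description, otherwise widen to `Parameters has_any ("ForwardingSmtpAddress", "ForwardingAddress")` with a matching check on `parsed.Name`. The `==` on `parsed.Name` is also case-sensitive while the surrounding `=~`/`has` operators are not; `tostring(parsed.Name) =~ "ForwardingSmtpAddress"` keeps the comparison consistent with the rest of the query.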
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b63935f5-aae3-45b5-bd0d-f2da794fd126')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b63935f5-aae3-45b5-bd0d-f2da794fd126')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let DomainNames = dynamic(['onetechcompany.com', 'reyweb.com', 'srfnetwork.org', 'sense4baby.fr', 'nikeoutletinc.org', 'megatoolkit.com']);\nlet IPList = dynamic(['185.225.69.69']);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ (DomainNames) or RequestURL has_any (DomainNames) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (DomainNames), \"RequestUrl\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or Name has_any (DomainNames) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp 
= TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(imDns\n| where DnsResponseName has_any (IPList) or DnsQuery has_any(DomainNames) \n| extend DestinationIPAddress = DnsResponseName, DNSName = DnsQuery, Host = Dvc\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or RemoteDnsCanonicalNames has_any (DomainNames)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(OfficeActivity\n| where ClientIP in (IPList)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (DomainNames) or RemoteIP in (IPList)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "NOBELIUM - Domain and IP IOCs - March 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for domains and IP IOCs related to NOBELIUM.\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "bb8a3481-dd14-4e76-8dcc-bbec8776d695" + } + } + ] +} \ No newline at end of file From 7726fb796917fedfc2348b279f374cc3697dd3ba Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:46 +0000 Subject: [PATCH 215/375] Exported file: NOBELIUM - Domain, Hash and IP IOCs - May 2021.json.json --- ...- Domain, Hash and IP IOCs - May 2021.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json 
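Review bot: In the CommonSecurityLog branch the `IPCustomEntity` `case()` falls through to the literal `"NoMatch"`, and rows admitted by `RequestURL has_any (DomainNames)` reach that default because `IPMatch` tests `RequestURL in (DomainNames)` (exact match) rather than `has_any`; the IP entity mapping then receives the string `NoMatch` instead of an address. Use an empty default (`... IPMatch == "Message", MessageIP, "")`) so the entity is simply absent, and align the `in`/`has_any` operators between the filter and the `case()`. The VMConnection branch has the same `"NoMatch"` default. Separately, this is a static March 2021 indicator list evaluated every six hours; consider documenting its age in the description so analysts know the list is frozen.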
diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json new file mode 100644 index 00000000..7c8dfcb9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Domain, Hash and IP IOCs - May 2021.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce11fda8-f604-4547-af58-fa313e8a8146')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce11fda8-f604-4547-af58-fa313e8a8146')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let iocs = externaldata(DateAdded:string,FirstSeen:string,IoC:string,Type:string,TLP:string)\n[@\"https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256s = (iocs | where Type =~ \"SHA256\"| project IoC);\nlet ips = (iocs | where Type =~ \"IP\"| project IoC);\nlet IPList = dynamic([\"192.99.221.77\",\"83.171.237.173\"]);\nlet domains = (iocs | where Type =~ \"Domain\"| project IoC);\nlet IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet sha256Hashes = dynamic([\"2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252\",\n\"d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142\",\n\"94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916\",\n\"48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0\",\n\"ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c\",\n\"ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330\"]);\n(union isfuzzy=true\n(CommonSecurityLog\n| where SourceIP in (IPList) or DestinationIP in (IPList) or DestinationHostName in~ 
(domains) or RequestURL has_any (domains) or Message has_any (IPList)\n| parse Message with * '(' DNSName ')' * \n| extend MessageIP = extract(IPRegex, 0, Message)\n| extend IPMatch = case(SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", MessageIP in (IPList), \"Message\", RequestURL in (domains), \"RequestUrl\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", MessageIP in (IPList), \"Message\", \"NoMatch\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, IPMatch == \"Message\", MessageIP, \"NoMatch\"), AccountCustomEntity = SourceUserID\n),\n(DnsEvents\n| where IPAddresses in (IPList) or IPAddresses in (ips) or Name in~ (domains) \n| extend DestinationIPAddress = IPAddresses, DNSName = Name, Host = Computer\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIPAddress, HostCustomEntity = Host\n),\n(VMConnection\n| where SourceIp in (IPList) or DestinationIp in (IPList) or SourceIp in (ips) or DestinationIp in (ips) or RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| extend IPMatch = case( SourceIp in (IPList), \"SourceIP\", DestinationIp in (IPList), \"DestinationIP\", SourceIp in (ips), \"SourceIP\", DestinationIp in (ips), \"DestinationIP\", \"None\") \n| extend timestamp = TimeGenerated, IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIp, IPMatch == \"DestinationIP\", DestinationIp, \"NoMatch\"), HostCustomEntity = Computer\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"]\n| where SourceIP in (IPList) or DestinationIP in (IPList) or 
SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", \"None\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer , IPCustomEntity = case(IPMatch == \"SourceIP\", SourceIP, IPMatch == \"DestinationIP\", DestinationIP, \"None\")\n), \n(OfficeActivity\n| where ClientIP in (IPList) or ClientIP in (ips)\n| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId\n),\n(DeviceNetworkEvents\n| where RemoteUrl has_any (domains) or RemoteIP in (IPList) or RemoteIP in (ips)\n| extend timestamp = TimeGenerated, DNSName = RemoteUrl, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(WindowsFirewall\n| where SourceIP in (IPList) or DestinationIP in (IPList) or SourceIP in (ips) or DestinationIP in (ips)\n| extend IPMatch = case( SourceIP in (IPList), \"SourceIP\", DestinationIP in (IPList), \"DestinationIP\", SourceIP in (ips), \"SourceIP\", DestinationIP in (ips), \"DestinationIP\", \"None\")\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP\n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost\n),\n(Event\n//This query uses sysmon data depending on table name used this may need updating\n| where Source == \"Microsoft-Windows-Sysmon\"\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| where EventDetail has_any (sha256Hashes) or EventDetail has_any (sha256s)\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, FileHash\n),\n(DeviceFileEvents\n| where SHA256 in~ (sha256Hashes) or SHA256 in~ (sha256s)\n| extend Account = RequestAccountName, Computer = DeviceName, IPAddress = RequestSourceIP, CommandLine = InitiatingProcessCommandLine, FileHash = SHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(imFileEvent\n| where TargetFileSHA256 in~ (sha256Hashes) or TargetFileSHA256 in~ (sha256s)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes) or FileHash in (sha256s)\n| extend timestamp = TimeGenerated\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + 
}, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "NOBELIUM - Domain, Hash and IP IOCs - May 2021", + "enabled": false, + "description": "Identifies a match across various data feeds for domains, hashes and IP IOCs related to NOBELIUM.\nRef: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "alertRuleTemplateName": "677da133-e487-4108-a150-5b926591a92b" + } + } + ] +} \ No newline at end of file From 93e593290a5716a23204598c32a09fdf07ffcb73 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:47 +0000 Subject: [PATCH 216/375] Exported file: NOBELIUM - Script payload stored in Registry.json.json --- ...M - Script payload stored in Registry.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json new file mode 100644 index 00000000..6cef6629 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - Script payload stored in Registry.json 
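Review bot: `externaldata(...)` fetches the IoC CSV from `https://raw.githubusercontent.com/microsoft/mstic/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv` on every run, so the detection's content is whatever that mutable branch serves at query time and the rule fails outright if the URL is unreachable; pin the reference to an immutable commit (`raw.githubusercontent.com/microsoft/mstic/<COMMIT_SHA>/Indicators/...`) and mention the external dependency in the description. In the CommonSecurityLog `IPMatch` `case()` the branch `MessageIP in (IPList), "Message"` appears twice; the second occurrence presumably should read `MessageIP in (ips), "Message"`, since the `ips` list from the CSV is otherwise never checked for message matches. The `WindowsFirewall` branch also computes `IPMatch` but never extends `timestamp` or `IPCustomEntity`, so its hits carry no IP entity.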
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b131e363-3009-4942-a35c-14d5c7284ead')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b131e363-3009-4942-a35c-14d5c7284ead')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let cmdTokens0 = dynamic(['vbscript','jscript']);\nlet cmdTokens1 = dynamic(['mshtml','RunHTMLApplication']);\nlet cmdTokens2 = dynamic(['Execute','CreateObject','RegRead','window.close']);\nSecurityEvent\n| where TimeGenerated >= ago(14d)\n| where EventID == 4688\n| where CommandLine has @'\\Microsoft\\Windows\\CurrentVersion'\n| where not(CommandLine has_any (@'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', @'\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'))\n// If you are receiving false positives, then it may help to make the query more strict by uncommenting one or both of the lines below to refine the matches\n//| where CommandLine has_any (cmdTokens0)\n//| where CommandLine has_all (cmdTokens1)\n| where CommandLine has_all (cmdTokens2)\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "NOBELIUM - Script payload stored in Registry", + "enabled": false, + "description": "This query idenifies when a process execution commandline indicates that a registry value is written to allow for later execution a malicious script\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "00cb180c-08a8-4e55-a276-63fb1442d5b5" + } + } + ] +} \ No newline at end of file From 537e5a6d3707a5088d91c3cece509d4e90c7eb05 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:48 +0000 Subject: [PATCH 217/375] Exported file: NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json.json --- ... vbscript (Normalized Process Events).json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json new file mode 100644 index 00000000..052758f7 --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events).json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/beb39f94-ac53-4ab4-b1c2-7b591497b571')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/beb39f94-ac53-4ab4-b1c2-7b591497b571')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imProcessCreate\n| where Process hassuffix 'rundll32.exe'\n| where CommandLine has_any ('Execute','RegRead','window.close')\n| project TimeGenerated, Dvc, User, Process, CommandLine, ActingProcessName, EventVendor, EventProduct\n| extend timestamp = TimeGenerated, HostCustomEntity = Dvc, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript (Normalized Process Events)", + "enabled": false, + 
"description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\nReferences: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "bdf04f58-242b-4729-b376-577c4bdf5d3a" + } + } + ] +} \ No newline at end of file From 9208a8c4cfee54926ea699e4ac6abb8ce784363f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:48 +0000 Subject: [PATCH 218/375] Exported file: NOBELIUM - suspicious rundll32.exe execution of vbscript.json.json --- ...us rundll32.exe execution of vbscript.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json new file mode 100644 index 00000000..db510457 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM - suspicious rundll32.exe execution of vbscript.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3d7a19b1-33bc-429e-b5d3-b6d0ab02216c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "SecurityEvent\n| where EventID == 4688\n| where Process =~ 'rundll32.exe' \n| where CommandLine has_all ('Execute','RegRead','window.close')\n| project TimeGenerated, Computer, Account, Process, NewProcessName, CommandLine, ParentProcessName, _ResourceId\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "NOBELIUM - suspicious rundll32.exe execution of vbscript", + "enabled": 
false, + "description": "This query idenifies when rundll32.exe executes a specific set of inline VBScript commands\n References: https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "alertRuleTemplateName": "d82e1987-4356-4a7b-bc5e-064f29b143c0" + } + } + ] +} \ No newline at end of file From f3649a4ccaccd403124b57a8287e9da440fcc617 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:49 +0000 Subject: [PATCH 219/375] Exported file: NOBELIUM IOCs related to FoggyWeb backdoor.json.json --- ...IUM IOCs related to FoggyWeb backdoor.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json diff --git a/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json new file mode 100644 index 00000000..aa714c41 --- /dev/null +++ b/SentinelExported-AnalyticsRule/NOBELIUM IOCs related to FoggyWeb backdoor.json 
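Review bot: The tactic tagging looks swapped between this rule and "NOBELIUM - Script payload stored in Registry" in the same export: this query detects rundll32 executing an inline script that reads and runs the stored payload (`RegRead`, `Execute`) yet is tagged `Persistence`, while the rule that detects the payload being written to a CurrentVersion key is tagged `Execution`. Consider `"tactics": ["Execution"]` here and `Persistence` on the registry-write rule, and fill `techniques` instead of leaving it `null` so analysts get the ATT&CK mapping. Note that `Process =~ 'rundll32.exe'` matches only the 4688 image file name, so a renamed copy of rundll32 evades this rule — worth a sentence in the description, which also misspells "idenifies".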
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57b338f9-1c0e-42ee-9b56-1af8886e2047')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57b338f9-1c0e-42ee-9b56-1af8886e2047')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/FoggyWebIOC.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet sha256Hashes = (iocs | where Type == \"sha256\" | project IoC);\nlet FilePaths = (iocs | where Type =~ \"FilePath\" | project IoC);\nlet POST_URI = (iocs | where Type =~ \"URI1\" | project IoC);\nlet GET_URI = (iocs | where Type =~ \"URI2\" | project IoC);\n//Include in the list below, the ADFS servers you know about in your environment. 
In the next part of the query, we will try to identify them for you if you have the telemetry.\nlet ADFS_Servers1 = datatable(Computer:string)\n[ \"..\",\n\"..\"\n];\n// Automatically identify potential ADFS services in your environment by searching process event telemetry for \"Microsoft.IdentityServer.ServiceHost.exe\".\nlet ADFS_Servers2 = \n(union isfuzzy=true\n(SecurityEvent\n| where EventID == 4688 and SubjectLogonId != \"0x3e4\"\n| where ProcessName has \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n),\n(DeviceProcessEvents\n| where InitiatingProcessFileName == 'Microsoft.IdentityServer.ServiceHost.exe'\n| extend Computer = DeviceName\n| distinct Computer\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key=tostring(['@Name']), Value=['#text']\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)\n| extend process = split(Image, '\\\\', -1)[-1]\n| where process =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\n| distinct Computer\n)\n);\nlet ADFS_Servers =\nADFS_Servers1\n| union (ADFS_Servers2 | distinct Computer);\n(union isfuzzy=true\n(DeviceNetworkEvents\n| where DeviceName in (ADFS_Servers)\n| where isnotempty(InitiatingProcessSHA256) or isnotempty(InitiatingProcessFolderPath)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or InitiatingProcessFolderPath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, LocalIP, Type\n| extend timestamp = TimeGenerated, 
IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\" and EventID == '7'\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend ImageLoaded = EventDetail.[5].[\"#text\"], Hashes = EventDetail.[11].[\"#text\"]\n| parse Hashes with * 'SHA256=' SHA256 '\",' *\n| where ImageLoaded has_any (FilePaths) or SHA256 has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, ImageLoaded, EventID\n| extend Type = strcat(Type,\":\",EventID, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(CommonSecurityLog\n| where FileHash in (sha256Hashes)\n| project TimeGenerated, Message, SourceUserID, FileHash, Type\n| extend timestamp = TimeGenerated, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceEvents\n| where DeviceName in (ADFS_Servers)\n| extend FilePath = strcat(FolderPath, '\\\\', FileName)\n| where InitiatingProcessSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = 
InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceFileEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(DeviceImageLoadEvents\n| where DeviceName in (ADFS_Servers)\n| where FolderPath has_any (FilePaths) or SHA256 has_any (sha256Hashes)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type\n| extend Account = InitiatingProcessAccountName, Computer = DeviceName, CommandLine = InitiatingProcessCommandLine, FileHash = InitiatingProcessSHA256, Image = InitiatingProcessFolderPath\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where Computer in (ADFS_Servers)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 
'\",' *\n| where EventDetail has_any (sha256Hashes) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256\n| extend Type = strcat(Type, \": \", Source), Account = UserName, FileHash = SHA256, Image = EventDetail.[4].[\"#text\"] \n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = FileHash\n),\n(W3CIISLog \n| where ( csMethod == 'GET' and csUriStem has_any (GET_URI)) or (csMethod == 'POST' and csUriStem has_any (POST_URI))\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), cIP_MethodCount = count() \nby cIP, cIP_MethodCountType = \"Count of repeated entries, this is to reduce rowsets returned\", csMethod, \ncsHost, scStatus, sIP, csUriStem, csUriQuery, csUserName, csUserAgent, csCookie, csReferer\n| extend timestamp = StartTime, IPCustomEntity = cIP, HostCustomEntity = csHost, AccountCustomEntity = csUserName\n),\n(imFileEvent\n| where DvcHostname in (ADFS_Servers)\n| where TargetFileSHA256 has_any (sha256Hashes) or FilePath has_any (FilePaths)\n| extend Account = ActorUsername, Computer = DvcHostname, IPAddress = SrcIpAddr, CommandLine = ActingProcessCommandLine, FileHash = TargetFileSHA256\n| project Type, TimeGenerated, Computer, Account, IPAddress, CommandLine, FileHash\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Collection" + ], + "techniques": null, + "displayName": "NOBELIUM IOCs related to FoggyWeb backdoor", + "enabled": false, + "description": "Identifies a match across various data feeds for IOCs related to FoggyWeb backdoor by the threat actor NOBELIUM.\n FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server.\n It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.\n Reference: https://aka.ms/nobelium-foggy-web", + "alertRuleTemplateName": "c37711a4-5f44-4472-8afc-0679bc0ef966" + } + } + ] +} \ No newline at end of file From f11358e1d20711e92a178e764701a0923a13688f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:50 +0000 Subject: [PATCH 220/375] Exported file: Network endpoint to host executable correlation.json.json --- ...dpoint to host executable correlation.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json diff --git a/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json new file mode 100644 index 00000000..af693c3b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Network endpoint to host executable correlation.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d012df68-9c36-431a-acc1-704063e21101')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d012df68-9c36-431a-acc1-704063e21101')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet endpointData = \n(SecurityEvent\n | where EventID == 4688\n | extend shortFileName = tostring(split(NewProcessName, '\\\\')[-1])\n );\n// Correlate suspect executables seen in TrendMicro rule updates with similar activity on endpoints\nCommonSecurityLog\n| where DeviceVendor =~ \"Trend Micro\"\n| where Activity =~ \"Deny List updated\" \n| where RequestURL endswith \".exe\"\n| project TimeGenerated, Activity , RequestURL , SourceIP, DestinationIP\n| extend suspectExeName = tolower(tostring(split(RequestURL, '/')[-1]))\n| join (endpointData) on $left.suspectExeName == $right.shortFileName \n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = TargetUserName, HostCustomEntity = Computer, URLCustomEntity = RequestURL\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Network endpoint to host executable correlation", + "enabled": false, + "description": "Correlates blocked URLs hosting [malicious] executables with host endpoint data\nto identify potential instances of executables of the same name having been recently run.", + "alertRuleTemplateName": "01f64465-b1ef-41ea-a7f5-31553a11ad43" + } + } + ] +} \ No newline at end of file From 65a9b37244903362c9bbc93c5c0d432556546c6b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:51 +0000 Subject: [PATCH 221/375] Exported file: New Agent Added to Pool by New User or Added to a New OS Type_.json.json --- ...y New User or Added to a New OS Type_.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json diff --git a/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json new file mode 100644 index 00000000..9ce08ffd --- /dev/null +++ b/SentinelExported-AnalyticsRule/New Agent Added to Pool by New User or Added to a New OS Type_.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fa482a76-22d1-469d-8a47-510e71286ddd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fa482a76-22d1-469d-8a47-510e71286ddd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lookback = 14d;\nlet timeframe = 1d;\n// exclude allowed users from query such as the ADO service\nlet allowed_users = dynamic([\"Azure DevOps Service\"]);\nunion\n// Look for agents being added to a pool of a OS type not seen with that pool before\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where OperationName =~ \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])\n| project AgentPoolName, OsDescription\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| extend OsDescription = tostring(Data.OsDescription)\n| where isnotempty(OsDescription)\n| extend OsDescription = tostring(split(OsDescription, \"#\", 0)[0])) on AgentPoolName, OsDescription),\n// Look for users addeing agents to a pool that they have not added agents to 
before.\n(AzureDevOpsAuditing\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n| where ActorUPN !in (allowed_users)\n| project AgentPoolName, ActorUPN\n| join kind=rightanti (AzureDevOpsAuditing\n| where TimeGenerated > ago(timeframe)\n| where OperationName == \"Library.AgentAdded\"\n| where ActorUPN !in (allowed_users)\n| extend AgentPoolName = tostring(Data.AgentPoolName)\n) on AgentPoolName, ActorUPN)\n| extend AgentName = tostring(Data.AgentName)\n| extend OsDescription = tostring(Data.OsDescription)\n| extend SystemDetails = Data.SystemCapabilities\n| project-reorder TimeGenerated, OperationName, ScopeDisplayName, AgentPoolName, AgentName, ActorUPN, IpAddress, UserAgent, OsDescription, SystemDetails, Data\n| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "New Agent Added to Pool by New User or Added to a New OS Type.", + "enabled": false, + "description": "As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. 
\nAn attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have \nnot added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a \nconfigurable allow list to allow for certain users to be excluded from the logic.", + "alertRuleTemplateName": "4ce177b3-56b1-4f0e-b83e-27eed4cb0b16" + } + } + ] +} \ No newline at end of file From a5c7faed723e500349b8fbfe4bf698e76bc352c6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:51 +0000 Subject: [PATCH 222/375] Exported file: New CloudShell User.json.json --- .../New CloudShell User.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New CloudShell User.json diff --git a/SentinelExported-AnalyticsRule/New CloudShell User.json b/SentinelExported-AnalyticsRule/New CloudShell User.json new file mode 100644 index 00000000..52d70ed6 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New CloudShell User.json 
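Review bot: The baseline side of the second branch (the "users adding agents to a pool that they have not added agents to before" check) has no `OperationName` filter — it takes every `AzureDevOpsAuditing` row in the 14-day window that carries an `AgentPoolName`, so a user who merely deleted or listed agents, or created the pool, counts as having a baseline and their first real `Library.AgentAdded` is suppressed by the `rightanti` join. Add `| where OperationName =~ "Library.AgentAdded"` to that historical sub-query, matching the first branch. The two branches also mix `=~` and `==` for the same operation name; pick one (the case-insensitive `=~` is the safer choice), and the in-query comment misspells "addeing".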
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb49283b-b564-43d4-868c-2a6186144d8e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb49283b-b564-43d4-868c-2a6186144d8e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet match_window = 3m;\nAzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/listKeys/action\") \n| where ActivityStatusValue == \"Success\"\n| extend TimeKey = bin(TimeGenerated, match_window), AzureIP = CallerIpAddress\n| join kind = inner\n(AzureActivity\n| where ResourceGroup has \"cloud-shell\"\n| where (OperationNameValue =~ \"Microsoft.Storage/storageAccounts/write\") \n| extend TimeKey = bin(TimeGenerated, match_window), UserIP = CallerIpAddress\n) on Caller, TimeKey\n| summarize count() by TimeKey, Caller, ResourceGroup, SubscriptionId, TenantId, AzureIP, UserIP, HTTPRequest, Type, Properties, CategoryValue, OperationList = strcat(OperationNameValue, ' , ', OperationNameValue1)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + 
"Execution" + ], + "techniques": null, + "displayName": "New CloudShell User", + "enabled": false, + "description": "Identifies when a user creates an Azure CloudShell for the first time.\nMonitor this activity to ensure only expected user are using CloudShell", + "alertRuleTemplateName": "6d7214d9-4a28-44df-aafb-0910b9e6ae3e" + } + } + ] +} \ No newline at end of file From c947b3d439b6094b54e29a34118e8245c7bd981d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:52 +0000 Subject: [PATCH 223/375] Exported file: New High Severity Vulnerability Detected Across Multiple Hosts (1).json.json --- ...ty Detected Across Multiple Hosts (1).json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json new file mode 100644 index 00000000..caab1b82 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts (1).json 
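Review bot: The resource has no `entityMappings`, although the query's final `summarize ... by TimeKey, Caller, ... AzureIP, UserIP, ...` exposes both the caller and a source IP; without a mapping the incident carries no Account or IP entity, so the `AllEntities` grouping setting has nothing to group on and analysts cannot pivot from the alert. The sibling rule hunks in this series map their account and IP columns, so the same block should be added here, keyed to `Caller` and `UserIP`. Separately, the description says the rule fires when a user creates a CloudShell "for the first time", but the query only correlates a `listKeys/action` with a `storageAccounts/write` inside a 3-minute `TimeKey` over a one-day window and never compares against earlier history; it presumably relies on the storage account being created on first use, which is worth stating in the description so the "first time" claim is not read as a baseline comparison.
```json
      "entityMappings": [
        {
          "entityType": "Account",
          "fieldMappings": [
            {
              "identifier": "FullName",
              "columnName": "Caller"
            }
          ]
        },
        {
          "entityType": "IP",
          "fieldMappings": [
            {
              "identifier": "Address",
              "columnName": "UserIP"
            }
          ]
        }
      ],
      "tactics": [
```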
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f88f852a-b2cb-4e34-b282-36549eb50b2b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f88f852a-b2cb-4e34-b282-36549eb50b2b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 10;\nQualysHostDetectionV2_CL\n| extend Status = tostring(Status_s), Vulnerability = tostring(QID_s), Severity = tostring(Severity_s)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(QID_s)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "enabled": false, + "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts", + "alertRuleTemplateName": "6116dc19-475a-4148-84b2-efe89c073e27" + } + } + ] +} \ No newline at end of file 
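Review bot: The `extend Vulnerability = tostring(QID_s)` column is computed and then discarded by the `summarize ... by tostring(QID_s)` that follows, and the result keeps only a host count, so the incident tells the analyst that ten or more hosts share a new severity-5 QID but not which hosts. Carrying the host set through costs one change to the summarize: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Hosts = make_set(NetBios_s), dcount(NetBios_s) by QID = tostring(QID_s)`, after which a `Host` entity mapping becomes possible. The description also misspells "multilple" and should read `"... detected across multiple hosts"`. The same unused column, missing host list and typo appear in the next hunk, the `New High Severity Vulnerability Detected Across Multiple Hosts.json` variant that reads `QualysHostDetection_CL` via `mv-expand` and keys on `Detections_s.QID`.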
From 51209857416687ad32b9973c9c2df0454795f43f Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:53 +0000 Subject: [PATCH 224/375] Exported file: New High Severity Vulnerability Detected Across Multiple Hosts.json.json --- ...bility Detected Across Multiple Hosts.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json diff --git a/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json new file mode 100644 index 00000000..82fd3921 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New High Severity Vulnerability Detected Across Multiple Hosts.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61a3f08d-ad2d-49cb-baac-9edc6235e968')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61a3f08d-ad2d-49cb-baac-9edc6235e968')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 10;\nQualysHostDetection_CL\n| mv-expand todynamic(Detections_s)\n| extend Status = tostring(Detections_s.Status), Vulnerability = tostring(Detections_s.Results), Severity = tostring(Detections_s.Severity)\n| where Status =~ \"New\" and Severity == \"5\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), dcount(NetBios_s) by tostring(Detections_s.QID)\n| where dcount_NetBios_s >= threshold\n| extend timestamp = StartTime\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New High Severity Vulnerability Detected Across Multiple Hosts", + "enabled": false, + "description": "This creates an incident when a new high severity vulnerability is detected across multilple hosts", + "alertRuleTemplateName": 
"84cf1d59-f620-4fee-b569-68daf7008b7b" + } + } + ] +} \ No newline at end of file From 923bda13788c3c3433032241b7c5e18935309ce8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:54 +0000 Subject: [PATCH 225/375] Exported file: New PA, PCA, or PCAS added to Azure DevOps.json.json --- ...A, PCA, or PCAS added to Azure DevOps.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json diff --git a/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json new file mode 100644 index 00000000..3e492d79 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New PA, PCA, or PCAS added to Azure DevOps.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efe3369b-f57f-4fb2-9570-d7a9fe32b526')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AzureDevOpsAuditing\n| where OperationName =~ \"Group.UpdateGroupMembership.Add\"\n| where Details has_any (\"Project Administrators\", \"Project Collection Administrators\", \"Project Collection Service Accounts\", \"Build Administrator\")\n| project-reorder TimeGenerated, Details, ActorUPN, IpAddress, UserAgent, AuthenticationMechanism, ScopeDisplayName\n| extend timekey = bin(TimeGenerated, 1h)\n| extend ActorUserId = tostring(Data.MemberId)\n| project timekey, ActorUserId, AddingUser=ActorUPN, TimeAdded=TimeGenerated, PermissionGrantDetails = Details\n// Get details of operations conducted by user soon after elevation of permissions\n| join (AzureDevOpsAuditing\n| extend ActorUserId = tostring(Data.MemberId)\n| extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId\n| summarize ActionsWhenAdded = make_set(OperationName) by ActorUPN, AddingUser, TimeAdded, PermissionGrantDetails, IpAddress, UserAgent\n| extend timestamp = TimeAdded, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New PA, PCA, or PCAS added to Azure DevOps", + "enabled": false, + "description": "In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. \nThis detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of \nusers granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these \nshould also be conducted.", + "alertRuleTemplateName": "35ce9aff-1708-45b8-a295-5e9a307f5f17" + } + } + ] +} \ No newline at end of file From 413b814e0e291eac2c0f0e0905eb18404c60e773 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:55 +0000 Subject: [PATCH 226/375] Exported file: New UserAgent observed in last 24 hours.json.json --- ...w UserAgent observed in last 24 hours.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json diff --git a/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json new file mode 100644 index 00000000..ffd6f64e --- /dev/null 
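Review bot: The join after the comment `// Get details of operations conducted by user soon after elevation of permissions` keys both sides on `ActorUserId = tostring(Data.MemberId)`, so the right side matches audit events whose `Data.MemberId` equals the newly added member, not events the new member performed; only membership-change events carry `Data.MemberId`, so `ActionsWhenAdded` would mostly collect other group changes rather than the user's post-elevation activity. If the intent is the latter, the right side should key on the acting identity of each event (the table's actor id column, if the connector provides one — confirm against the `AzureDevOpsAuditing` schema) while the left side keeps `Data.MemberId`, e.g. `| join (AzureDevOpsAuditing | extend timekey = bin(TimeGenerated, 1h)) on timekey, ActorUserId` with the left side's `ActorUserId` renamed to match. A second, smaller caveat: the `bin(TimeGenerated, 1h)` key means a grant at 10:58 and an action at 11:02 fall in different bins and never join, so "soon after" is an hour-aligned approximation; a comment in the query should say so.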
+++ b/SentinelExported-AnalyticsRule/New UserAgent observed in last 24 hours.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e6e0e8ce-5a81-4f90-b1c9-9a9368aeee3e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet UserAgentAll =\n(union isfuzzy=true\n(OfficeActivity\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, RecordType, Operation\n),\n(\nW3CIISLog\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(csUserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n),\n(\nAWSCloudTrail\n| where TimeGenerated >= ago(starttime)\n| where isnotempty(UserAgent)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventSource, EventName\n))\n// remove wordSize blocks of non-numeric hex characters prior to word extraction\n| extend UserAgentNoHexAlphas = replace(\"([A-Fa-f]{4,})\", \"x\", UserAgent)\n// once blocks of hex chars are removed, extract wordSize blocks of a-z\n| extend Tokens = extract_all(\"([A-Za-z]{4,})\", 
UserAgentNoHexAlphas)\n// concatenate extracted words to create a summarized user agent for baseline and comparison\n| extend NormalizedUserAgent = strcat_array(Tokens, \"|\")\n| project-away UserAgentNoHexAlphas, Tokens;\nUserAgentAll\n| where StartTime >= ago(endtime)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), count() by UserAgent, NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n| join kind=leftanti\n(\nUserAgentAll\n| where StartTime < ago(endtime)\n| summarize by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem\n)\non NormalizedUserAgent\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, AccountCustomEntity = Account\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "CommandAndControl", + "Execution" + ], + "techniques": null, + "displayName": "New UserAgent observed in last 24 hours", + "enabled": false, + "description": "Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection\nextracts words from user agents to build the baseline and determine rareity rather than perform a\ndirect comparison. 
This avoids FPs caused by version numbers and other high entropy user agent components.\nThese new UserAgents could be benign. However, in normally stable environments,\nthese new UserAgents could provide a starting point for investigating malicious activity.\nNote: W3CIISLog can be noisy depending on the environment, however OfficeActivity and AWSCloudTrail are\nusually stable with low numbers of detections.", + "alertRuleTemplateName": "b725d62c-eb77-42ff-96f6-bdc6745fc6e0" + } + } + ] +} \ No newline at end of file From 890247ce278cad2059d288cbabb2ad517abd0516 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:55 +0000 Subject: [PATCH 227/375] Exported file: New access credential added to Application or Service Principal.json.json --- ...d to Application or Service Principal.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json diff --git a/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json new file mode 100644 index 00000000..45837da8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New access credential added to Application or Service Principal.json 
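Review bot: The baseline side of the `join kind=leftanti` summarizes `by NormalizedUserAgent, SourceIP, Account, Type, RecordType, Operation, EventSource, EventName, sSiteName, csMethod, csUriStem`, but the join is `on NormalizedUserAgent` alone, so every extra grouping column only inflates the baseline row count over a 14-day window without affecting which agents are treated as new; `| summarize by NormalizedUserAgent` gives the same result with less work. Worth a comment as well: `replace("([A-Fa-f]{4,})", "x", UserAgent)` strips any run of four or more hex-alphabet letters, which includes ordinary words such as "face" or "cafe", so two agents that differ only in such a word normalize to the same token string; this is presumably acceptable for a rarity baseline but the comment above that line should say the filter is deliberately coarse.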
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bb0035d3-3ac9-40d5-976e-6076f906473c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bb0035d3-3ac9-40d5-976e-6076f906473c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "AuditLogs\n| where OperationName has_any (\"Add service principal\", \"Certificates and secrets management\") // captures \"Add service principal\", \"Add service principal credentials\", and \"Update application - Certificates and secrets management\" events\n| where Result =~ \"success\"\n| mv-expand target = TargetResources\n| where tostring(InitiatedBy.user.userPrincipalName) has \"@\" or tostring(InitiatedBy.app.displayName) has \"@\"\n| extend targetDisplayName = tostring(TargetResources[0].displayName)\n| extend targetId = tostring(TargetResources[0].id)\n| extend targetType = tostring(TargetResources[0].type)\n| extend keyEvents = TargetResources[0].modifiedProperties\n| mv-expand keyEvents\n| where keyEvents.displayName =~ \"KeyDescription\"\n| extend new_value_set = parse_json(tostring(keyEvents.newValue))\n| extend old_value_set = parse_json(tostring(keyEvents.oldValue))\n| where old_value_set != \"[]\"\n| extend diff = set_difference(new_value_set, old_value_set)\n| where isnotempty(diff)\n| parse diff with * \"KeyIdentifier=\" keyIdentifier:string \",KeyType=\" keyType:string \",KeyUsage=\" keyUsage:string \",DisplayName=\" 
keyDisplayName:string \"]\" *\n| where keyUsage == \"Verify\" or keyUsage == \"\"\n| extend UserAgent = iff(AdditionalDetails[0].key == \"User-Agent\",tostring(AdditionalDetails[0].value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n// The below line is currently commented out but Microsoft Sentinel users can modify this query to show only Application or only Service Principal events in their environment\n//| where targetType =~ \"Application\" // or targetType =~ \"ServicePrincipal\"\n| project-away diff, new_value_set, old_value_set\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "New access credential added to Application or Service Principal", + "enabled": false, + "description": "This 
will alert when an admin or app owner account adds a new credential to an Application or Service Principal where a verify KeyCredential was already present for the app.\nIf a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.\nAdditional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "79566f41-df67-4e10-a703-c38a6213afd8" + } + } + ] +} \ No newline at end of file From f846c3c0ed0869d5aff23b47925c107942857ce7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:56 +0000 Subject: [PATCH 228/375] Exported file: New executable via Office FileUploaded Operation.json.json --- ...ble via Office FileUploaded Operation.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json diff --git a/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json new file mode 100644 index 00000000..038be497 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New executable via Office FileUploaded Operation.json 
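Review bot: The filter `| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"` drops every credential addition initiated by an application identity whose display name contains no "@", which is the normal case for a service principal acting through Graph; presumably the intent is to exclude Microsoft-internal automation, but as written a credential added by a compromised app with directory write permissions would never reach the alert, and the description's threat model ("a threat actor obtains access to an account with sufficient privileges") covers exactly that path. If the exclusion is deliberate, a comment on that line should name what it filters out; otherwise a narrower condition such as `| where isnotempty(InitiatedBy.user.userPrincipalName) or isnotempty(InitiatedBy.app.displayName)` keeps app-initiated events visible and the later `InitiatingUserOrApp` extend already handles both shapes. Minor: `AdditionalDetails[0].key == "User-Agent"` assumes the user agent is always the first element; if the array order is not guaranteed a `mv-apply`/`where key == "User-Agent"` lookup is safer.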
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fb64019b-7f35-4f0b-8d8d-1fc74fd7f1e2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\n// a threshold can be enabled, see commented line below for PrevSeenCount\nlet threshold = 2;\nlet uploadOp = 'FileUploaded';\n// Extensions that are interesting. Add/Remove to this list as you see fit\nlet execExt = dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat']);\nlet starttime = 8d;\nlet endtime = 1d;\nOfficeActivity | where TimeGenerated >= ago(endtime)\n// Limited to File Uploads due to potential noise, comment out the Operation statement below to include any operation type\n// Additional, but potentially noisy operation types that include Uploads and Downloads can be included by adding the following - Operation contains \"upload\" or Operation contains \"download\"\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| project TimeGenerated, OfficeId, OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, UserAgent, Site_Url, SourceRelativeUrl, SourceFileName\n| join kind= leftanti (\nOfficeActivity | where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where Operation =~ uploadOp\n| where SourceFileExtension has_any (execExt)\n| summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName\n// To exclude previous matches when only above a specific count, change threshold above and uncomment the line below\n//| where PrevSeenCount > threshold\n| mvexpand SourceRelativeUrl, UserId\n| extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId)\n) on SourceFileName, SourceRelativeUrl, UserId \n| extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2])\n| extend UserIdUserFolderFormat = tolower(replace('@|\\\\.', '_',UserId))\n// identify when UserId is not a match to the specific site url personal folder reference\n| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) \n| summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), \nUserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName)\nby OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder\n| extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + 
"entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "New executable via Office FileUploaded Operation", + "enabled": false, + "description": "Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive.\nList currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions.\nAdditionally, identifies when a given user is uploading these files to another users workspace.\nThis may be indication of a staging location for malware or other malicious activity.", + "alertRuleTemplateName": "d722831e-88f5-4e25-b106-4ef6e29f8c13" + } + } + ] +} \ No newline at end of file From 66e1ed87d7f41c726571d90f3e3d851477315c9c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:57 +0000 Subject: [PATCH 229/375] Exported file: New internet-exposed SSH endpoints.json.json --- .../New internet-exposed SSH endpoints.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json diff --git a/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json new file mode 100644 index 00000000..77ac33c9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/New internet-exposed SSH endpoints.json 
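Review bot: The extension list `dynamic(['exe', 'inf', 'gzip', 'cmd', 'bat'])` is matched with `SourceFileExtension has_any (execExt)`, so it only fires when the recorded extension is literally `gzip`; if gzip archives are the intent, the extension Office records for them is normally `gz`, so `gzip` is likely a dead entry and the description's list should be adjusted to whatever is actually matched — confirm against a sample `OfficeActivity` row. Also, `| extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false )` wraps a boolean in a redundant `iff`; `| extend UserIdDiffThanUserFolder = Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat` reads the same. The `split(Site_Url, '/')[-2]` folder extraction assumes a trailing slash on `Site_Url`; a comment stating that assumption would help the next maintainer.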
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/de4a8f18-acf0-4738-a6b2-2302216fdf48')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/de4a8f18-acf0-4738-a6b2-2302216fdf48')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.'; \nlet avgthreshold = 0;\nlet probabilityLimit = 0.01;\nlet ssh_logins = Syslog\n| where Facility contains \"auth\" and ProcessName =~ \"sshd\"\n| where SyslogMessage has \"Accepted\"\n| extend SourceIP = extract(\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\",1,SyslogMessage) \n| where isnotempty(SourceIP)\n| extend ipType = iff(SourceIP matches regex PrivateIPregex,\"private\" ,\"public\");\nssh_logins \n| summarize privatecount=countif(ipType==\"private\"), publiccount=countif(ipType==\"public\") by HostName, HostIP, bin(EventTime, 1d)\n| summarize \npublicIPLoginHistory = make_list(pack('IPCount', publiccount, 'logon_time', EventTime)),\nprivateIPLoginHistory = make_list(pack('IPCount', privatecount, 'logon_time', EventTime)) by HostName, HostIP\n| mv-apply publicIPLoginHistory = publicIPLoginHistory on\n(\n order by todatetime(publicIPLoginHistory['logon_time']) asc\n | summarize publicIPLoginCountList=make_list(toint(publicIPLoginHistory['IPCount'])), publicAverage=avg(toint(publicIPLoginHistory['IPCount'])), 
publicStd=stdev(toint(publicIPLoginHistory['IPCount'])), maxPublicLoginCount=max(toint(publicIPLoginHistory['IPCount']))\n)\n| mv-apply privateIPLoginHistory = privateIPLoginHistory on\n(\n order by todatetime(privateIPLoginHistory['logon_time']) asc\n | summarize privateIPLoginCountList=make_list(toint(privateIPLoginHistory['IPCount'])), privateAverage=avg(toint(privateIPLoginHistory['IPCount'])), privateStd=stdev(toint(privateIPLoginHistory['IPCount']))\n)\n// Some logins from private IPs\n| where privateAverage > avgthreshold\n// There is a non-zero number of logins from public IPs\n| where publicAverage > avgthreshold\n// Approximate probability of seeing login from a public IP is < 1%\n| extend probabilityPublic = publicAverage / (privateAverage + publicAverage)\n| where probabilityPublic < probabilityLimit\n// Today has the highest number of logins from public IPs that we've seen in the last week\n| extend publicLoginCountToday = publicIPLoginCountList[-1]\n| where publicLoginCountToday >= maxPublicLoginCount\n| extend HostCustomEntity = HostName\n// Optionally retrieve the original raw data for those logins that we've identified as potentially suspect\n// | join kind=rightsemi (\n// ssh_logins\n// | where ipType == \"public\"\n// ) on HostName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "New internet-exposed SSH endpoints", + "enabled": false, + "description": "Looks for SSH endpoints with a history of sign-ins 
only from private IP addresses are accessed from a public IP address.", + "alertRuleTemplateName": "4915c713-ab38-432e-800b-8e2d46933de6" + } + } + ] +} \ No newline at end of file From 31c30bfbc8efe0987e38d6d4bf6ae2ad6e432944 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:58 +0000 Subject: [PATCH 230/375] Exported file: New user created and added to the built-in administrators group.json.json --- ... to the built-in administrators group.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json diff --git a/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json new file mode 100644 index 00000000..5c94c4cb --- /dev/null +++ b/SentinelExported-AnalyticsRule/New user created and added to the built-in administrators group.json 
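Review bot: `| extend publicLoginCountToday = publicIPLoginCountList[-1]` takes the last element of a list ordered by `logon_time`, which is the most recent day that had any SSH login, not necessarily the current day; with `queryFrequency` of one day and a seven-day `queryPeriod`, a host whose public-IP spike is followed by days without logins would presumably re-alert each day until the spike ages out of the window. Carrying the latest bin through the aggregation and filtering on it avoids that: add `LastLoginDay = max(EventTime)` to the second `summarize` and follow the `publicLoginCountToday` extend with `| where LastLoginDay >= ago(1d)`. Worth a comment too: the `extract` regex only captures IPv4, so IPv6 sshd sessions are dropped by the `isnotempty(SourceIP)` filter and never counted as either private or public, and `PrivateIPregex` omits link-local `169.254.` and CGNAT `100.64.`–`100.127.` ranges, which would be classified as public.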
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/495ef656-bd0f-4a92-a97c-17eab3d1b0b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "SecurityEvent\n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), \nCreatedUser = tolower(TargetAccount), CreatedUserSid = TargetSid, AccountUsedToCreateUser = strcat(SubjectAccount), SidofAccountUsedToCreateUser = SubjectUserSid\n| join (\nSecurityEvent \n| where AccountType == \"User\"\n// 4732 - A member was added to a security-enabled local group\n| where EventID == 4732\n//TargetSid is the builin Admins group: S-1-5-32-544\n| where TargetSid == \"S-1-5-32-544\"\n| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = tolower(TargetAccount), \nGroupSid = TargetSid, AccountThatAddedUser = SubjectAccount, SIDofAccountThatAddedUser = SubjectUserSid, CreatedUserSid = MemberSid\n)\non CreatedUserSid\n//Create User first, then the add to the group.\n| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, GroupAddTime, GroupAddEventID, \nGroupAddActivity, 
AccountUsedToCreateUser, GroupName, GroupSid, AccountThatAddedUser, SIDofAccountThatAddedUser \n| extend timestamp = CreatedUserTime, AccountCustomEntity = CreatedUser, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "New user created and added to the built-in administrators group", + "enabled": false, + "description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.", + "alertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db" + } + } + ] +} \ No newline at end of file From b11ef32114f29208430125697b7e60543b53ccfb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:58 +0000 Subject: [PATCH 231/375] Exported file: Non Domain Controller Active Directory Replication.json.json --- ...ntroller Active Directory Replication.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json 
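Review bot: The `join` in the query correlates on `CreatedUserSid` only, and because both sides carry `Computer` the final `project Computer` keeps just the left (creation) host, so when the 4732 group addition happened on a different machine that host is missing from the alert; projecting `GroupAddComputer = toupper(Computer)` on the right side and adding it to the final `project` preserves it. The comment `//Create User first, then the add to the group.` is not enforced by anything, and a cheap `| where GroupAddTime >= CreatedUserTime` after the join would make it true. `AccountUsedToCreateUser = strcat(SubjectAccount)` is a single-argument `strcat` and reads more clearly as `AccountUsedToCreateUser = SubjectAccount`. With `queryPeriod` and `queryFrequency` both `P1D`, a creation and a group addition that straddle two consecutive runs are never paired, which is worth stating in the description if it is accepted.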
diff --git a/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json new file mode 100644 index 00000000..c5cfad18 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Non Domain Controller Active Directory Replication.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/916dae72-d95a-41c4-9370-30ff57177fbf')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/916dae72-d95a-41c4-9370-30ff57177fbf')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, SourceAddress = IpAddress \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Non Domain Controller Active Directory Replication", + "enabled": false, + "description": "This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare. Ref: https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html'", + "alertRuleTemplateName": "b9d2eebc-5dcb-4888-8165-900db44443ab" + } + } + ] +} \ No newline at end of file From dfeb574f0f0867ba699d8b274afe8901b7769053 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:17:59 +0000 Subject: [PATCH 232/375] Exported file: OMI Vulnerability Exploitation.json.json --- .../OMI Vulnerability Exploitation.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json 
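Review bot: The `join kind=leftouter ... on $left.SubjectLogonId == $right.TargetLogonId` in the query pairs events on logon ID alone, but logon IDs are only unique per machine, so a 4662 from one domain controller can be matched to a 4624 on another and `IpAddress`/`SourceAddress` then names the wrong client; project `Computer` on the right side and join on both, `on Computer, $left.SubjectLogonId == $right.TargetLogonId`. `AccountType != 'Machine'` is the only exclusion, so any non-machine account that legitimately holds DS-Replication-Get-Changes-All (directory synchronisation service accounts, for instance) will raise a High alert every run; an allowlist of known replication accounts, similar to the commented-out `DCServersList`, is worth adding before the rule is enabled. The description string ends with a stray `'` after the reference URL.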
diff --git a/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json new file mode 100644 index 00000000..c84ef3f2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/OMI Vulnerability Exploitation.json @@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c34a8927-e01b-4de6-ae5f-52fb6ac204f9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let OMIVulnerabilityPatchVersion = \"OMIVulnerabilityPatchVersion:1.13.40-0\";\nHeartbeat\n| where Category == \"Direct Agent\"\n| summarize arg_max(TimeGenerated,*) by Computer\n| parse strcat(\"Version:\" , Version) with * \"Version:\" Major:long \".\"\nMinor:long \".\" Patch:long \"-\" *\n| parse OMIVulnerabilityPatchVersion with * \"OMIVulnerabilityPatchVersion:\"\nOMIVersionMajor:long \".\" OMIVersionMinor:long \".\" OMIVersionPatch:long \"-\" *\n| where Major Date: Sun, 26 Feb 2023 02:18:00 +0000 Subject: [PATCH 233/375] Exported file: Office policy tampering.json.json --- .../Office policy tampering.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Office policy tampering.json 
diff --git a/SentinelExported-AnalyticsRule/Office policy tampering.json b/SentinelExported-AnalyticsRule/Office policy tampering.json new file mode 100644 index 00000000..319b74f2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Office policy tampering.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b5f615-d10b-4b28-9d3e-eaceb0b9d54b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let opList = OfficeActivity \n| summarize by Operation\n//| where Operation startswith \"Remove-\" or Operation startswith \"Disable-\"\n| where Operation has_any (\"Remove\", \"Disable\")\n| where Operation contains \"AntiPhish\" or Operation contains \"SafeAttachment\" or Operation contains \"SafeLinks\" or Operation contains \"Dlp\" or Operation contains \"Audit\"\n| summarize make_set(Operation);\nOfficeActivity\n// Only admin or global-admin can disable/remove policy\n| where RecordType =~ \"ExchangeAdmin\"\n| where UserType in~ (\"Admin\",\"DcAdmin\")\n// Pass in interesting Operation list\n| where Operation in~ (opList)\n| extend ClientIPOnly = case( \nClientIP has \".\", tostring(split(ClientIP,\":\")[0]), \nClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))),\nClientIP\n) \n| extend Port = case(\nClientIP has \".\", (split(ClientIP,\":\")[1]),\nClientIP has \"[\", tostring(split(ClientIP,\"]:\")[1]),\nClientIP\n)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP = ClientIPOnly, Port, ResultStatus, 
Parameters\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Office policy tampering", + "enabled": false, + "description": "Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. \nAn adversary may use this technique to evade detection or avoid other policy based defenses.\nReferences: https://docs.microsoft.com/powershell/module/exchange/advanced-threat-protection/remove-antiphishrule?view=exchange-ps.", + "alertRuleTemplateName": "fbd72eb8-087e-466b-bd54-1ca6ea08c6d3" + } + } + ] +} \ No newline at end of file From 8abc320acf90343dd735a99cded3f3650e142bff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:01 +0000 Subject: [PATCH 234/375] Exported file: PIM Elevation Request Rejected.json.json --- .../PIM Elevation Request Rejected.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json 
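Review bot: The description says the rule identifies "any tampering" of the AntiPhish, SafeLinks, SafeAttachment, Dlp and audit policies, but `opList` only keeps operations matching `has_any (\"Remove\", \"Disable\")`, so a `Set-*` cmdlet that weakens a policy in place (changed actions, added exclusions) is out of scope; either extend the operation filter or narrow the description to removal and disablement. In the `Port` case expression the branch `ClientIP has \".\", (split(ClientIP,\":\")[1])` is the only one not wrapped in `tostring()`, unlike the matching branch in `ClientIPOnly`; wrapping it keeps the column type consistent across branches. The first commented-out `startswith` filter line can be dropped now that `has_any` replaced it.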
diff --git a/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json new file mode 100644 index 00000000..dec0deb4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PIM Elevation Request Rejected.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a9e6f155-4049-4401-89e3-a9f769675eb6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a9e6f155-4049-4401-89e3-a9f769675eb6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT2H", + "queryPeriod": "PT2H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "AuditLogs\n| where ActivityDisplayName =~'Add member to role completed (PIM activation)'\n| where Result == \"failure\"\n| extend Role = tostring(TargetResources[3].displayName)\n| extend User = tostring(TargetResources[2].displayName)\n| project-reorder TimeGenerated, User, Role, OperationName, Result, ResultDescription\n| extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n| extend AccountCustomEntity = User, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "PIM Elevation Request Rejected", + "enabled": false, + "description": "Identifies when a user is rejected for a privileged role elevation via PIM. Monitor rejections for indicators of attacker compromise of the requesting account.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-identity-management", + "alertRuleTemplateName": "7d7e20f8-3384-4b71-811c-f5e950e8306c" + } + } + ] +} \ No newline at end of file From 7057bd4fa8848576dbc1342f1218de47847b7a62 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:02 +0000 Subject: [PATCH 235/375] Exported file: Palo Alto - possible internal to external port scanning.json.json --- ...le internal to external port scanning.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json diff --git a/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json new file mode 100644 index 00000000..1a1c74aa --- /dev/null +++ b/SentinelExported-AnalyticsRule/Palo Alto - possible internal to external port scanning.json 
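Review bot: `Role = tostring(TargetResources[3].displayName)` and `User = tostring(TargetResources[2].displayName)` rely on fixed positions in the `TargetResources` array, and the entity mapping `AccountCustomEntity = User` will silently carry the wrong value if that order differs between events; selecting the element by its type field (for example with `mv-apply` over `TargetResources`, with the exact type values confirmed against the data) is more robust. `InitiatingUser` is extended but neither mapped as an entity nor used afterwards; if it is meant for the analyst it should be added to `entityMappings`, otherwise it can be dropped. The `description` mentions monitoring rejections for signs of compromise of the requesting account, so mapping the initiating user as a second Account entity would make that triage easier.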
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/74131d4a-83fd-4606-a5f4-71dc1d169a3d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nCommonSecurityLog \n| where isnotempty(DestinationPort) and DeviceAction !in (\"reset-both\", \"deny\") \n// filter out common usage ports. Add ports that are legitimate for your environment\n| where DestinationPort !in (\"443\", \"53\", \"389\", \"80\", \"0\", \"880\", \"8888\", \"8080\")\n| where ApplicationProtocol == \"incomplete\" \n// filter out IANA ephemeral or negotiated ports as per https://en.wikipedia.org/wiki/Ephemeral_port\n| where DestinationPort !between (toint(49512) .. toint(65535)) \n| where Computer != \"\" \n| where DestinationIP !startswith \"10.\"\n// Filter out any graceful reset reasons of AGED OUT which occurs when a TCP session closes with a FIN due to aging out. 
\n| where AdditionalExtensions !has \"reason=aged-out\" \n// Filter out any TCP FIN which occurs when a TCP FIN is used to gracefully close half or both sides of a connection.\n| where AdditionalExtensions !has \"reason=tcp-fin\" \n// Uncomment one of the following where clauses to trigger on specific TCP reset reasons\n// See Palo Alto article for details - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK\n// TCP RST-server - Occurs when the server sends a TCP reset to the client\n// | where AdditionalExtensions has \"reason=tcp-rst-from-server\" \n// TCP RST-client - Occurs when the client sends a TCP reset to the server\n// | where AdditionalExtensions has \"reason=tcp-rst-from-client\" \n| extend reason = tostring(split(AdditionalExtensions, \";\")[3])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP\n| where count_ >= 10\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction\n| extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": 
"Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Palo Alto - possible internal to external port scanning", + "enabled": false, + "description": "Identifies a list of internal Source IPs (10.x.x.x Hosts) that have triggered 10 or more non-graceful tcp server resets from one or more Destination IPs which \nresults in an \"ApplicationProtocol = incomplete\" designation. The server resets coupled with an \"Incomplete\" ApplicationProtocol designation can be an indication \nof internal to external port scanning or probing attack. \nReferences: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUvCAK and\nhttps://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTaCAK", + "alertRuleTemplateName": "5b72f527-e3f6-4a00-9908-8e4fee14da9f" + } + } + ] +} \ No newline at end of file From fb92600d8167563fe065c4d7cfad980acc6cd02d Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:03 +0000 Subject: [PATCH 236/375] Exported file: Palo Alto - potential beaconing detected.json.json --- ...o Alto - potential beaconing detected.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json diff --git a/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json new file mode 100644 index 00000000..88c05774 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Palo Alto - potential beaconing detected.json 
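Review bot: The ephemeral-port exclusion `DestinationPort !between (toint(49512) .. toint(65535))` does not match the IANA range the comment cites (49152–65535), so ports 49152–49511 still count toward the threshold; change it to `toint(49152)`. The description says the rule targets internal 10.x.x.x source hosts, but the query never constrains `SourceIP` and only excludes `DestinationIP !startswith \"10.\"`, so 172.16/12 and 192.168/16 destinations are treated as external; a source private-range check (the `PrivateIPregex` from the beaconing rule in PATCH 236 would do) would align the query with the description. `reason = tostring(split(AdditionalExtensions, \";\")[3])` depends on field position rather than the `reason=` key, and `makeset(DestinationIP)` is the legacy spelling of `make_set()`.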
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e901d93b-d192-4fac-8c53-9e023b8ef3c0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 2d;\nlet endtime = 1d;\nlet TimeDeltaThreshold = 10;\nlet TotalEventsThreshold = 15;\nlet PercentBeaconThreshold = 80;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\" and Activity == \"TRAFFIC\"\n| where TimeGenerated between (ago(starttime)..ago(endtime))\n| extend DestinationIPType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIPType == \"public\"\n| project TimeGenerated, DeviceName, SourceUserID, SourceIP, SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| sort by SourceIP asc,TimeGenerated asc, DestinationIP asc, DestinationPort asc\n| serialize\n| extend nextTimeGenerated = next(TimeGenerated, 1), nextSourceIP = next(SourceIP, 1)\n| extend TimeDeltainSeconds = datetime_diff('second',nextTimeGenerated,TimeGenerated)\n| where SourceIP == nextSourceIP\n//Whitelisting criteria/ threshold criteria\n| where TimeDeltainSeconds > TimeDeltaThreshold \n| project TimeGenerated, TimeDeltainSeconds, DeviceName, SourceUserID, SourceIP, 
SourcePort, DestinationIP, DestinationPort, ReceivedBytes, SentBytes\n| summarize count(), sum(ReceivedBytes), sum(SentBytes), make_list(TimeDeltainSeconds) \nby TimeDeltainSeconds, bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| summarize (MostFrequentTimeDeltaCount, MostFrequentTimeDeltainSeconds) = arg_max(count_, TimeDeltainSeconds), TotalEvents=sum(count_), TotalSentBytes = sum(sum_SentBytes), TotalReceivedBytes = sum(sum_ReceivedBytes) \nby bin(TimeGenerated, 1h), DeviceName, SourceUserID, SourceIP, DestinationIP, DestinationPort\n| where TotalEvents > TotalEventsThreshold \n| extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100\n| where BeaconPercent > PercentBeaconThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Palo Alto - potential beaconing detected", + "enabled": false, + "description": "Identifies beaconing patterns from Palo Alto Network traffic logs based on recurrent timedelta patterns. 
\nThe query leverages various KQL functions to calculate time deltas and then compares it with total events observed in a day to find percentage of beaconing. \nThis outbound beaconing pattern to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts.\nReference Blog:\nhttp://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/", + "alertRuleTemplateName": "f0be259a-34ac-4946-aa15-ca2b115d5feb" + } + } + ] +} \ No newline at end of file From 8b62df8849c38c698f28eb4f5b0b9a8cd216cacf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:03 +0000 Subject: [PATCH 237/375] Exported file: Password spray attack against Azure AD application.json.json --- ...y attack against Azure AD application.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json diff --git a/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json new file mode 100644 index 00000000..a50426ef --- /dev/null +++ b/SentinelExported-AnalyticsRule/Password spray attack against Azure AD application.json 
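Review bot: The query keeps rows with `TimeGenerated between (ago(starttime)..ago(endtime))` where `starttime = 2d` and `endtime = 1d`, while the rule's `queryPeriod` is `P1D`; if Sentinel bounds the data the query can read to the last `queryPeriod`, that window is empty and the rule never fires, so either raise `queryPeriod` to `P2D` or set `let endtime = 0d;`. The interval from `next(TimeGenerated, 1)` is accepted when only `SourceIP == nextSourceIP`, and the `sort` orders `TimeGenerated` before `DestinationIP`, so the delta is the gap to the source's next event to any destination and is then grouped per destination, which can dilute a genuine beacon among other traffic; sorting `DestinationIP, DestinationPort` ahead of `TimeGenerated` and requiring them to match as `SourceIP` does would measure per-destination intervals. `PrivateIPregex` omits link-local 169.254/16, which may be worth adding if such addresses appear in these logs.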
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5141be2-18ae-4afc-a9f5-b07e5746cee1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeRange = 3d;\nlet lookBack = 7d;\nlet authenticationWindow = 20m;\nlet authenticationThreshold = 5;\nlet isGUID = \"[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\";\nlet failureCodes = dynamic([50053, 50126, 50055]); // invalid password, account is locked - too many sign ins, expired password\nlet successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);\n// Lookup up resolved identities from last 7 days\nlet aadFunc = (tableName:string){\nlet identityLookup = table(tableName)\n| where TimeGenerated >= ago(lookBack)\n| where not(Identity matches regex isGUID)\n| where isnotempty(UserId)\n| summarize by UserId, lu_UserDisplayName = UserDisplayName, lu_UserPrincipalName = UserPrincipalName, Type;\n// collect window threshold breaches\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), count() by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, UserPrincipalName, Type\n| summarize 
FailedPrincipalCount = dcount(UserPrincipalName) by bin(TimeGenerated, authenticationWindow), IPAddress, AppDisplayName, Type\n| where FailedPrincipalCount >= authenticationThreshold\n| summarize WindowThresholdBreaches = count() by IPAddress, Type\n| join kind= inner (\n// where we breached a threshold, join the details back on all failure data\ntable(tableName)\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(failureCodes)\n| extend LocationDetails = todynamic(LocationDetails)\n| extend FullLocation = strcat(LocationDetails.countryOrRegion,'|', LocationDetails.state, '|', LocationDetails.city)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), make_set(ClientAppUsed), make_set(FullLocation), FailureCount = count() by IPAddress, AppDisplayName, UserPrincipalName, UserDisplayName, Identity, UserId, Type\n// lookup any unresolved identities\n| extend UnresolvedUserId = iff(Identity matches regex isGUID, UserId, \"\")\n| join kind= leftouter (\n identityLookup \n) on $left.UnresolvedUserId==$right.UserId\n| extend UserDisplayName=iff(isempty(lu_UserDisplayName), UserDisplayName, lu_UserDisplayName)\n| extend UserPrincipalName=iff(isempty(lu_UserPrincipalName), UserPrincipalName, lu_UserPrincipalName)\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), make_set(UserPrincipalName), make_set(UserDisplayName), make_set(set_ClientAppUsed), make_set(set_FullLocation), make_list(FailureCount) by IPAddress, AppDisplayName, Type\n| extend FailedPrincipalCount = arraylength(set_UserPrincipalName)\n) on IPAddress\n| project IPAddress, StartTime, EndTime, TargetedApplication=AppDisplayName, FailedPrincipalCount, UserPrincipalNames=set_UserPrincipalName, UserDisplayNames=set_UserDisplayName, ClientAppsUsed=set_set_ClientAppUsed, Locations=set_set_FullLocation, FailureCountByPrincipal=list_FailureCount, WindowThresholdBreaches, Type\n| join kind= inner (\ntable(tableName) // get data on success vs. 
failure history for each IP\n| where TimeGenerated > ago(timeRange)\n| where ResultType in(successCodes) or ResultType in(failureCodes) // success or failure types\n| summarize GlobalSuccessPrincipalCount = dcountif(UserPrincipalName, (ResultType in(successCodes))), ResultTypeSuccesses = make_set_if(ResultType, (ResultType in(successCodes))), GlobalFailPrincipalCount = dcountif(UserPrincipalName, (ResultType in(failureCodes))), ResultTypeFailures = make_set_if(ResultType, (ResultType in(failureCodes))) by IPAddress, Type\n| where GlobalFailPrincipalCount > GlobalSuccessPrincipalCount // where the number of failed principals is greater than success - eliminates FPs from IPs who authenticate successfully alot and as a side effect have alot of failures\n) on IPAddress\n| project-away IPAddress1\n| extend timestamp=StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Password spray attack against Azure AD application", + "enabled": false, + "description": "Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same\nIP address within a time window. 
If the number of accounts breaches the threshold just once, all failures from the IP address within the time range\nare bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.\nThis can be an indicator that an attack was successful.\nThe default failure acccount threshold is 5, Default time window for failures is 20m and default look back window is 3 days\nNote: Due to the number of possible accounts involved in a password spray it is not possible to map identities to a custom entity.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.", + "alertRuleTemplateName": "48607a29-a26a-4abf-8078-a06dbdd174a4" + } + } + ] +} \ No newline at end of file From 97b5f023c3ae77e139fc1e634c39e88908d117ff Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:04 +0000 Subject: [PATCH 238/375] Exported file: Port Scan Detected.json.json --- .../Port Scan Detected.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Port Scan Detected.json diff --git a/SentinelExported-AnalyticsRule/Port Scan Detected.json b/SentinelExported-AnalyticsRule/Port Scan Detected.json new file mode 100644 index 00000000..9aee9b63 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Port Scan Detected.json 
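Review bot: ResultType 50055 appears in both `failureCodes` and `successCodes`, so the same expired-password event is counted by both `dcountif` branches of the success-vs-failure summarize, which skews the final `GlobalFailPrincipalCount > GlobalSuccessPrincipalCount` filter in a way the inline comment does not describe. Decide which bucket an expired-password sign-in belongs to and drop it from the other, e.g. `let successCodes = dynamic([0, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);`. Separately, `isGUID` only covers lower-case characters and KQL `matches regex` is case-sensitive, so an upper-case GUID in `Identity` would not be treated as unresolved; `[0-9a-fA-F]` classes (or matching on `tolower(Identity)`) would make the identity lookup robust to that. The description text also misspells "acccount".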
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4f1de90b-7ff1-441a-af02-0a2a86ca9848')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 50;\nSophosXGFirewall\n| where Log_Type =~ \"Firewall\"\n| where not(ipv4_is_match(\"10.0.0.0\",Src_IP,8) or ipv4_is_match(\"172.16.0.0\",Src_IP,12) or ipv4_is_match(\"192.168.0.0\",Src_IP,16))\n| summarize dcount(Dst_Port) by Src_IP, bin(TimeGenerated, 5m)\n| where dcount_Dst_Port > threshold\n| extend timestamp = TimeGenerated, IPCustomEntity = Src_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Port Scan Detected", + "enabled": false, + "description": "This alert creates an incident when a source IP addresses attempt to communicate with a large amount of distinct ports within a short 
period.", + "alertRuleTemplateName": "427e4c9e-8cf4-4094-a684-a2d060dbca38" + } + } + ] +} \ No newline at end of file From 687233022404846786354c84a451901c155163fe Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:05 +0000 Subject: [PATCH 239/375] Exported file: Possible STRONTIUM attempted credential harvesting - Oct 2020.json.json --- ...pted credential harvesting - Oct 2020.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json new file mode 100644 index 00000000..90a1a987 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Oct 2020.json 
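Review bot: The `ipv4_is_match` filter drops every RFC 1918 source, so a scan launched from an already-compromised internal host — the Discovery-stage case the `Discovery` tactic tag points at — never reaches the `dcount(Dst_Port)` threshold logic; only probes from non-private addresses are reported. If that scope is intended, state it in the query, e.g. `// Scope: non-RFC 1918 sources only; scans from internal hosts are not covered by this rule`, otherwise the exclusion could be lifted into a variable so the internal case can be enabled. Note also that the 5-minute `bin()` splits a scan that straddles a bucket boundary across two rows, so `threshold = 50` effectively has to be reached inside a single 5-minute bucket rather than within any 5-minute span.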
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/14c4920e-9a71-4680-aa78-da32072e8dc2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/14c4920e-9a71-4680-aa78-da32072e8dc2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let User_Agents = dynamic ([\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70\", \n\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.1 Safari/605.1.15\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0\", \n\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\", \n\"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = todynamic(ExtendedProperties).Value\n| where UserAgent =~ \"ms-office\" or UserAgent has_any (User_Agents)\n| summarize authAttempts=dcount(TimeGenerated), 
firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Possible STRONTIUM attempted credential harvesting - Oct 2020", + "enabled": false, + "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.", + "alertRuleTemplateName": "68271db2-cbe9-4009-b1d3-bb3b5fe5713c" + } + } + ] +} \ No newline at end of file From d7a7337fc5c7cbc2befb606e63a51ddaa1352963 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:06 +0000 Subject: [PATCH 240/375] Exported file: Possible STRONTIUM attempted credential harvesting - Sept 2020.json.json --- ...ted credential harvesting - Sept 2020.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json diff --git a/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json new file mode 100644 index 00000000..a0d47cdb --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible STRONTIUM attempted credential harvesting - Sept 2020.json 
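Review bot: The rule has no `entityMappings` and the query sets only `timestamp`, so incidents carry no Account or IP entities even though `attemptedAccounts` and `uniqueIPs` are computed; the sibling rule `Possible STRONTIUM attempted credential harvesting - Sept 2020` (PATCH 240) has the same gap. Because the final `summarize ... by UserAgent` collapses accounts and IPs into sets, an entity cannot be mapped without reshaping the output (for example a trailing `| mv-expand attemptedAccounts` at the cost of one row per account); if the aggregation is deliberate, a description line such as `Note: results are aggregated per user agent, so no entity mapping is possible` would document it, as the password-spray rule does. `RequestType` is extended but never used afterwards and could be dropped.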
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/941e3a2b-8eed-4cb4-afba-1322838fcbb2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P7D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let IPs = dynamic ([\"199.249.230.\",\"185.220.101.\",\"23.129.64.\",\"109.70.100.\",\"185.220.102.\"]);\nOfficeActivity\n| where RecordType in (\"AzureActiveDirectoryAccountLogon\", \"AzureActiveDirectoryStsLogon\") \n| where Operation != 'UserLoggedIn'\n| extend UserAgent = iff(parse_json(ExtendedProperties)[0].Name =~ \"UserAgent\", extractjson(\"$[0].Value\", ExtendedProperties, typeof(string)),\"\")\n| mv-expand parse_json(ExtendedProperties)\n| where ExtendedProperties.Name =~ \"RequestType\"\n| extend RequestType = ExtendedProperties.Value\n| where ClientIP has_any (IPs)\n| summarize authAttempts=dcount(TimeGenerated), firstAttempt=min(TimeGenerated), lastAttempt=max(TimeGenerated), uniqueIPs=dcount(ClientIP), uniqueAccounts=dcount(UserId), attemptedAccounts=make_set(UserId) by UserAgent\n| where authAttempts > 2500\n| extend timestamp = firstAttempt\n| sort by uniqueAccounts\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Possible STRONTIUM attempted credential harvesting - Sept 2020", + "enabled": false, + "description": "Surfaces potential STRONTIUM group Office365 credential harvesting attempts within OfficeActivity Logon events.\nReferences: https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/.", + "alertRuleTemplateName": "04384937-e927-4595-8f3c-89ff58ed231f" + } + } + ] +} \ No newline at end of file From 82598fda882434e641f0d87eb652cc2df67a5829 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:06 +0000 Subject: [PATCH 241/375] Exported file: Possible contact with a domain generated by a DGA.json.json --- ...tact with a domain generated by a DGA.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json diff --git a/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json new file mode 100644 index 00000000..15c28f10 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Possible contact with a domain generated by a DGA.json 
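Review bot: `ClientIP has_any (IPs)` performs a term-based string match against values such as `"199.249.230."`, which is not a range test: whether a trailing-dot prefix matches depends on KQL term tokenization and should be verified, and a string match cannot express the /24 the prefixes imply. Expressing the indicator list as CIDRs and using the IP range function is unambiguous: `let IPs = dynamic(["199.249.230.0/24","185.220.101.0/24","23.129.64.0/24","109.70.100.0/24","185.220.102.0/24"]);` with `| where ipv4_is_in_any_range(ClientIP, IPs)`. The indicator list is dated September 2020 and the rule ships with `"enabled": false`, which is appropriate for an aged IOC set; the description could state that the list is static and needs review before enabling.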
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/340041fc-2cb7-423b-9da9-ec04a258f864')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/340041fc-2cb7-423b-9da9-ec04a258f864')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet triThreshold = 500;\nlet startTime = 6h;\nlet dgaLengthThreshold = 8;\n// fetch the alexa top 1M domains\nlet top1M = (externaldata (Position:int, Domain:string) [@\"http://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip\"] with (format=\"csv\", zipPattern=\"*.csv\"));\n// extract tri grams that are above our threshold - i.e. 
are common\nlet triBaseline = top1M\n| extend Domain = tolower(extract(\"([^.]*).{0,7}$\", 1, Domain))\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", Domain), extract_all(\"(...)\", substring(Domain, 1)), extract_all(\"(...)\", substring(Domain, 2)))\n| mvexpand Trigram=AllTriGrams\n| summarize triCount=count() by tostring(Trigram)\n| sort by triCount desc\n| where triCount > triThreshold\n| distinct Trigram;\n// collect domain information from common security log, filter and extract the DGA candidate and its trigrams\nlet allDataSummarized = CommonSecurityLog\n| where TimeGenerated > ago(startTime)\n| where isnotempty(DestinationHostName)\n| extend Name = tolower(DestinationHostName)\n| distinct Name\n| where Name has \".\"\n| where Name !endswith \".home\" and Name !endswith \".lan\"\n// extract DGA candidate\n| extend DGADomain = extract(\"([^.]*).{0,7}$\", 1, Name)\n| where strlen(DGADomain) > dgaLengthThreshold\n// throw out domains with number in them\n| where DGADomain matches regex \"^[A-Za-z]{0,}$\"\n// extract the tri grams from summarized data\n| extend AllTriGrams = array_concat(extract_all(\"(...)\", DGADomain), extract_all(\"(...)\", substring(DGADomain, 1)), extract_all(\"(...)\", substring(DGADomain, 2)));\n// throw out domains that have repeating tri's and/or >=3 repeating letters\nlet nonRepeatingTris = allDataSummarized\n| join kind=leftanti\n(\n allDataSummarized\n | mvexpand AllTriGrams\n | summarize count() by tostring(AllTriGrams), DGADomain\n | where count_ > 1\n | distinct DGADomain\n)\non DGADomain;\n// find domains that do not have a common tri in the baseline\nlet dataWithRareTris = nonRepeatingTris\n| join kind=leftanti\n(\n nonRepeatingTris\n | mvexpand AllTriGrams\n | extend Trigram = tostring(AllTriGrams)\n | distinct Trigram, DGADomain\n | join kind=inner\n (\n triBaseline\n )\n on Trigram\n | distinct DGADomain\n)\non DGADomain;\ndataWithRareTris\n// join DGAs back on connection data\n| join kind=inner\n(\n 
CommonSecurityLog\n | where TimeGenerated > ago(startTime)\n | where isnotempty(DestinationHostName)\n | extend DestinationHostName = tolower(DestinationHostName)\n | project-rename Name=DestinationHostName, DataSource=DeviceVendor\n | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by Name, SourceIP, DestinationIP, DataSource\n)\non Name\n| project StartTime, EndTime, Name, DGADomain, SourceIP, DestinationIP, DataSource\n| extend timestamp=StartTime, IPCustomEntity=SourceIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Possible contact with a domain generated by a DGA", + "enabled": false, + "description": "Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used\nby malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model\nof what normal domains look like. 
It uses this to identify domains that may have been randomly generated by an algorithm.\nThe triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely.\nThe start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.", + "alertRuleTemplateName": "4acd3a04-2fad-4efc-8a4b-51476594cec4" + } + } + ] +} \ No newline at end of file From 9437fa675e08c19a9ed26a3480bb9f0dd78005c0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:07 +0000 Subject: [PATCH 242/375] Exported file: Potential Build Process Compromise - MDE.json.json --- ...ential Build Process Compromise - MDE.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json new file mode 100644 index 00000000..7ddfad51 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise - MDE.json 
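Review bot: The trigram baseline is rebuilt on every run via `externaldata` from a plain-`http://` URL on a third-party bucket, so the rule's output depends on an unauthenticated, non-integrity-protected download performed every six hours: if the fetch fails the whole query errors (no alerts, silently), if it returns an empty list every candidate survives the `leftanti` join against `triBaseline` as "rare", and tampering with the list would quietly shift what is flagged. Prefer the TLS form of the same URL if the bucket serves it, `https://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip`, and document the dependency and failure mode next to the `externaldata` line. Also, the comment `// fetch the alexa top 1M domains` and the description's "Alexa Top 1 million" do not match the URL, which is the Cisco Umbrella top-1M list; `// fetch the Cisco Umbrella top 1M domains (external dependency)` would be accurate.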
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/66ee9d45-4e7e-4b0d-a361-377cd3662750')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/66ee9d45-4e7e-4b0d-a361-377cd3662750')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([]);\nDeviceProcessEvents\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where FileName has_any (build_processes)\n| summarize by BuildParentProcess=InitiatingProcessFileName, BuildProcess=FileName, BuildAccount = AccountName, DeviceName, BuildCommand=ProcessCommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nDeviceFileEvents\n| where TimeGenerated > ago(timeframe)\n| where InitiatingProcessFileName !in (allow_list)\n| where ActionType == \"FileCreated\" or ActionType == \"FileModified\"\n// Look for code files, edit this to include file extensions used in build.\n| where FileName endswith \".cs\" or FileName 
endswith \".cpp\"\n| summarize by FileEditParentProcess=InitiatingProcessParentFileName, FileEditAccount = InitiatingProcessAccountName, DeviceName, FileEdited=FileName, FileEditProcess=InitiatingProcessFileName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, DeviceName\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, DeviceName, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=DeviceName, timestamp=timekey\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Potential Build Process Compromise - MDE", + "enabled": false, + "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process. This query uses Microsoft Defender for Endpoint telemetry.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463", + "alertRuleTemplateName": "1bf6e165-5e32-420e-ab4f-0da8558a8be2" + } + } + ] +} \ No newline at end of file From 73dc819901878467029c933b080529b73ab7a38d Mon Sep 17 00:00:00 2001 
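Review bot: The join `on timekey, DeviceName` with `timekey = bin(TimeGenerated, time_window)` only pairs a build start and a file edit that fall in the same 5-minute bucket, so an edit at 12:05:01 following a build at 12:04:59 is never correlated, and `| where BuildProcessTime <= FileEditTime` is the only real proximity check; the comment on `time_window` promises "how close together" semantics that bucketing does not deliver. The same construction is used in `Potential Build Process Compromise` (PATCH 243). A window-relative check would be `on DeviceName` followed by `| where FileEditTime between (BuildProcessTime .. (BuildProcessTime + time_window))`, at the cost of a larger join before the filter. Note too that the build processes themselves (MSBuild/dotnet emitting generated `.cs` files) are not in `allow_list`, so benign generated sources will match until the list is populated — worth a comment next to `let allow_list = dynamic([]);`.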
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:08 +0000 Subject: [PATCH 243/375] Exported file: Potential Build Process Compromise.json.json --- .../Potential Build Process Compromise.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Build Process Compromise.json diff --git a/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json new file mode 100644 index 00000000..5e33be49 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Build Process Compromise.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9199567e-9c5d-4078-8f0f-40e9d4d5836c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// How far back to look for events from\nlet timeframe = 1d;\n// How close together build events and file modifications should occur to alert (make this smaller to reduce FPs)\nlet time_window = 5m;\n// Edit this to include build processes used\nlet build_processes = dynamic([\"MSBuild.exe\", \"dotnet.exe\", \"VBCSCompiler.exe\"]);\n// Include any processes that you want to allow to edit files during/around the build process\nlet allow_list = dynamic([\"\"]);\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for build process starts\n| where EventID == 4688\n| where Process has_any (build_processes)\n| summarize by BuildParentProcess=ParentProcessName, BuildProcess=Process, BuildAccount = Account, Computer, BuildCommand=CommandLine, timekey= bin(TimeGenerated, time_window), BuildProcessTime=TimeGenerated\n| join kind=inner(\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n// Look for file modifications to code file\n| where EventID == 4663\n| where Process !in (allow_list)\n// Look for code files, edit this to include file extensions used in build.\n| where ObjectName endswith \".cs\" or ObjectName endswith \".cpp\"\n// 
0x6 and 0x4 for file append, 0x100 for file replacements\n| where AccessMask == \"0x6\" or AccessMask == \"0x4\" or AccessMask == \"0X100\"\n| summarize by FileEditParentProcess=ParentProcessName, FileEditAccount = Account, Computer, FileEdited=ObjectName, FileEditProcess=ProcessName, timekey= bin(TimeGenerated, time_window), FileEditTime=TimeGenerated)\n// join where build processes and file modifications seen at same time on same host\non timekey, Computer\n// Limit to only where the file edit happens after the build process starts\n| where BuildProcessTime <= FileEditTime\n| summarize make_set(FileEdited), make_set(FileEditProcess), make_set(FileEditAccount) by timekey, Computer, BuildParentProcess, BuildProcess\n| extend HostCustomEntity=Computer, timestamp=timekey\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "Potential Build Process Compromise", + "enabled": false, + "description": "The query looks for source code files being modified immediately after a build process is started. The purpose of this is to look for malicious code injection during the build process.\nMore details: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-the-software-supply-chain-with-azure-sentinel/ba-p/2176463", + "alertRuleTemplateName": "5ef06767-b37c-4818-b035-47de950d0046" + } + } + ] +} \ No newline at end of file From d88b0d96de87e408ce90539e82b2bf2be81f7720 Mon Sep 17 00:00:00 2001 
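Review bot: `AccessMask == "0X100"` uses an upper-case `X` while the other two comparisons use `0x6` and `0x4`; KQL `==` is case-sensitive, so if the `AccessMask` column carries the `0x100` form the comment above it uses, file-replacement events are never matched and only the append masks fire. A case-insensitive set test fixes it in one line: `| where AccessMask in~ ("0x6", "0x4", "0x100")`. Event 4663 is only emitted when object-access auditing with a SACL covers the source directories, which the description does not mention; a line such as `Requires 'Audit File System' and a SACL on the source tree` would help deployers. `allow_list` is `dynamic([""])` here but `dynamic([])` in the MDE variant (PATCH 242); either works with `!in`, but the two should agree.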
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:08 +0000 Subject: [PATCH 244/375] Exported file: Potential DGA detected (ASimDNS).json.json --- .../Potential DGA detected (ASimDNS).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json new file mode 100644 index 00000000..c02a471f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DGA detected (ASimDNS).json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4059cc8c-74ef-43f9-abed-bb067aa015ae')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4059cc8c-74ef-43f9-abed-bb067aa015ae')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P10D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let referencestarttime = 10d;\nlet referenceendtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = (stime:datetime, etime:datetime) \n {imDns(responsecodename='NXDOMAIN', starttime=stime, endtime=etime)\n | where DnsQueryTypeName in (\"A\", \"AAAA\")\n | where ipv4_is_match(\"127.0.0.1\", SrcIpAddr) == False\n | where DnsQuery !contains \"/\" and DnsQuery contains \".\"};\nnxDomainDnsEvents (stime=ago(referenceendtime) ,etime=now())\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold\n // Filter out previously seen IPs\n | join kind=leftanti (nxDomainDnsEvents (stime=ago(referencestarttime), etime=ago(referenceendtime))\n | extend sld = tostring(split(DnsQuery, \".\")[-2])\n | summarize dcount(sld) by SrcIpAddr\n | where dcount_sld > threshold ) on SrcIpAddr\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents (stime=ago(referencestarttime), etime=now()) | summarize by DnsQuery, SrcIpAddr) on SrcIpAddr\n| summarize 
StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(DnsQuery, 100) by SrcIpAddr, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Potential DGA detected (ASimDNS)", + "enabled": false, + "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelDns)'", + "alertRuleTemplateName": "983a6922-894d-413c-9f04-d7add0ecc307" + } + } + ] +} \ No newline at end of file From 8928407d6364124371d2becf1f962e7645aeb064 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:09 +0000 Subject: [PATCH 245/375] Exported file: Potential DGA detected.json.json --- .../Potential DGA detected.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DGA detected.json 
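Review bot: The description string ends with a stray `'` after the parser link (`...[ASIM normalization parsers](https://aka.ms/AzSentinelDns)'`), which shows up verbatim in the rule text; drop it so the value ends `...(https://aka.ms/AzSentinelDns)"`. Separately, `sld = tostring(split(DnsQuery, ".")[-2])` takes the label immediately left of the last one, so under multi-label public suffixes such as `co.uk` every query collapses to the same `sld` and `dcount(sld)` undercounts a DGA client there; the same extraction is used in the sibling "Potential DGA detected" rule, and a short comment on that limitation would help tuning. Also, `techniques` is `null` here and in every other rule on this page although each sets a tactic; filling it in (for the two DGA rules `"techniques": ["T1568.002"]`) makes the incidents filterable by technique without changing detection behaviour.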
diff --git a/SentinelExported-AnalyticsRule/Potential DGA detected.json b/SentinelExported-AnalyticsRule/Potential DGA detected.json new file mode 100644 index 00000000..9a4f96e5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DGA detected.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/511e0713-a13f-4f83-8021-b8a22bb9bcc4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P10D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 10d;\nlet endtime = 1d;\nlet threshold = 100;\nlet nxDomainDnsEvents = DnsEvents \n| where ResultCode == 3 \n| where QueryType in (\"A\", \"AAAA\")\n| where ipv4_is_match(\"127.0.0.1\", ClientIP) == False\n| where Name !contains \"/\"\n| where Name contains \".\";\nnxDomainDnsEvents\n| where TimeGenerated > ago(endtime)\n| extend sld = tostring(split(Name, \".\")[-2])\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(sld) by ClientIP\n| where dcount_sld > threshold\n// Filter out previously seen IPs\n| join kind=leftanti (nxDomainDnsEvents\n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | extend sld = tostring(split(Name, \".\")[-2])\n | summarize dcount(sld) by ClientIP\n | where dcount_sld > threshold ) on ClientIP\n// Pull out sample NXDomain responses for those remaining potentially infected IPs\n| join kind = inner (nxDomainDnsEvents | summarize by Name, ClientIP) on ClientIP\n| summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), sampleNXDomainList=make_list(Name, 100) by ClientIP, dcount_sld\n| extend timestamp = StartTimeUtc, IPCustomEntity = 
ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Potential DGA detected", + "enabled": false, + "description": "Identifies clients with a high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains\nwhere most C2s are not live). Alert is generated when a new IP address is seen (based on not being seen associated with \nNXDomain records in prior 10-day baseline period).", + "alertRuleTemplateName": "a0907abe-6925-4d90-af2b-c7e89dc201a6" + } + } + ] +} \ No newline at end of file From 601f287cc7d03fe63e16160df1b0a4ce9cb87c38 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:10 +0000 Subject: [PATCH 246/375] Exported file: Potential DHCP Starvation Attack.json.json --- .../Potential DHCP Starvation Attack.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json diff --git a/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json new file mode 100644 index 00000000..f7eac851 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential DHCP Starvation Attack.json 
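Review bot: The description does not state what the rule depends on, whereas the ASIM sibling explicitly points at the parsers; this query reads the `DnsEvents` table directly (`ResultCode == 3`, `QueryType`, `ClientIP`, `Name`), so a sentence such as "Requires the DnsEvents table; the 100-distinct-domain `threshold` and the 10-day baseline / 1-day detection windows are tunable" would help whoever enables it. The `query` value also opens with a leading `\n`, unlike the ASIM variant, which is harmless but inconsistent across the pair.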
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/94d72012-0846-4f42-9d26-51f9cdb2fa6e')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet threshold = 1000;\nInfobloxNIOS\n| where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n| summarize count() by ServerIP, bin(TimeGenerated,5m)\n| where count_ > threshold\n| join kind=inner (InfobloxNIOS\n | where ProcessName =~ \"dhcpd\" and Log_Type =~ \"DHCPREQUEST\"\n ) on ServerIP\n| extend timestamp = TimeGenerated, IPCustomEntity = ServerIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential DHCP Starvation Attack",
+ "enabled": false,
+ "description": "This creates an incident in the event that an excessive amount of DHCPREQUEST have been recieved by a DHCP Server and could potentially be an indication of a DHCP Starvation Attack.",
+ "alertRuleTemplateName": "57e56fc9-417a-4f41-a579-5475aea7b8ce"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 17ceef3224c75b0e46fd765a83333c265a17f319 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:18:11 +0000
Subject: [PATCH 247/375] Exported file: Potential Kerberoasting.json.json
---
 .../Potential Kerberoasting.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Potential Kerberoasting.json
diff --git a/SentinelExported-AnalyticsRule/Potential Kerberoasting.json b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
new file mode 100644
index 00000000..93218cde
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Kerberoasting.json
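Review bot: The `join kind=inner (InfobloxNIOS | where ProcessName =~ "dhcpd" and Log_Type =~ "DHCPREQUEST") on ServerIP` is keyed on the server alone, so once any 5-minute bin exceeds `threshold` the rule emits one row per raw DHCPREQUEST for that server across the whole `PT1H` period rather than for the bin that fired, and `timestamp = TimeGenerated` then carries the left side's bin start instead of an event time. Keying the join on the bin as well — add `| extend TimeGenerated = bin(TimeGenerated, 5m)` inside the right side and change the key to `) on ServerIP, TimeGenerated` — confines the fan-out to the triggering window, and if per-request detail is not needed the join can be dropped and the summarized row emitted directly. In the description, `recieved` should be `received`.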
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/697575c4-83f0-4d98-9594-b6f254db566a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/697575c4-83f0-4d98-9594-b6f254db566a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 1d;\nlet endtime = 1h;\nlet prev23hThreshold = 4;\nlet prev1hThreshold = 15;\nlet Kerbevent =\nSecurityEvent\n| where TimeGenerated >= ago(starttime)\n| where EventID == 4769\n| parse EventData with * 'TicketEncryptionType\">' TicketEncryptionType \"<\" *\n| where TicketEncryptionType == '0x17'\n| parse EventData with * 'TicketOptions\">' TicketOptions \"<\" *\n| where TicketOptions == '0x40810000'\n| parse EventData with * 'Status\">' Status \"<\" *\n| where Status == '0x0'\n| parse EventData with * 'ServiceName\">' ServiceName \"<\" *\n| where ServiceName !contains \"$\" and ServiceName !contains \"krbtgt\" \n| parse EventData with * 'TargetUserName\">' TargetUserName \"<\" *\n| where TargetUserName !contains \"$@\" and TargetUserName !contains ServiceName\n| parse EventData with * 'IpAddress\">::ffff:' ClientIPAddress \"<\" *;\nlet Kerbevent23h = Kerbevent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime)\n| summarize ServiceNameCountPrev23h = dcount(ServiceName), ServiceNameSet23h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, 
TicketEncryptionType, Status\n| where ServiceNameCountPrev23h < prev23hThreshold;\nlet Kerbevent1h = \nKerbevent\n| where TimeGenerated >= ago(endtime)\n| summarize min(TimeGenerated), max(TimeGenerated), ServiceNameCountPrev1h = dcount(ServiceName), ServiceNameSet1h = makeset(ServiceName) \nby Computer, TargetUserName,TargetDomainName, ClientIPAddress, TicketOptions, TicketEncryptionType, Status;\nKerbevent1h \n| join kind=leftanti\n(\nKerbevent23h\n) on TargetUserName, TargetDomainName\n// Threshold value set above is based on testing, this value may need to be changed for your environment.\n| where ServiceNameCountPrev1h > prev1hThreshold\n| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, TargetUserName, Computer, ClientIPAddress, TicketOptions, \nTicketEncryptionType, Status, ServiceNameCountPrev1h, ServiceNameSet1h, TargetDomainName\n| extend timestamp = StartTimeUtc, AccountCustomEntity = strcat(TargetDomainName,\"\\\\\", TargetUserName), HostCustomEntity = Computer, IPCustomEntity = ClientIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Potential Kerberoasting", + "enabled": false, + "description": "A service principal name 
(SPN) is used to uniquely identify a service instance in a Windows environment. \nEach SPN is usually associated with a service account. Organizations may have used service accounts with weak passwords in their environment. \nAn attacker can try requesting Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC) which contains \na hash of the Service account. This can then be used for offline cracking. This hunting query looks for accounts that are generating excessive \nrequests to different resources within the last hour compared with the previous 24 hours. Normal users would not make an unusually large number \nof request within a small time window. This is based on 4769 events which can be very noisy so environment based tweaking might be needed.", + "alertRuleTemplateName": "1572e66b-20a7-4012-9ec4-77ec4b101bc8" + } + } + ] +} \ No newline at end of file From 797a577375992d414b9bcc0069df3faf78601e8b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:11 +0000 Subject: [PATCH 248/375] Exported file: Potential Password Spray Attack (Uses Authentication Normalization).json.json --- ...k (Uses Authentication Normalization).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json new file mode 100644 index 00000000..3fc7a639 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack (Uses Authentication Normalization).json 
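Review bot: As far as I can read it, `join kind=leftanti (Kerbevent23h)` inverts the comparison the description promises: `Kerbevent23h` keeps only accounts whose prior-23h distinct-service count is below `prev23hThreshold` (`| where ServiceNameCountPrev23h < prev23hThreshold;`), and leftanti then drops exactly those, so an account with a quiet baseline that suddenly hits 16 services in the last hour is excluded while an account that already touched many services earlier (or was never seen) survives. If the intent is "quiet baseline, noisy last hour", flipping that filter to `| where ServiceNameCountPrev23h >= prev23hThreshold;` while keeping the leftanti join retains both low-baseline and previously-unseen accounts; either way the choice deserves a comment next to the join. `parse EventData with * 'IpAddress">::ffff:' ClientIPAddress "<" *` only populates the address for IPv4-mapped values, so events whose `IpAddress` is in another form end up with an empty `ClientIPAddress`, an empty IP entity, and are grouped together by the summarize. Finally, `makeset` is the legacy spelling; the other rules in this series use `make_set`.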
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8adb0ef2-02b3-4efd-81b3-20f79556d862')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n , Users = make_set(TargetUserId,100) \n by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack (Uses Authentication Normalization)",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)",
+ "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 540feccdd29ec84c6f866a86e2b423143b66ac84 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:18:12 +0000
Subject: [PATCH 249/375] Exported file: Potential Password Spray Attack.json.json
---
 .../Potential Password Spray Attack.json | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
diff --git a/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
new file mode 100644
index 00000000..ac884a34
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Potential Password Spray Attack.json
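Review bot: `Products=make_set(EventVendor)` in the summarize aggregates the vendor column a second time, so `Products` is always identical to `Vendors`; the intended field is presumably the ASIM `EventProduct` column, i.e. `Products=make_set(EventProduct)`. The description also runs two sentences together across the `\n` (`...password spray attack\n To use this analytics rule...`); a full stop after `attack` would read better.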
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9798584d-ebeb-4a0d-89f1-df23ee5a9edf')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Potential Password Spray Attack",
+ "enabled": false,
+ "description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack",
+ "alertRuleTemplateName": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 7556cfe0163fbbb210f4ec4382e5f6d8873e98d0 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:18:13 +0000
Subject: [PATCH 250/375] Exported file: Powershell Empire cmdlets seen in command line.json.json
---
 ...l Empire cmdlets seen in command line.json | 69 +++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
diff --git a/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
new file mode 100644
index 00000000..1a6df223
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Powershell Empire cmdlets seen in command line.json
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7d070056-c31e-46a3-8ab6-299510132e4f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7d070056-c31e-46a3-8ab6-299510132e4f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet regexEmpire = @\"SetDelay|GetDelay|Set-LostLimit|Get-LostLimit|Set-Killdate|Get-Killdate|Set-WorkingHours|Get-WorkingHours|Get-Sysinfo|Add-Servers|Invoke-ShellCommand|Start-AgentJob|Update-Profile|Get-FilePart|Encrypt-Bytes|Decrypt-Bytes|Encode-Packet|Decode-Packet|Send-Message|Process-Packet|Process-Tasking|Get-Task|Start-Negotiate|Invoke-DllInjection|Invoke-ReflectivePEInjection|Invoke-Shellcode|Invoke-ShellcodeMSIL|Get-ChromeDump|Get-ClipboardContents|Get-IndexedItem|Get-Keystrokes|Invoke-Inveigh|Invoke-NetRipper|local:Invoke-PatchDll|Invoke-NinjaCopy|Get-Win32Types|Get-Win32Constants|Get-Win32Functions|Sub-SignedIntAsUnsigned|Add-SignedIntAsUnsigned|Compare-Val1GreaterThanVal2AsUInt|Convert-UIntToInt|Test-MemoryRangeValid|Write-BytesToMemory|Get-DelegateType|Get-ProcAddress|Enable-SeDebugPrivilege|Invoke-CreateRemoteThread|Get-ImageNtHeaders|Get-PEBasicInfo|Get-PEDetailedInfo|Import-DllInRemoteProcess|Get-RemoteProcAddress|Copy-Sections|Update-MemoryAddresses|Import-DllImports|Get-VirtualProtectValue|Update-MemoryProtectionFlags|Update-ExeFunctions|Copy-ArrayOfMemAddresses|Get-MemoryProcAddress|Invoke-MemoryLoadLibrary|Invoke-MemoryF
reeLibrary|Out-Minidump|Get-VaultCredential|Invoke-DCSync|Translate-Name|Get-NetDomain|Get-NetForest|Get-NetForestDomain|Get-DomainSearcher|Get-NetComputer|Get-NetGroupMember|Get-NetUser|Invoke-Mimikatz|Invoke-PowerDump|Invoke-TokenManipulation|Exploit-JMXConsole|Exploit-JBoss|Invoke-Thunderstruck|Invoke-VoiceTroll|Set-WallPaper|Invoke-PsExec|Invoke-SSHCommand|Invoke-PSInject|Invoke-RunAs|Invoke-SendMail|Invoke-Rule|Get-OSVersion|Select-EmailItem|View-Email|Get-OutlookFolder|Get-EmailItems|Invoke-MailSearch|Get-SubFolders|Get-GlobalAddressList|Invoke-SearchGAL|Get-SMTPAddress|Disable-SecuritySettings|Reset-SecuritySettings|Get-OutlookInstance|New-HoneyHash|Set-MacAttribute|Invoke-PatchDll|Get-SecurityPackages|Install-SSP|Invoke-BackdoorLNK|New-ElevatedPersistenceOption|New-UserPersistenceOption|Add-Persistence|Invoke-CallbackIEX|Add-PSFirewallRules|Invoke-EventLoop|Invoke-PortBind|Invoke-DNSLoop|Invoke-PacketKnock|Invoke-CallbackLoop|Invoke-BypassUAC|Get-DecryptedCpassword|Get-GPPInnerFields|Invoke-WScriptBypassUAC|Get-ModifiableFile|Get-ServiceUnquoted|Get-ServiceFilePermission|Get-ServicePermission|Invoke-ServiceUserAdd|Invoke-ServiceCMD|Write-UserAddServiceBinary|Write-CMDServiceBinary|Write-ServiceEXE|Write-ServiceEXECMD|Restore-ServiceEXE|Invoke-ServiceStart|Invoke-ServiceStop|Invoke-ServiceEnable|Invoke-ServiceDisable|Get-ServiceDetail|Find-DLLHijack|Find-PathHijack|Write-HijackDll|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-VulnAutoRun|Get-VulnSchTask|Get-UnattendedInstallFile|Get-Webconfig|Get-ApplicationHost|Write-UserAddMSI|Invoke-AllChecks|Invoke-ThreadedFunction|Test-Login|Get-UserAgent|Test-Password|Get-ComputerDetails|Find-4648Logons|Find-4624Logons|Find-AppLockerLogs|Find-PSScriptsInPSAppLog|Find-RDPClientConnections|Get-SystemDNSServer|Invoke-Paranoia|Invoke-WinEnum{|Get-SPN|Invoke-ARPScan|Invoke-Portscan|Invoke-ReverseDNSLookup|Invoke-SMBScanner|New-InMemoryModule|Add-Win32Type|Export-PowerViewCSV|Get-MacAttribute|Copy-ClonedFile|Get-IPAddress
|Convert-NameToSid|Convert-SidToName|Convert-NT4toCanonical|Get-Proxy|Get-PathAcl|Get-NameField|Convert-LDAPProperty|Get-NetDomainController|Add-NetUser|Add-NetGroupUser|Get-UserProperty|Find-UserField|Get-UserEvent|Get-ObjectAcl|Add-ObjectAcl|Invoke-ACLScanner|Get-GUIDMap|Get-ADObject|Set-ADObject|Get-ComputerProperty|Find-ComputerField|Get-NetOU|Get-NetSite|Get-NetSubnet|Get-DomainSID|Get-NetGroup|Get-NetFileServer|SplitPath|Get-DFSshare|Get-DFSshareV1|Get-DFSshareV2|Get-GptTmpl|Get-GroupsXML|Get-NetGPO|Get-NetGPOGroup|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetForestTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Find-GPOLocation|Find-GPOComputerAdmin|Get-DomainPolicy|Get-NetLocalGroup|Get-NetShare|Get-NetLoggedon|Get-NetSession|Get-NetRDPSession|Invoke-CheckLocalAdminAccess|Get-LastLoggedOn|Get-NetProcess|Find-InterestingFile|Invoke-CheckWrite|Invoke-UserHunter|Invoke-StealthUserHunter|Invoke-ProcessHunter|Invoke-EventHunter|Invoke-ShareFinder|Invoke-FileFinder|Find-LocalAdminAccess|Get-ExploitableSystem|Invoke-EnumerateLocalAdmin|Get-NetDomainTrust|Get-NetFo
restTrust|Find-ForeignUser|Find-ForeignGroup|Invoke-MapDomainTrust|Get-Hex|Create-RemoteThread|Get-FoxDump|Decrypt-CipherText|Get-Screenshot|Start-HTTP-Server|Local:Invoke-CreateRemoteThread|Local:Get-Win32Functions|Local:Inject-NetRipper|GetCommandLine|ElevatePrivs|Get-RegKeyClass|Get-BootKey|Get-HBootKey|Get-UserName|Get-UserHashes|DecryptHashes|DecryptSingleHash|Get-UserKeys|DumpHashes|Enable-SeAssignPrimaryTokenPrivilege|Enable-Privilege|Set-DesktopACLs|Set-DesktopACLToAllowEveryone|Get-PrimaryToken|Get-ThreadToken|Get-TokenInformation|Get-UniqueTokens|Invoke-ImpersonateUser|Create-ProcessWithToken|Free-AllTokens|Enum-AllTokens|Invoke-RevertToSelf|Set-Speaker(\\$Volume){\\$wshShell|Local:Get-RandomString|Local:Invoke-PsExecCmd|Get-GPPPassword|Local:Inject-BypassStuff|Local:Invoke-CopyFile\\(\\$sSource,|ind-Fruit|New-IPv4Range|New-IPv4RangeFromCIDR|Parse-Hosts|Parse-ILHosts|Exclude-Hosts|Get-TopPort|Parse-Ports|Parse-IpPorts|Remove-Ports|Write-PortscanOut|Convert-SwitchtoBool|Get-ForeignUser|Get-ForeignGroup\";\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents};\nlet decodedPS = ProcessCreationEvents\n| where CommandLine contains \" -encodedCommand\"\n| parse kind=regex flags=i CommandLine with * \"-EncodedCommand \" encodedCommand\n| project StartTimeUtc = TimeGenerated, encodedCommand = tostring(split(encodedCommand, ' ')[0]), CommandLine\n// Note: currently the base64_decode_tostring function is limited to supporting UTF8\n| extend decodedCommand = translate('\\0','', base64_decode_tostring(substring(encodedCommand, 0, strlen(encodedCommand) - (strlen(encodedCommand) %8)))), encodedCommand, CommandLine , strlen(encodedCommand);\n(decodedPS\n| union \n(ProcessCreationEvents\n| where FileName in~ 
(\"powershell.exe\",\"powershell_ise.exe\")\n| where CommandLine !contains \"-encodedcommand\")\n| extend StartTimeUtc = TimeGenerated\n)\n| where CommandLine matches regex regexEmpire\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "Powershell Empire cmdlets seen in command line", + "enabled": false, + "description": "Identifies instances of PowerShell Empire cmdlets in powershell process command line data.", + "alertRuleTemplateName": "ef88eb96-861c-43a0-ab16-f3835a97c928" + } + } + ] +} \ No newline at end of file From fd9763c1db0432502d0e585328176bb9ef182946 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:14 +0000 Subject: [PATCH 251/375] Exported file: Privileged Accounts - Sign in Failure Spikes.json.json --- ...ged Accounts - Sign in Failure Spikes.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json 
diff --git a/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json new file mode 100644 index 00000000..da1e5f2c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Privileged Accounts - Sign in Failure Spikes.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bd7f6a68-30e8-4c54-8d94-0cf7fd9a8b5b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\nIdentityInfo\n| where AssignedRoles contains \"Admin\"\n| mv-expand AssignedRoles\n| extend Roles = tostring(AssignedRoles), AccountUPN = tolower(AccountUPN)\n| where Roles contains \"Admin\"\n| distinct Roles, AccountUPN\n| join kind=inner (\n // Failed Signins attempts with reasoning related to MFA.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultType != 0\n | extend UserPrincipalName = tolower(UserPrincipalName)\n) on $left.AccountUPN == $right.UserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, Roles, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by 
UserPrincipalName, Roles\n| project TimeGenerated, Roles, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project Roles, UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Privileged Accounts - Sign in Failure Spikes", + "enabled": false, + "description": " Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "alertRuleTemplateName": "34c5aff9-a8c2-4601-9654-c7e46342d03b" + } + } + ] +} \ No newline at end of file From 8032ef73b672b7b860f92174426a366d900eb4b8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:14 +0000 Subject: [PATCH 252/375] Exported file: Privileged Role Assigned Outside PIM.json.json --- .../Privileged Role Assigned Outside PIM.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json diff --git a/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json new file mode 100644 index 00000000..c112b51e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Privileged Role Assigned Outside PIM.json 
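Review bot: `queryPeriod` is `P1D` while the query builds its anomaly baseline over `let starttime = 14d;` and `make-series ... from startofday(ago(starttime))`, so each scheduled run only receives one day of sign-in data and the 14-day series is mostly empty; the `baseline > baselinethreshold` filter then discards nearly every point and the spike detection degrades to noise. Set `"queryPeriod": "P14D"`, as the process-frequency anomaly rule in this same series does for its 14-day window. The series step is `timeframe = 1d` (the column is nonetheless named `HourlyCount`), yet the join filters `bin(TimeGenerated, 1h)` against those day-aligned `AnomalyHours`, which appears to match only sign-ins falling in the first hour of an anomalous day — worth confirming against the upstream template. The `// Failed Signins attempts with reasoning related to MFA.` comment does not describe the filter below it, which is `ResultType != 0`, i.e. every failure.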
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c746716-20a6-46bd-98fd-d5c9d0aa1553')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName =~ 'Add member to role (permanent)'\n| extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Privileged Role Assigned Outside PIM", + "enabled": false, + "description": "Identifies a privileged role being assigned to a user outside of PIM\nRef : 
https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1", + "alertRuleTemplateName": "269435e3-1db8-4423-9dfc-9bf59997da1c" + } + } + ] +} \ No newline at end of file From 641c787e2285572916fe56a781c6d2e11533f8c1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:15 +0000 Subject: [PATCH 253/375] Exported file: Probable AdFind Recon Tool Usage (Normalized Process Events).json.json --- ...ool Usage (Normalized Process Events).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json new file mode 100644 index 00000000..e9ccfb0c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage (Normalized Process Events).json 
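Review bot: The query surfaces only the target of the role assignment (`TargetResources[0].userPrincipalName`); the actor who performed it is never projected, and `InitiatedBy.user.ipAddress` is empty whenever the assignment was made by an application or service principal (`InitiatedBy.app`), so the first pivot an analyst needs for a privilege-escalation alert is missing. Add `Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))` and map it as a second Account entity. Nothing in the filter excludes assignments performed through PIM itself, so the "Outside PIM" name relies on PIM-driven assignments being logged under a different `ActivityDisplayName` — confirm that holds for this tenant. With `queryFrequency` and `queryPeriod` both `P1D`, a permanent privileged-role assignment can go unreported for up to a day; `PT1H` is a reasonable interval for RoleManagement audit volume.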
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2f33cb73-78b6-4886-8434-f319deea8d62')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2f33cb73-78b6-4886-8434-f319deea8d62')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nimProcessCreate\n//looks for execution from a shell\n| where ActingProcessName has_any (parentProcesses)\n| extend ActingProcessFileName = tostring(split(ActingProcessName, '\\\\')[-1])\n| where ActingProcessFileName in~ (parentProcesses)\n// main filter\n| where Process hassuffix \"AdFind.exe\" or TargetProcessSHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or CommandLine has_any (args)\n| extend AccountCustomEntity = User, HostCustomEntity = Dvc, ProcessCustomEntity = ActingProcessName, CommandLineCustomEntity = CommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = TargetProcessSHA256\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Probable AdFind Recon Tool Usage (Normalized Process Events)", + "enabled": false, + "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)", + "alertRuleTemplateName": "45076281-35ae-45e0-b443-c32aa0baf965" + } + } + ] +} \ No newline at end of file From 71f4f214747b2853bc6f973c9451af5fe5721078 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:16 +0000 Subject: [PATCH 254/375] Exported file: Probable AdFind Recon Tool Usage.json.json --- .../Probable AdFind Recon Tool Usage.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json diff --git a/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json new file mode 100644 index 00000000..06834d6f --- /dev/null 
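Review bot: `ProcessCustomEntity` and `CommandLineCustomEntity` are set by the final `extend` but never appear in `entityMappings`, so the command line that actually triggered the match — often the only evidence when the `CommandLine has_any (args)` branch fires — is not attached to the incident; add a `Process` entity mapping with identifier `CommandLine` → `CommandLineCustomEntity`. The single SHA256 is a brittle indicator (any rebuild or repack changes it) and `ActingProcessFileName in~ (parentProcesses)` means AdFind spawned by anything other than cmd/powershell/pwsh (a scheduled task, a dropper, WMI) is never examined, so the `args` term list is the durable part of this rule. `"Domain Admins"` in that list will also match benign `net group "Domain Admins"` queries from a shell, so expect tuning noise on that term.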
+++ b/SentinelExported-AnalyticsRule/Probable AdFind Recon Tool Usage.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8628a3cf-01b4-40ff-b06c-1ff6d5678535')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet args = dynamic([\"objectcategory\",\"domainlist\",\"dcmodes\",\"adinfo\",\"trustdmp\",\"computers_pwdnotreqd\",\"Domain Admins\", \"objectcategory=person\", \"objectcategory=computer\", \"objectcategory=*\",\"dclist\"]);\nlet parentProcesses = dynamic([\"pwsh.exe\",\"powershell.exe\",\"cmd.exe\"]);\nDeviceProcessEvents\n//looks for execution from a shell\n| where InitiatingProcessFileName in (parentProcesses)\n// main filter\n| where FileName =~ \"AdFind.exe\" or SHA256 == \"c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3\"\n // AdFind common Flags to check for from various threat actor TTPs\n or ProcessCommandLine has_any (args)\n| extend AccountCustomEntity = AccountName, HostCustomEntity = DeviceName, ProcessCustomEntity = InitiatingProcessFileName, CommandLineCustomEntity = ProcessCommandLine, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": 
"AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Probable AdFind Recon Tool Usage", + "enabled": false, + "description": "Identifies the host and account that executed AdFind by hash and filename in addition to common and unique flags that are used by many threat actors in discovery.", + "alertRuleTemplateName": "c63ae777-d5e0-4113-8c9a-c2c9d3d09fcd" + } + } + ] +} \ No newline at end of file From 26e06d7d1d0eee66ec9a8bcbdfb49501bc856bbd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:17 +0000 Subject: [PATCH 255/375] Exported file: Process executed from binary hidden in Base64 encoded file.json.json --- ... binary hidden in Base64 encoded file.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json diff --git a/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json new file mode 100644 index 00000000..73cfa20b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Process executed from binary hidden in Base64 encoded file.json 
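Review bot: `InitiatingProcessFileName in (parentProcesses)` is a case-sensitive comparison, while the normalized sibling rule uses `in~`; any DeviceProcessEvents row whose parent is recorded as `PowerShell.exe` or `Cmd.exe` silently drops out before the AdFind filter runs. Use `| where InitiatingProcessFileName in~ (parentProcesses)` to match the other variant. As in the normalized rule, `CommandLineCustomEntity` is computed but not mapped in `entityMappings`; add a `Process` entity with `CommandLine` → `CommandLineCustomEntity` so the triggering command line reaches the incident.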
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f801914e-c351-43d7-b2a7-ba58f064fda6')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f801914e-c351-43d7-b2a7-ba58f064fda6')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet ProcessCreationEvents=() {\nlet processEvents=SecurityEvent\n| where EventID==4688\n| where isnotempty(CommandLine)\n| project TimeGenerated, Computer, Account = SubjectUserName, AccountDomain = SubjectDomainName, FileName = Process, CommandLine, ParentProcessName;\nprocessEvents;\n};\nProcessCreationEvents \n| where CommandLine contains \".decode('base64')\"\n or CommandLine contains \"base64 --decode\"\n or CommandLine contains \".decode64(\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by Computer, Account, AccountDomain, FileName, CommandLine, ParentProcessName \n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + 
"fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Process executed from binary hidden in Base64 encoded file", + "enabled": false, + "description": "Encoding malicious software is a technique used to obfuscate files from detection. \nThe first CommandLine component is looking for Python decoding base64. \nThe second CommandLine component is looking for Bash/sh command line base64 decoding.\nThe third one is looking for Ruby decoding base64.", + "alertRuleTemplateName": "d6190dde-8fd2-456a-ac5b-0a32400b0464" + } + } + ] +} \ No newline at end of file From e0144a058d8f705432bb528ae4fa59534b7dfbdf Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:18 +0000 Subject: [PATCH 256/375] Exported file: Process execution frequency anomaly.json.json --- .../Process execution frequency anomaly.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Process execution frequency anomaly.json diff --git a/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json new file mode 100644 index 00000000..c225444e --- /dev/null +++ b/SentinelExported-AnalyticsRule/Process execution frequency anomaly.json 
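Review bot: The three `contains` patterns are Python 2 (`.decode('base64')`), coreutils (`base64 --decode`) and Ruby (`.decode64(`) idioms, but the data source is Windows `SecurityEvent` 4688, where those interpreters are rarely the decoding vehicle; the common Windows equivalents — `certutil -decode`, `[Convert]::FromBase64String(` — are not matched, and Python 3 code uses `base64.b64decode(` rather than the removed `str.decode('base64')` codec, so the first pattern is effectively legacy-only. Extend the filter with `or CommandLine contains "b64decode(" or CommandLine contains "FromBase64String" or (CommandLine contains "certutil" and CommandLine contains "-decode")` (keep the parentheses — `and` binds tighter than `or`), or point the rule at a Linux process source if the Unix idioms are the intent. `base64 --decode` also misses the short `base64 -d` form.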
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3421562d-ac3e-42dc-9d90-e751868bb424')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3421562d-ac3e-42dc-9d90-e751868bb424')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet TotalEventsThreshold = 5;\nlet ExeList = dynamic([\"powershell.exe\",\"cmd.exe\",\"wmic.exe\",\"psexec.exe\",\"cacls.exe\",\"rundll.exe\"]);\nlet TimeSeriesData =\nSecurityEvent\n| where EventID == 4688 | extend Process = tolower(Process)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where Process in (ExeList)\n| project TimeGenerated, Computer, AccountType, Account, Process\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by Process;\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, 1.5, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double), score to typeof(double), baseline to typeof(long)\n| where anomalies > 0\n| project Process, TimeGenerated, Total, baseline, anomalies, score\n| where Total > TotalEventsThreshold);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated);\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\nSecurityEvent\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| where EventID == 4688 | extend Process = tolower(Process)\n| summarize CommandlineCount = count() by bin(TimeGenerated, 1h), Process, CommandLine, Computer, Account\n) on Process, TimeGenerated\n| project AnomalyHour = TimeGenerated, Computer, Account, Process, CommandLine, CommandlineCount, Total, baseline, anomalies, score\n| extend timestamp = AnomalyHour, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": null, + "displayName": "Process execution frequency anomaly", + "enabled": false, + "description": "Identifies anomalous spike in frequency of executions of sensitive processes which are often leveraged as attack vectors.\nThe query leverages KQL built-in anomaly detection algorithms to find large deviations from baseline patterns.\nSudden increases in execution frequency of sensitive processes should be further investigated for malicious activity.\nTune the values from 1.5 to 3 in series_decompose_anomalies 
for further outliers or based on custom threshold values for score.", + "alertRuleTemplateName": "2c55fe7a-b06f-4029-a5b9-c54a2320d7b8" + } + } + ] +} \ No newline at end of file From 3fa6b6644f5f2376bd3af30fdaba979e848e70b3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:18 +0000 Subject: [PATCH 257/375] Exported file: ProofpointPOD - Binary file in attachment.json.json --- ...fpointPOD - Binary file in attachment.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json new file mode 100644 index 00000000..d7979346 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Binary file in attachment.json 
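Review bot: `ExeList` contains `"rundll.exe"`, which is not a modern Windows binary; the living-off-the-land loader is `rundll32.exe`, so that entry never matches and one of the six "sensitive processes" is effectively unmonitored — change it to `"rundll32.exe"`. The series is built only up to `startofday(ago(endtime))` with `endtime = 1d`, the join's SecurityEvent side carries the same upper bound, and alerts are restricted to `TimeGenerated > ago(2d)`, so an anomaly is only reportable once it is roughly a day old. With `queryFrequency` of `PT1H` and `suppressionEnabled: false`, that same anomaly hour is re-emitted on every hourly run until it ages out of the 2d window; either extend `endtime` to cover the current day or set `queryFrequency` to match the daily granularity of the data the rule can actually see.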
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ed981a2-337b-4542-a371-3968ac93f923')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ed981a2-337b-4542-a371-3968ac93f923')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Binary file in attachment", + "enabled": false, + "description": "Detects when email recieved with binary file as attachment.", + 
"alertRuleTemplateName": "eb68b129-5f17-4f56-bf6d-dde48d5e615a" + } + } + ] +} \ No newline at end of file From 8dff66dfa9a764d62e600d743a96fe6d12aeeefa Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:19 +0000 Subject: [PATCH 258/375] Exported file: ProofpointPOD - Email sender IP in TI list.json.json --- ...pointPOD - Email sender IP in TI list.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json new file mode 100644 index 00000000..56d78c38 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender IP in TI list.json 
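Review bot: The rule title says "binary file" but the only condition is `attachedMimeType == 'application/zip'`, read from `MsgParts[0]` alone, so a zip that is not the first message part, and every executable or other archive MIME type (`application/x-msdownload`, `application/x-dosexec`, `application/octet-stream`, `application/x-rar-compressed`, `application/x-7z-compressed`), passes untouched. Expand the parts with `| mv-expand part = todynamic(MsgParts)` and test `tostring(part.detectedMime) in~ (binaryMimeTypes)` against a `dynamic([...])` list; the exact part field names should be confirmed against the ProofpointPOD parser. `SrcUserUpn` is projected but only the recipient is mapped as an entity; mapping the sender too lets incident grouping tie repeated campaigns together.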
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/35efaa1c-ca0f-4fc8-b30b-993f1502dadc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcIpAddr)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientIP = SrcIpAddr\n )\non $left.TI_ipEntity == $right.ClientIP\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| 
summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientIP\n| project ProofpointPOD_TimeGenerated, SrcUserUpn, DstUserUpn, SrcIpAddr, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP\n| extend timestamp = ProofpointPOD_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Exfiltration", + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Email sender IP in TI list", + "enabled": false, + "description": "Email sender IP in TI list.", + "alertRuleTemplateName": "78979d32-e63f-4740-b206-cfb300c735e0" + } + } + ] +} \ No newline at end of file From cbabd77ad1f6cadbd94f10a8adf08a183f9e980c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:20 +0000 Subject: [PATCH 259/375] Exported file: ProofpointPOD - Email sender in TI list.json.json --- ...oofpointPOD - Email sender in TI list.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json new file mode 100644 index 00000000..15e29453 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Email sender in TI list.json 
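Review bot: `let dt_lookBack = 1h;` bounds the ProofpointPOD side to the last hour, but the rule is scheduled with `"queryFrequency": "P1D"`, so each daily run compares one hour of mail against the indicators and the other 23 hours are never checked. Set `let dt_lookBack = 1d;` (or schedule the rule at `PT1H`) so lookback and frequency agree; `queryPeriod` of `P14D` already covers the indicator window. There is no `entityMappings` section although `SrcIpAddr`, `SrcUserUpn` and `DstUserUpn` are projected, so the incident carries no IP or Account entity for investigation or grouping — add `| extend IPCustomEntity = SrcIpAddr, AccountCustomEntity = DstUserUpn` and map them the way the attachment rule in this series maps its Account entity.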
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b8c2e2cc-a646-45f0-ba28-f4bea15dcbb3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(EmailSenderAddress)\n| extend TI_emailEntity = EmailSenderAddress\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n ProofpointPOD \n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(SrcUserUpn)\n | extend ProofpointPOD_TimeGenerated = TimeGenerated, ClientEmail = SrcUserUpn\n \n)\non $left.TI_emailEntity == $right.ClientEmail\n| where ProofpointPOD_TimeGenerated < ExpirationDateTime\n| summarize ProofpointPOD_TimeGenerated = arg_max(ProofpointPOD_TimeGenerated, *) by IndicatorId, ClientEmail\n| project ProofpointPOD_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, ClientEmail\n| extend timestamp = ProofpointPOD_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + 
"groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Exfiltration", + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Email sender in TI list", + "enabled": false, + "description": "Email sender in TI list.", + "alertRuleTemplateName": "35a0792a-1269-431e-ac93-7ae2980d4dde" + } + } + ] +} \ No newline at end of file From d0f935ff6d48d3b2c3b20f30b6a9f308c80ba328 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:21 +0000 Subject: [PATCH 260/375] Exported file: ProofpointPOD - High risk message not discarded.json.json --- ...POD - High risk message not discarded.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json new file mode 100644 index 00000000..40125ada --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - High risk message not discarded.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4416b145-266e-461b-b5bf-c346069f404e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4416b145-266e-461b-b5bf-c346069f404e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| where FilterModulesSpamScoresOverall == '100'\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - High risk message not discarded", + "enabled": false, + "description": "Detects when email with high risk score was not rejected or discarded by filters.", + "alertRuleTemplateName": 
"c7cd6073-6d2c-4284-a5c8-da27605bdfde" + } + } + ] +} \ No newline at end of file From c25003bc0f2a9c387ddf72eefdd543cd827bea2e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:22 +0000 Subject: [PATCH 261/375] Exported file: ProofpointPOD - Multiple archived attachments to the same recipient.json.json --- ...ved attachments to the same recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json new file mode 100644 index 00000000..f4c3e6c5 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple archived attachments to the same recipient.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/47a5442c-c3e1-4a44-829b-a0fce5ffdb54')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend attachedMimeType = todynamic(MsgParts)[0]['detectedMime']\n| where attachedMimeType == 'application/zip'\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple archived attachments to the same recipient", + "enabled": false, + "description": "Detects when multiple emails where sent to 
the same recipient with large archived attachments.", + "alertRuleTemplateName": "bda5a2bd-979b-4828-a91f-27c2a5048f7f" + } + } + ] +} \ No newline at end of file From 3695d681e2246728a92f261015d85dc4c023c1bd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:22 +0000 Subject: [PATCH 262/375] Exported file: ProofpointPOD - Multiple large emails to the same recipient.json.json --- ...le large emails to the same recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json new file mode 100644 index 00000000..51b6a7ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple large emails to the same recipient.json 
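Review bot: `todynamic(MsgParts)[0]['detectedMime']` inspects only the first message part, so a zip attached as the second or later part is never counted; expand the parts instead, `| mv-expand part = todynamic(MsgParts)` followed by `| where part['detectedMime'] == 'application/zip'`. The `description` says "large archived attachments" but the query has no size condition (compare `NetworkBytes > msgszthreshold` in the next hunk), so either the text or the query should change, and "where sent" should read "were sent". The same single-part indexing appears in `ProofpointPOD - Multiple protected emails to unknown recipient` and `ProofpointPOD - Suspicious attachment` later in this series.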
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7aa0650e-f8b6-4737-9894-85f684aa5d18')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7aa0650e-f8b6-4737-9894-85f684aa5d18')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet msgthreshold = 3;\nlet msgszthreshold = 3000000;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where NetworkBytes > msgszthreshold\n| summarize count() by SrcUserUpn, DstUserUpn\n| where count_ > msgthreshold\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple large emails to the same recipient", + "enabled": false, + "description": "Detects when multiple emails with lage size where sent to the same recipient.", + 
"alertRuleTemplateName": "d1aba9a3-5ab1-45ef-8ed4-da57dc3c0d32" + } + } + ] +} \ No newline at end of file From fe9a0059798eeb6b1c595ba68cfaf2dca52ff6a5 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:23 +0000 Subject: [PATCH 263/375] Exported file: ProofpointPOD - Multiple protected emails to unknown recipient.json.json --- ...protected emails to unknown recipient.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json new file mode 100644 index 00000000..46b01c27 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Multiple protected emails to unknown recipient.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fcaa294-5c2f-495c-acf4-f6a93b6589f9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 30m;\nlet lbperiod = 14d;\nlet knownrecipients = ProofpointPOD\n| where TimeGenerated > ago(lbperiod)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where SrcUserUpn != ''\n| where array_length(todynamic(DstUserUpn)) == 1\n| summarize recipients = make_set(tostring(todynamic(DstUserUpn)[0])) by SrcUserUpn\n| extend commcol = SrcUserUpn;\nProofpointPOD\n| where TimeGenerated between (ago(lbtime) .. 
now())\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| extend isProtected = todynamic(MsgParts)[0]['isProtected']\n| extend mimePgp = todynamic(MsgParts)[0]['detectedMime']\n| where isProtected == 'true' or mimePgp == 'application/pgp-encrypted'\n| extend DstUserMail = tostring(todynamic(DstUserUpn)[0])\n| extend commcol = tostring(todynamic(DstUserUpn)[0])\n| join knownrecipients on commcol\n| where recipients !contains DstUserMail\n| project SrcUserUpn, DstUserMail\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "ProofpointPOD - Multiple protected emails to unknown recipient", + "enabled": false, + "description": "Detects when multiple protected messages where sent to early not seen recipient.", + "alertRuleTemplateName": "f8127962-7739-4211-a4a9-390a7a00e91f" + } + } + ] +} \ No newline at end of file From d47d048e5cb74fc94eda17ed84b3a8d129e8a772 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:24 +0000 Subject: [PATCH 264/375] Exported file: ProofpointPOD - Possible data exfiltration to private email.json.json --- ...le data exfiltration to private email.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json 
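Review bot: The known-recipient baseline is joined on the wrong key: `knownrecipients` sets `commcol = SrcUserUpn`, but the main query sets `commcol = tostring(todynamic(DstUserUpn)[0])`, so rows only match when the current recipient is itself a sender in the baseline and `recipients !contains DstUserMail` is then evaluated against that other user's history; the main query should use `| extend commcol = SrcUserUpn`. The baseline window `ago(lbperiod)` also includes the current 30-minute detection window, so the message under test adds its own recipient to `recipients` and a first-time recipient is never "unknown" — bound it with `| where TimeGenerated between (ago(lbperiod) .. ago(lbtime))`. `queryPeriod` is `PT30M` while the query needs 14 days of history; a scheduled rule only sees data inside its lookback period, so it should be `P14D`. `!contains` on a set is substring matching, so `set_has_element(recipients, DstUserMail) == false` would be the exact test.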
diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json new file mode 100644 index 00000000..41839953 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Possible data exfiltration to private email.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55f68d39-f930-44bd-acb6-4eddd9007237')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55f68d39-f930-44bd-acb6-4eddd9007237')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'outbound'\n| where array_length(todynamic(DstUserUpn)) == 1\n| extend sender = extract(@'\\A(.*?)@', 1, SrcUserUpn)\n| extend sender_domain = extract(@'@(.*)$', 1, SrcUserUpn)\n| extend recipient = extract(@'\\A(.*?)@', 1, tostring(todynamic(DstUserUpn)[0]))\n| extend recipient_domain = extract(@'@(.*)$', 1, tostring(todynamic(DstUserUpn)[0]))\n| where sender =~ recipient\n| where sender_domain != recipient_domain\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + 
"tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Possible data exfiltration to private email", + "enabled": false, + "description": "Detects when sender sent email to the non-corporate domain and recipient's username is the same as sender's username.", + "alertRuleTemplateName": "aedc5b33-2d7c-42cb-a692-f25ef637cbb1" + } + } + ] +} \ No newline at end of file From 6ac4a28bdca6a04881ebb7a1f4bb3e139371b263 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:25 +0000 Subject: [PATCH 265/375] Exported file: ProofpointPOD - Suspicious attachment.json.json --- ...ProofpointPOD - Suspicious attachment.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json new file mode 100644 index 00000000..92580185 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Suspicious attachment.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3838a2fe-0433-432b-8f34-fd48f0930148')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3838a2fe-0433-432b-8f34-fd48f0930148')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT10M", + "queryPeriod": "PT10M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let lbtime = 10m;\nlet disallowed_ext = dynamic(['ps1', 'exe', 'vbs', 'js', 'scr']);\nProofpointPOD\n| where TimeGenerated > ago(lbtime)\n| where EventType == 'message'\n| where NetworkDirection == 'inbound'\n| where FilterDisposition !in ('reject', 'discard')\n| extend attachedExt = todynamic(MsgParts)[0]['detectedExt']\n| where attachedExt in (disallowed_ext)\n| project SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = DstUserUpn\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "ProofpointPOD - Suspicious attachment", + "enabled": false, + "description": "Detects when email contains 
suspicious attachment (file type).", + "alertRuleTemplateName": "f6a51e2c-2d6a-4f92-a090-cfb002ca611f" + } + } + ] +} \ No newline at end of file From 524d314b4db4608e64342f07a4848f7cc6b8cf22 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:25 +0000 Subject: [PATCH 266/375] Exported file: ProofpointPOD - Weak ciphers.json.json --- .../ProofpointPOD - Weak ciphers.json | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json diff --git a/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json new file mode 100644 index 00000000..bc4737a2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/ProofpointPOD - Weak ciphers.json 
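Review bot: `| where attachedExt in (disallowed_ext)` is case-sensitive, so an attachment detected as `EXE` or `Ps1` is not matched; use `in~`. As in `ProofpointPOD - Multiple archived attachments to the same recipient`, `todynamic(MsgParts)[0]['detectedExt']` inspects only the first part, so an executable attached after a text part is missed — `mv-expand` the parts before the filter. The `description` ("file type") could name the five extensions so analysts know the scope without reading the KQL.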
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fddce345-91bc-4cba-82f9-af733f7cdc69')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fddce345-91bc-4cba-82f9-af733f7cdc69')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "let lbtime = 1h;\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\nProofpointPOD\n| where EventType == 'message'\n| where TlsCipher in (tls_ciphers)\n| extend IpCustomEntity = SrcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": null, + "techniques": null, + "displayName": "ProofpointPOD - Weak ciphers", + "enabled": false, + "description": "Detects when weak TLS ciphers are used.", + "alertRuleTemplateName": "56b0a0cd-894e-4b38-a0a1-c41d9f96649a" + } + } + ] +} \ No newline at end of file From a0dfd9ad29e4c9656613054c76cc93e4cd1d5d22 Mon Sep 17 00:00:00 2001 
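Review bot: `let lbtime = 1h;` is declared but never used — there is no `| where TimeGenerated > ago(lbtime)` in the pipeline — so the time bound comes only from `queryPeriod`; either apply it or drop it. The query computes `IpCustomEntity = SrcIpAddr` but the rule has no `entityMappings`, so no IP entity is attached to the alert, and `tactics` is `null`, unlike the other ProofpointPOD rules in this series; the mapping below, placed after `incidentConfiguration`, attaches the address. `TlsCipher in (tls_ciphers)` is also case-sensitive; `in~` avoids missing a differently cased cipher name.
```json
"entityMappings": [
  {
    "entityType": "IP",
    "fieldMappings": [
      {
        "identifier": "Address",
        "columnName": "IpCustomEntity"
      }
    ]
  }
],
```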
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:26 +0000 Subject: [PATCH 267/375] Exported file: PulseConnectSecure - Large Number of Distinct Failed User Logins.json.json --- ...Number of Distinct Failed User Logins.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json new file mode 100644 index 00000000..ddd791b4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Large Number of Distinct Failed User Logins.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6fbd8942-976f-4b19-94c6-785e9f05136e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6fbd8942-976f-4b19-94c6-785e9f05136e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 100;\nPulseConnectSecure\n| where Messages startswith \"Login failed\"\n| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)\n| where dcount_User > threshold\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "PulseConnectSecure - Large Number of Distinct Failed User Logins", + "enabled": false, + "description": "This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server", + "alertRuleTemplateName": "1fa1528e-f746-4794-8a41-14827f4cb798" + 
} + } + ] +} \ No newline at end of file From c3c01b1ec0b6654baef59bedc9a5939e4ebce023 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:27 +0000 Subject: [PATCH 268/375] Exported file: PulseConnectSecure - Potential Brute Force Attempts.json.json --- ...cure - Potential Brute Force Attempts.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json diff --git a/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json new file mode 100644 index 00000000..09ccf3d3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/PulseConnectSecure - Potential Brute Force Attempts.json 
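Review bot: `| where Messages startswith "Login failed"` requires the text at the very start of the field, while the sibling `PulseConnectSecure - Potential Brute Force Attempts` rule in the next hunk matches the same event with `contains`; if the Pulse log prefixes the message (for example with an event code), this rule silently sees zero failures. Align both rules on the same predicate so the two detections agree on what a failed login is. The result also drops `Source_IP`, so an analyst gets the VPN server as a `Host` entity but no indication of where the distinct-user burst came from; consider adding `make_set(Source_IP)` to the summarize so the sources travel with the alert without changing the per-`Computer` count.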
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b59ad89c-249e-462f-ac68-c23a93202fa3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b59ad89c-249e-462f-ac68-c23a93202fa3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "PulseConnectSecure - Potential Brute Force Attempts", + "enabled": false, + "description": "This query identifies evidence of 
potential brute force attack by looking at multiple failed attempts to log into the VPN server", + "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44" + } + } + ] +} \ No newline at end of file From 1533472c414e7a0df5a7960d2d58dfea918baf84 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:28 +0000 Subject: [PATCH 269/375] Exported file: RDP Nesting.json.json --- .../RDP Nesting.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/RDP Nesting.json diff --git a/SentinelExported-AnalyticsRule/RDP Nesting.json b/SentinelExported-AnalyticsRule/RDP Nesting.json new file mode 100644 index 00000000..93ec5a16 --- /dev/null +++ b/SentinelExported-AnalyticsRule/RDP Nesting.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cda14730-b43b-4099-a785-6145306928b9')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cda14730-b43b-4099-a785-6145306928b9')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet endtime = 1d;\nlet starttime = 8d;\n// The threshold below excludes matching on RDP connection computer counts of 5 or more by a given account and IP in a given day. 
Change the threshold as needed.\nlet threshold = 5;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the first RDP connection time, computer and ip\n| extend FirstHop = TimeGenerated, FirstComputer = toupper(Computer), FirstIPAddress = IpAddress, Account = tolower(Account) \n| join kind=inner (\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n// Labeling the second RDP connection time, computer and ip\n| extend SecondHop = TimeGenerated, SecondComputer = toupper(Computer), SecondIPAddress = IpAddress, Account = tolower(Account)\n) on Account\n// Make sure that the first connection is after the second connection --> SecondHop > FirstHop\n// Then identify only RDP to another computer from within the first RDP connection by only choosing matches where the Computer names do not match --> FirstComputer != SecondComputer\n// Then make sure the IPAddresses do not match by excluding connections from the same computers with first hop RDP connections to multiple computers --> FirstIPAddress != SecondIPAddress\n| where FirstComputer != SecondComputer and FirstIPAddress != SecondIPAddress and SecondHop > FirstHop\n// where the second hop occurs within 30 minutes of the first hop\n| where SecondHop <= FirstHop+30m\n| distinct Account, FirstHop, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, SecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 7 days where the Account and IP has connected 5 or more computers.\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated >= ago(starttime) and TimeGenerated < ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize makeset(Computer), ComputerCount = dcount(Computer) by bin(TimeGenerated, 1d), Account = tolower(Account), IpAddress\n// Connection count to computer by same account and IP to exclude counts of 5 or more on a 
given day\n| where ComputerCount >= threshold\n| mvexpand set_Computer\n| extend Computer = toupper(set_Computer)\n) on Account, $left.SecondComputer == $right.Computer, $left.SecondIPAddress == $right.IpAddress\n| summarize FirstHopFirstSeen = min(FirstHop), FirstHopLastSeen = max(FirstHop) by Account, FirstComputer, FirstIPAddress, SecondHop, SecondComputer, \nSecondIPAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = FirstHopFirstSeen, AccountCustomEntity = Account, HostCustomEntity = FirstComputer, IPCustomEntity = FirstIPAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "RDP Nesting", + "enabled": false, + "description": "Identifies when an RDP connection is made to a first system and then an RDP connection is made from the first system \nto another system with the same account within the 60 minutes. Additionally, if historically daily \nRDP connections are indicated by the logged EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "69a45b05-71f5-45ca-8944-2e038747fb39" + } + } + ] +} \ No newline at end of file From 0032a8cf38b710241cb4aea75fd18dfb274fea88 Mon Sep 17 00:00:00 2001 
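Review bot: The description and the query disagree on the hop window: the description says the second RDP connection is made `within the 60 minutes`, but the query filters `| where SecondHop <= FirstHop+30m`, so either the text should read 30 minutes or the filter should be `FirstHop+60m`. The description's last sentence (`Additionally, if historically daily RDP connections are indicated by ...`) is cut off and never states what the baseline does, which from the query is to drop pairs whose account and IP already reached 5 or more computers in a single day of the previous week. The in-query comment `Make sure that the first connection is after the second connection --> SecondHop > FirstHop` has the order reversed and should say the second hop occurs after the first. `makeset` and `mvexpand` are legacy spellings; `make_set` and `mv-expand` are the current operators (the Rare application consent query in this same chunk already uses `mv-expand`).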
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:28 +0000 Subject: [PATCH 270/375] Exported file: Rare RDP Connections.json.json --- .../Rare RDP Connections.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare RDP Connections.json diff --git a/SentinelExported-AnalyticsRule/Rare RDP Connections.json b/SentinelExported-AnalyticsRule/Rare RDP Connections.json new file mode 100644 index 00000000..84ec8eb1 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare RDP Connections.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af136dbc-b98a-4c3b-9842-e076768ae2a1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af136dbc-b98a-4c3b-9842-e076768ae2a1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nSecurityEvent\n| where TimeGenerated >= ago(endtime) \n| where EventID == 4624 and LogonType == 10\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ConnectionCount = count() \nby Account = tolower(Account), Computer = toupper(Computer), IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n// use left anti to exclude anything from the previous 14 days that is not rare\n| join kind=leftanti (\nSecurityEvent\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where EventID == 4624\n| summarize by Computer = toupper(Computer), IpAddress, Account = tolower(Account)\n) on Account, Computer\n| summarize StartTime = min(StartTime), EndTime = max(EndTime), ConnectionCount = sum(ConnectionCount) \nby Account, Computer, IpAddress, AccountType, Activity, LogonTypeName, ProcessName\n| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement" + ], + "techniques": null, + "displayName": "Rare RDP Connections", + "enabled": false, + "description": "Identifies when an RDP connection is new or rare related to any logon type by a given account today based on comparison with the previous 14 days.\nRDP connections are indicated by the EventID 4624 with LogonType = 10", + "alertRuleTemplateName": "45b903c5-6f56-4969-af10-ae62ac709718" + } + } + ] +} \ No newline at end of file From 63ca0fa304858d8171abae52ae60721d215b43de Mon Sep 17 00:00:00 2001 
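Review bot: The baseline sub-query filters only `| where EventID == 4624` and drops the `LogonType == 10` condition, so an account that previously reached a host by any logon type suppresses today's first RDP to that host; this matches the description's `related to any logon type`, but the in-query comment `use left anti to exclude anything from the previous 14 days that is not rare` does not say so. Suggest `// baseline intentionally uses any logon type (no LogonType == 10 filter): an RDP to a host the account already reached by other means is not treated as rare`. Note also that the anti-join is on Account and Computer only, so a known account/host pair arriving from a never-before-seen IpAddress is excluded; that is worth stating in the description if intended.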
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:29 +0000 Subject: [PATCH 271/375] Exported file: Rare and potentially high-risk Office operations.json.json --- ...tentially high-risk Office operations.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json diff --git a/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json new file mode 100644 index 00000000..ee48f951 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare and potentially high-risk Office operations.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e557ae74-ef8a-4bab-b807-959486942ceb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e557ae74-ef8a-4bab-b807-959486942ceb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nOfficeActivity\n| where Operation in~ ( \"Add-MailboxPermission\", \"Add-MailboxFolderPermission\", \"Set-Mailbox\", \"New-ManagementRoleAssignment\")\nand not(UserId has_any ('NT AUTHORITY\\\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ( \"Add-MailboxPermission\", \"Set-Mailbox\"))\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "Collection" + ], + "techniques": null, + 
"displayName": "Rare and potentially high-risk Office operations", + "enabled": false, + "description": "Identifies Office operations that are typically rare and can provide capabilities useful to attackers.", + "alertRuleTemplateName": "957cb240-f45d-4491-9ba5-93430a3c08be" + } + } + ] +} \ No newline at end of file From 0ced5a98965c4771d7678848708493b32ef61745 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:30 +0000 Subject: [PATCH 272/375] Exported file: Rare application consent.json.json --- .../Rare application consent.json | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare application consent.json diff --git a/SentinelExported-AnalyticsRule/Rare application consent.json b/SentinelExported-AnalyticsRule/Rare application consent.json new file mode 100644 index 00000000..66f56236 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare application consent.json 
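Review bot: The exclusion `not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)','devilfish-applicationaccount') and Operation in~ ("Add-MailboxPermission", "Set-Mailbox"))` hard-codes two allow-listed identities inside the query string with no comment on why they are trusted or how the list is maintained. Since `has_any` is a term match rather than an equality test, a UserId that merely contains one of these values as a term would also be suppressed; a comment such as `// Exchange service identities that legitimately run Add-MailboxPermission/Set-Mailbox; extend via watchlist rather than editing the query` and an exact comparison would make the intent reviewable. With `"triggerThreshold": 0` the rule fires on any single matching operation in the day, so the description should make clear that, unlike the other "Rare ..." rules in this chunk, no baseline comparison is performed here.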
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3f40377b-15d8-490f-a8d7-82c385f81829')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3f40377b-15d8-490f-a8d7-82c385f81829')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P7D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "severity": "Medium", + "query": "\nlet current = 1d;\nlet auditLookback = 7d;\n// Setting threshold to 3 as a default, change as needed. \n// Any operation that has been initiated by a user or app more than 3 times in the past 7 days will be excluded\nlet threshold = 3;\n// Gather initial data from lookback period, excluding current, adjust current to more than a single day if no results\nlet AuditTrail = AuditLogs | where TimeGenerated >= ago(auditLookback) and TimeGenerated < ago(current)\n// 2 other operations that can be part of malicious activity in this situation are \n// \"Add OAuth2PermissionGrant\" and \"Add service principal\", extend the filter below to capture these too\n| where OperationName has \"Consent to application\"\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| summarize max(TimeGenerated), OperationCount = count() by OperationName, InitiatedBy, TargetResourceName\n// only including 
operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days\n| where OperationCount > threshold\n;\n// Gather current period of audit data\nlet RecentConsent = AuditLogs | where TimeGenerated >= ago(current)\n| where OperationName has \"Consent to application\"\n| extend IpAddress = case(\nisnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \nisnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \ntostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))\n| extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))\n| parse TargetResources.[0].modifiedProperties with * \"ConsentType: \" ConsentType \"]\" *\n| mv-expand AdditionalDetails\n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| project TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type;\n// Exclude previously seen audit activity for \"Consent to application\" that was seen in the lookback period\n// First for rare InitiatedBy\nlet RareConsentBy = RecentConsent | join kind= leftanti AuditTrail on OperationName, InitiatedBy \n| extend Reason = \"Previously unseen user consenting\";\n// Second for rare TargetResourceName\nlet RareConsentApp = RecentConsent | join kind= leftanti AuditTrail on OperationName, TargetResourceName\n| extend Reason = \"Previously unseen app granted consent\";\nRareConsentBy 
| union RareConsentApp\n| summarize Reason = makeset(Reason) by TimeGenerated, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, ConsentType, UserAgent, CorrelationId, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatedBy, HostCustomEntity = TargetResourceName, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "LateralMovement", + "Collection" + ], + "techniques": null, + "displayName": "Rare application consent", + "enabled": false, + "description": "This will alert when the \"Consent to application\" operation occurs by a user that has not done this operation before or rarely does this.\nThis could indicate that permissions to access the listed Azure App were provided to a malicious actor. \nConsent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. 
\nThis may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", + "alertRuleTemplateName": "83ba3057-9ea3-4759-bf6a-933f2e5bc7ee" + } + } + ] +} \ No newline at end of file From 6609abc388fe2bf175d308ba824fb4b0551e2991 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:31 +0000 Subject: [PATCH 273/375] Exported file: Rare client observed with high reverse DNS lookup count.json.json --- ...ed with high reverse DNS lookup count.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json diff --git a/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json new file mode 100644 index 00000000..d4f3d8ac --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare client observed with high reverse DNS lookup count.json 
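Review bot: `"triggerThreshold": 3` with `GreaterThan` means the rule fires only when a run returns more than three rows, yet the description says it `will alert when the "Consent to application" operation occurs by a user that has not done this operation before` — a single previously-unseen consent grant, the scenario the description describes, yields one row and never alerts. If single rare consents should alert, use `"triggerThreshold": 0` as the other rules in this chunk do; if the threshold is intentional, the description should say so, and it should not be confused with the in-query `let threshold = 3`, which instead controls how many times an initiator or app must appear in the 7-day baseline to count as already seen. The comment `only including operations by initiated by a user or app that is above the threshold so we produce only rare and has not occurred in last 7 days` is hard to follow; `// keep baseline rows seen more than threshold times, so anything seen 3 or fewer times in the lookback is still treated as rare` states the same thing plainly.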
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/176ecb24-2007-4d65-a832-af6efe88afb5')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/176ecb24-2007-4d65-a832-af6efe88afb5')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P8D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet starttime = 8d;\nlet endtime = 1d;\nlet threshold = 10;\nDnsEvents \n| where TimeGenerated > ago(endtime)\n| where Name contains \"in-addr.arpa\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), dcount(Name) by ClientIP\n| where dcount_Name > threshold\n| project StartTimeUtc, EndTimeUtc, ClientIP , dcount_Name \n| join kind=leftanti (DnsEvents \n | where TimeGenerated between(ago(starttime)..ago(endtime))\n | where Name contains \"in-addr.arpa\" \n | summarize dcount(Name) by ClientIP, bin(TimeGenerated, 1d)\n | where dcount_Name > threshold\n | project ClientIP , dcount_Name \n) on ClientIP\n| extend timestamp = StartTimeUtc, IPCustomEntity = ClientIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": 
"Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": null, + "displayName": "Rare client observed with high reverse DNS lookup count", + "enabled": false, + "description": "Identifies clients with a high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\nAlert is generated if the IP performing such reverse DNS lookups was not seen doing so in the preceding 7-day period.", + "alertRuleTemplateName": "15ae38a2-2e29-48f7-883f-863fb25a5a06" + } + } + ] +} \ No newline at end of file From 5c77582c26c11c18cffd2fe24088592ff72c7493 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:31 +0000 Subject: [PATCH 274/375] Exported file: Rare subscription-level operations in Azure.json.json --- ...ubscription-level operations in Azure.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json diff --git a/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json new file mode 100644 index 00000000..9d3c1cd9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Rare subscription-level operations in Azure.json 
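Review bot: `| where Name contains "in-addr.arpa"` matches only IPv4 reverse lookups in both the current-day leg and the baseline leg; IPv6 PTR queries live under `ip6.arpa` and are silently ignored, so a client enumerating an IPv6 range never reaches the threshold. Replacing both occurrences with `| where Name has_any ("in-addr.arpa", "ip6.arpa")` keeps the same logic and avoids the substring scan that `contains` performs. The in-query `let threshold = 10` is the only tunable and is not reflected in the description; adding `more than 10 distinct reverse lookups in a day` next to the 7-day statement would document what "high" means.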
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9578ea47-ee34-4289-9aa2-05630ecf2f1b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet SensitiveOperationList = dynamic([\"microsoft.compute/snapshots/write\", \"microsoft.network/networksecuritygroups/write\", \"microsoft.storage/storageaccounts/listkeys/action\"]);\nlet SensitiveActivity = AzureActivity\n| where OperationNameValue in~ (SensitiveOperationList) or OperationNameValue hassuffix \"listkeys/action\"\n| where ActivityStatusValue =~ \"Succeeded\";\nSensitiveActivity\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| summarize count() by CallerIpAddress, Caller, OperationNameValue\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \nSensitiveActivity\n| where TimeGenerated >= ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CorrelationIds = makelist(CorrelationId), Resources = makelist(Resource), ResourceGroups = makelist(ResourceGroup), ResourceIds = makelist(ResourceId), ActivityCountByCallerIPAddress = count() \nby CallerIpAddress, Caller, OperationNameValue\n) on CallerIpAddress, Caller, OperationNameValue\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Rare subscription-level operations in Azure", + "enabled": false, + "description": "This query looks for a few sensitive subscription-level events based on Azure Activity Logs. 
\n For example this monitors for the operation name 'Create or Update Snapshot' which is used for creating backups but could be misused by attackers \n to dump hashes or extract sensitive information from the disk.", + "alertRuleTemplateName": "23de46ea-c425-4a77-b456-511ae4855d69" + } + } + ] +} \ No newline at end of file From d430c03bcd41d14d30d849df33b7977554816090 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:32 +0000 Subject: [PATCH 275/375] Exported file: Request for single resource on domain.json.json --- ...Request for single resource on domain.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Request for single resource on domain.json diff --git a/SentinelExported-AnalyticsRule/Request for single resource on domain.json b/SentinelExported-AnalyticsRule/Request for single resource on domain.json new file mode 100644 index 00000000..edbd74c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Request for single resource on domain.json 
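Review bot: The comment `// The number of operations below which an IP address is considered an unusual source of role assignment operations` describes a different rule: `SensitiveOperationList` holds snapshot write, NSG write and storage listkeys operations, not role assignments, and the value is used as a floor (`count_ >= alertOperationThreshold`) selecting caller/IP/operation triples to exclude, not a ceiling. Suggest `// Caller, IP and operation combinations seen at least this many times in the 13-day baseline are treated as known and excluded from alerting`. `makelist` is the legacy spelling of `make_list` and is used throughout the `rightanti` side of the join.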
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/63037f09-9e99-49da-909e-f384f84b9738')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/63037f09-9e99-49da-909e-f384f84b9738')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet scriptExtensions = dynamic([\".php\", \".aspx\", \".asp\", \".cfml\"]);\n//The number of URI's seen to be suspicious, higher = less likely to be suspicious\nlet uriThreshold = 1;\nCommonSecurityLog\n// Only look at connections that were allowed through the web proxy\n| where DeviceVendor =~ \"Zscaler\" and DeviceAction =~ \"Allowed\"\n// Only look where some data was exchanged.\n| where SentBytes > 0 and ReceivedBytes > 0\n// Extract the Domain\n| extend Domain = iff(countof(DestinationHostName,'.') >= 2, strcat(split(DestinationHostName,'.')[-2], '.',split(DestinationHostName,'.')[-1]), DestinationHostName)\n| extend GetData=iff(RequestURL == \"?\", 1, 0)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), makelist(RequestURL), makelist(DestinationIP), makelist(SourceIP), numOfConnections = count(), make_set(RequestMethod), max(GetData), max(RequestContext) by Domain\n// Determine the number of URIs that have been visited for the domain\n| extend destinationURI = arraylength(list_RequestURL)\n| where destinationURI <= uriThreshold\n| where tostring(list_RequestURL) has_any(scriptExtensions)\n//Remove matches 
with referer\n| where max_RequestContext == \"\"\n//Keep requests where data was trasferred either in a GET with parameters or a POST\n| where set_RequestMethod in~ (\"POST\") or max_GetData == 1\n//Defeat email click tracking, may increase FN's while decreasing FP's\n| where list_RequestURL !has \"click\" and set_RequestMethod !has \"GET\"\n| mvexpand list_RequestURL, list_DestinationIP\n| extend RequestURL = tostring(list_RequestURL), DestinationIP = tostring(list_DestinationIP), ClientIP = tostring(list_SourceIP)\n//Extend custom entitites for incidents\n| extend timestamp = StartTimeUtc, IPCustomEntity = DestinationIP\n| project-away list_RequestURL, list_DestinationIP, list_SourceIP, destinationURI, Domain, StartTimeUtc, EndTimeUtc, max_GetData, max_RequestContext\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Request for single resource on domain", + "enabled": false, + "description": "This will look for connections to a domain where only a single file is requested, this is unusual as most modern web applications require additional recources. This type of activity is often assocaited with malware beaconing or tracking URL's delivered in emails. Developed for Zscaler but applicable to any outbound web logging.", + "alertRuleTemplateName": "4d500e6d-c984-43a3-9f39-7edec8dcc04d" + } + } + ] +} \ No newline at end of file From 3299fd46bde8e0613b5e5b76ac91d4e0d068e02f Mon Sep 17 00:00:00 2001 
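Review bot: The filter `| where list_RequestURL !has "click" and set_RequestMethod !has "GET"` follows `| where set_RequestMethod in~ ("POST") or max_GetData == 1`, so the second branch — a GET whose `RequestURL` is exactly `"?"` — is admitted and then removed on the next line whenever the method set contains GET; the `max_GetData` path appears unreachable in practice, so either the `!has "GET"` clause or the GET branch and its `GetData` extend should go, with the comment `//Defeat email click tracking ...` updated to say the rule is effectively POST-only. The `Domain` extraction keeps only the last two labels, so hosts under multi-label public suffixes (for example `*.co.uk`) collapse into one domain and their URIs are counted together, pushing `destinationURI` past `uriThreshold`; a comment acknowledging this limitation, or a public-suffix-aware split, would help operators tune it. The description also carries typos (`recources`, `assocaited`) that should be corrected in the source template.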
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:33 +0000 Subject: [PATCH 276/375] Exported file: SOURGUM Actor IOC - July 2021.json.json --- .../SOURGUM Actor IOC - July 2021.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json diff --git a/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json new file mode 100644 index 00000000..67959ccf --- /dev/null +++ b/SentinelExported-AnalyticsRule/SOURGUM Actor IOC - July 2021.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b94b9a2-ddd7-4d88-949e-ac13cf28b454')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let iocs = externaldata(DateAdded:string,IoC:string,Type:string,TLP:string) [@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/SOURGUM.csv\"] with (format=\"csv\", ignoreFirstRecord=True);\nlet domains = (iocs | where Type =~ \"domainname\"| project IoC);\nlet sha256Hashes = (iocs | where Type =~ \"sha256\" | project IoC);\nlet file_path1 = (iocs | where Type =~ \"filepath1\" | project IoC);\nlet file_path2 = (iocs | where Type =~ \"filepath2\" | project IoC);\nlet file_path3 = (iocs | where Type =~ \"filepath3\" | project IoC);\nlet reg_key = (iocs | where Type =~ \"regkey\" | project IoC);\n (union isfuzzy=true\n(CommonSecurityLog\n| where DestinationHostName has_any (domains) or RequestURL has_any (domains) or Message has_any (domains)\n| parse Message with * '(' DNSName ')' *\n| project TimeGenerated, Message, SourceUserID, RequestURL, DestinationHostName, Type, SourceIP, DestinationIP, DNSName\n| extend Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, AccountCustomEntity = SourceUserID, UrlCustomEntity = RequestURL , IPCustomEntity = DestinationIP, DNSCustomEntity = 
DNSName\n),\n(DnsEvents\n| where Name in~ (domains)\n| project TimeGenerated, Computer, IPAddresses, Name, ClientIP, Type\n| extend DNSName = Name, Host = Computer , Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Host, DNSCustomEntity = DNSName, IPCustomEntity = IPAddresses\n),\n(VMConnection\n| where RemoteDnsCanonicalNames has_any (domains)\n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| project TimeGenerated, Computer, Direction, RemoteDnsCanonicalNames, ProcessName, SourceIp, DestinationIp, DestinationPort, DNSName,BytesSent, BytesReceived, RemoteCountry, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = DestinationIp, HostCustomEntity = Computer, ProcessCustomEntity = ProcessName, DNSCustomEntity = DNSName, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 3\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| extend SourceIP = EventDetail.[9].[\"#text\"], DestinationIP = EventDetail.[14].[\"#text\"], Image = EventDetail.[4].[\"#text\"]\n| where Image has_any (file_path1) or Image has_any (file_path3)\n| project TimeGenerated, SourceIP, DestinationIP, Image, UserName, Computer, EventDetail, Type\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), HostCustomEntity = Computer , IPCustomEntity = DestinationIP, Alert = 'SOURGUM IOC detected'\n), \n(DeviceNetworkEvents\n| where (RemoteUrl has_any (domains)) or (InitiatingProcessSHA256 in (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or InitiatingProcessFolderPath has_any (file_path3)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, 
RemoteIP, RemoteUrl, LocalIP, Type\n| extend timestamp = TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = DeviceName, Alert = 'SOURGUM IOC detected', UrlCustomEntity =RemoteUrl\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| project TimeGenerated,Resource, msg_s, Type\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (domains)\n| extend timestamp = TimeGenerated, DNSName = Request_Name, IPCustomEntity = ClientIP, Alert = 'SOURGUM IOC detected'\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| project TimeGenerated,Resource, msg_s\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. 
Action:' Action\n| where DestinationHost has_any (domains) \n| extend timestamp = TimeGenerated, DNSName = DestinationHost, IPCustomEntity = SourceHost, Alert = 'SOURGUM IOC detected'\n),\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID == 1\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataItem.EventData.Data\n| parse EventDetail with * 'SHA256=' SHA256 '\",' *\n| extend Image = EventDetail.[4].[\"#text\"], CommandLine = EventDetail.[10].[\"#text\"]\n| where (SHA256 has_any (sha256Hashes) and Image has_any (file_path1)) or (Image has_any (file_path3)) or ( CommandLine has_any (file_path3)) or ( CommandLine has_any (file_path1)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) \n| project TimeGenerated, EventDetail, UserName, Computer, Type, Source, SHA256, CommandLine, Image\n| extend Type = strcat(Type, \": \", Source), Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = UserName, ProcessCustomEntity = tostring(split(Image, '\\\\', -1)[-1]), AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = SHA256\n),\n(DeviceRegistryEvents\n| where RegistryKey has_any (reg_key) and RegistryValueData has_any (file_path2)\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, Type \n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceProcessEvents\n| where ( InitiatingProcessCommandLine has_any (file_path1)) or ( 
InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceFileEvents\n| where (InitiatingProcessSHA256 has_any (sha256Hashes) and InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3)) or ( InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, RequestAccountName, RequestSourceIP, InitiatingProcessSHA256, FolderPath, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = RequestAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256, Alert = 'SOURGUM IOC detected'\n),\n(DeviceEvents\n| where ( 
InitiatingProcessCommandLine has_any (file_path1)) or ( InitiatingProcessCommandLine has_any (file_path3)) or ( InitiatingProcessCommandLine has 'reg add' and InitiatingProcessCommandLine has_any (reg_key) and InitiatingProcessCommandLine has_any (file_path2)) or (InitiatingProcessFolderPath has_any (file_path1)) or (InitiatingProcessFolderPath has_any (file_path3)) or (FolderPath has_any (file_path1)) or (FolderPath has_any (file_path3))\n| project TimeGenerated, ActionType, DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessSHA256, FolderPath, Type\n| extend CommandLine = InitiatingProcessCommandLine, Alert = 'SOURGUM IOC detected'\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName , AccountCustomEntity = InitiatingProcessAccountName, ProcessCustomEntity = InitiatingProcessFileName, AlgorithmCustomEntity = \"SHA256\", FileHashCustomEntity = InitiatingProcessSHA256\n),\n( SecurityEvent\n| where EventID == 4688\n| where ( CommandLine has_any (file_path1)) or ( CommandLine has_any (file_path3)) or ( CommandLine has 'reg add' and CommandLine has_any (reg_key) and CommandLine has_any (file_path2)) or (NewProcessName has_any (file_path1)) or (NewProcessName has_any (file_path3)) or (ParentProcessName has_any (file_path1)) or (ParentProcessName has_any (file_path3))\n| project TimeGenerated, Computer, NewProcessName, ParentProcessName, Account, NewProcessId, Type\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer , AccountCustomEntity = Account, ProcessCustomEntity = NewProcessName, Alert = 'SOURGUM IOC detected'\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + 
"matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SOURGUM Actor IOC - July 2021", + "enabled": false, + "description": "Identifies a match across IOC's related to an actor tracked by Microsoft as SOURGUM", + "alertRuleTemplateName": "94749332-1ad9-49dd-a5ab-5ff2170788fc" + } + } + ] +} \ No newline at end of file From 848c9258460c332f43001ba05be41a368766493a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:34 +0000 Subject: [PATCH 277/375] Exported file: SSH - Potential Brute Force.json.json --- .../SSH - Potential Brute Force.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json diff --git a/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json new file mode 100644 index 00000000..97991578 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SSH - Potential Brute Force.json 
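Review bot: In the `DeviceNetworkEvents` branch the hash test `InitiatingProcessSHA256 in (sha256Hashes)` is case-sensitive while every other branch of the query matches with `has_any`; if the CSV lists hashes in a different letter case than the telemetry, that branch silently never matches, so `in~ (sha256Hashes)` is the safer form (the same case-sensitive `in()` on MD5 values appears in the SUNBURST hash rules of patches 278 and 279). The query also fetches its IOC list with `externaldata` from raw.githubusercontent.com on every run, so a GitHub or egress outage fails the rule rather than degrading it, and that dependency is worth stating in the description. Finally, the query emits `UrlCustomEntity`, `DNSCustomEntity`, `ProcessCustomEntity` and `AlgorithmCustomEntity`, but `entityMappings` only maps Account, Host, IP and FileHash, so the URL/DNS/process context is dropped from the incident and the FileHash entity has no `Algorithm` identifier; the missing `Algorithm` identifier recurs in the SUNBURST rules of patches 278 to 282.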
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c84de391-2133-43e6-af89-27b021feaf75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c84de391-2133-43e6-af89-27b021feaf75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet threshold = 15;\nSyslog\n| where SyslogMessage contains \"Failed password for invalid user\"\n| where ProcessName =~ \"sshd\" \n| parse kind=relaxed SyslogMessage with * \"invalid user\" user \" from \" ip \" port\" port \" ssh2\"\n| project user, ip, port, SyslogMessage, EventTime\n| summarize EventTimes = make_list(EventTime), PerHourCount = count() by ip, bin(EventTime, 4h), user\n| where PerHourCount > threshold\n| mvexpand EventTimes\n| extend EventTimes = tostring(EventTimes) \n| summarize StartTimeUtc = min(EventTimes), EndTimeUtc = max(EventTimes), UserList = makeset(user), sum(PerHourCount) by IPAddress = ip\n| extend UserList = tostring(UserList) \n| extend timestamp = StartTimeUtc, IPCustomEntity = IPAddress, AccountCustomEntity = UserList\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "SSH - Potential Brute Force", + "enabled": false, + "description": "Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.", + "alertRuleTemplateName": "e1ce0eab-10d1-4aae-863f-9a383345ba88" + } + } + ] +} \ No newline at end of file From 9f173a0a85c7394a6479134507df2f7cb6443b67 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:34 +0000 Subject: [PATCH 278/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json.json --- ...kdoor hashes (Normalized File Events).json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json new file mode 100644 index 00000000..49eef9f4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events).json 
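Review bot: The filter `SyslogMessage contains "Failed password for invalid user"` only counts failures for accounts that do not exist, so password guessing against accounts that do exist (`Failed password for <user> from ...`) is never counted, yet the description says the rule covers any 15 failed SSH sign-ins; either parse both message forms or narrow the description to invalid-user attempts. With `PerHourCount > threshold` the rule also fires at 16 failures, not 15, and the counter is named "per hour" while the bin is `4h`, which misleads whoever tunes it next. `makeset` and `mvexpand` are legacy spellings; `make_set()` and `mv-expand` are the current operators.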
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dbdd4b0a-a0f5-4e97-8a7e-c11e342bbb46')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nimFileEvent\n| where TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = User, \n HostCustomEntity = DvcHostname,\n FileHashCustomEntity = TargetFileMD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + 
"entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelFileEvent)\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "bc5ffe2a-84d6-48fe-bc7b-1055100469bc" + } + } + ] +} \ No newline at end of file From 7c2a3aa7b64c719352095303146ab054ab96922c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:35 +0000 Subject: [PATCH 279/375] Exported file: SUNBURST and SUPERNOVA backdoor hashes.json.json --- ...UNBURST and SUPERNOVA backdoor hashes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json new file mode 100644 index 00000000..93fabf1d --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST and SUPERNOVA backdoor hashes.json 
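Review bot: `SupernovaMD5` is declared as a lone string while `SunburstMD5` is a dynamic list, which forces the two-clause filter `TargetFileMD5 in(SunburstMD5) or TargetFileMD5 in(SupernovaMD5)`; folding the SUPERNOVA hash into the same list, `let BackdoorMD5 = dynamic([...])` followed by `| where TargetFileMD5 in~(BackdoorMD5)`, leaves one clause and makes adding a hash a one-line change. Patch 279 uses the same two-clause form on `MD5`. Hash lists embedded in the query text also cannot be refreshed without editing the rule; a sentence in the description naming where the hashes come from and how they are meant to be maintained would help the next maintainer.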
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c110f9e8-7ac6-496f-8df7-da0c413e767e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c110f9e8-7ac6-496f-8df7-da0c413e767e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nDeviceFileEvents\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + 
"identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST and SUPERNOVA backdoor hashes", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "a3c144f9-8051-47d4-ac29-ffb0c312c910" + } + } + ] +} \ No newline at end of file From bc77c26c5211050f8fc574c9aa80f0059f5f3869 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:36 +0000 Subject: [PATCH 280/375] Exported file: SUNBURST network beacons.json.json --- .../SUNBURST network beacons.json | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST network beacons.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST network beacons.json b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json new file mode 100644 index 00000000..be9feb5a --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNBURST network beacons.json 
@@ -0,0 +1,96 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c5b4fb13-738e-4591-a704-741486688b20')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c5b4fb13-738e-4591-a704-741486688b20')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\",\"thedoccloud.com\",\"deftsecurity.com\"]);\nDeviceNetworkEvents\n| where ActionType == \"ConnectionSuccess\"\n| where RemoteUrl in(SunburstURL)\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = InitiatingProcessMD5, \n HashAlgorithm = 'MD5',\n URLCustomEntity = RemoteUrl,\n IPCustomEntity = RemoteIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": 
[ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST network beacons", + "enabled": false, + "description": "Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "ce1e7025-866c-41f3-9b08-ec170e05e73e" + } + } + ] +} \ No newline at end of file From d79ae46dd888f3010145f9edbf4aeeacd4ad201c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:37 +0000 Subject: [PATCH 281/375] Exported file: SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json.json --- ...processes (Normalized Process Events).json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json new file mode 100644 index 00000000..19087bd8 --- /dev/null 
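Review bot: `RemoteUrl in(SunburstURL)` is an exact match, so a connection to a host under one of the listed domains (a subdomain label in front of `avsvmcloud.com`, for example) does not match; `| where RemoteUrl has_any (SunburstURL)` would also cover the subdomain form that the referenced FireEye write-up describes. `ActionType == "ConnectionSuccess"` additionally drops blocked or failed attempts (`ConnectionFailed`, `ConnectionRequest`), which are still evidence of a host trying to beacon, so the filter should either be documented as deliberate or widened.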
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes (Normalized Process Events).json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/20412a8c-a3a7-41a5-8620-6d4c724d3092')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/20412a8c-a3a7-41a5-8620-6d4c724d3092')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nimProcessCreate\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\n| where not(Process has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = ActorUsername,\n HostCustomEntity = User,\n FileHashCustomEntity = TargetProcessMD5 // Change to *hash* once implemented\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + 
"entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST suspicious SolarWinds child processes (Normalized Process Events)", + "enabled": false, + "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelProcessEvent)'", + "alertRuleTemplateName": "631d02df-ab51-46c1-8d72-32d0cfec0720" + } + } + ] +} \ No newline at end of file From 3798f685c003f9566daf96dfc93122fc9ef27143 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:37 +0000 Subject: [PATCH 282/375] Exported file: SUNBURST suspicious SolarWinds child processes.json.json --- ...suspicious SolarWinds child processes.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json diff --git a/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json new file mode 100644 index 00000000..ba56da8a --- /dev/null 
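Review bot: `HostCustomEntity = User` maps a username column to the Host entity, so the incident's Host entity will carry an account name; the normalized file-event rule in patch 278 uses `DvcHostname` for the same purpose, and that is the matching field here: `HostCustomEntity = DvcHostname`. The filter `Process hassuffix 'solarwinds.businesslayerhost.exe'` also appears to test the created process rather than its parent (the un-normalized variant in patch 282 filters on `InitiatingProcessFileName`), which would match only the SolarWinds host process itself; if `Process` aliases the target process in the imProcessCreate schema, the acting-process field is the one to filter on — confirm against the schema. The description string ends with a stray `'` after the ASIM parser link.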
+++ b/SentinelExported-AnalyticsRule/SUNBURST suspicious SolarWinds child processes.json 
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a0ae8d0a-38d8-441f-b491-134cf3151846')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a0ae8d0a-38d8-441f-b491-134cf3151846')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\n| where not(FolderPath has_any (excludeProcs))\n| extend\n timestamp = TimeGenerated,\n AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\n HostCustomEntity = DeviceName,\n FileHashCustomEntity = MD5\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + 
"groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "FileHash", + "fieldMappings": [ + { + "identifier": "Value", + "columnName": "FileHashCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": null, + "displayName": "SUNBURST suspicious SolarWinds child processes", + "enabled": false, + "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f", + "alertRuleTemplateName": "4a3073ac-7383-48a9-90a8-eb6716183a54" + } + } + ] +} \ No newline at end of file From 69fdd6b70ec6bde04ac9cc23d00506cf02dc5e6b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:38 +0000 Subject: [PATCH 283/375] Exported file: SUNSPOT log file creation.json.json --- .../SUNSPOT log file creation.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT log file creation.json diff --git a/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json new file mode 100644 index 00000000..5010a7fc --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNSPOT log file creation.json 
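Review bot: The `FileHash` entry in `entityMappings` carries only the `Value` identifier, while the query sets `FileHashCustomEntity = MD5`; as far as I know Sentinel keys the FileHash entity on the Algorithm + Value pair, so without the algorithm the hash may not resolve to an entity on the incident. One way to close this is to add `FileHashAlgorithm = "MD5"` to the trailing `extend` in `query` and a second field mapping `{ "identifier": "Algorithm", "columnName": "FileHashAlgorithm" }` beside the existing `Value` one. The Normalized-variant file exported just before this one has the same single-identifier mapping; its hunk starts before this chunk.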
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a13c922b-fe7c-476e-a586-edaab2219e57')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a13c922b-fe7c-476e-a586-edaab2219e57')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "union isfuzzy=true\n(DeviceFileEvents\n| where FolderPath endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated),\n(SecurityEvent\n| where EventID == 4663\n| where ObjectName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = Computer, timestamp=TimeGenerated),\n(imFileEvent\n| where TargetFileName endswith \"vmware-vmdmp.log\"\n| extend HostCustomEntity = DvcHostname, timestamp=TimeGenerated\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SUNSPOT log file creation", + "enabled": false, + "description": "This query uses Microsoft Defender for Endpoint 
data and Windows Event Logs to look for IoCs associated with the SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807", + "alertRuleTemplateName": "c0e84221-f240-4dd7-ab1e-37e034ea2a4e" + } + } + ] +} \ No newline at end of file From b7f5101539370c60a3d28ed574fefc5abbeec7cd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:39 +0000 Subject: [PATCH 284/375] Exported file: SUNSPOT malware hashes.json.json --- .../SUNSPOT malware hashes.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json diff --git a/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json new file mode 100644 index 00000000..ae9509a3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUNSPOT malware hashes.json 
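Review bot: The `DeviceFileEvents` and `imFileEvent` branches of `query` match any file action on `vmware-vmdmp.log`, not only creation as `displayName` says; either restrict the MDE branch, e.g. `| where ActionType == "FileCreated"`, or describe the rule as covering any activity on that path. The `SecurityEvent` branch relies on EventID 4663, which is only emitted where object-access auditing and a SACL cover the directory, and the `imFileEvent` branch needs the ASIM file-event parser deployed; neither prerequisite appears in `description`, unlike the ASIM note the SUNBURST (Normalized) rule carries. Suggest appending a sentence such as `The SecurityEvent branch requires File System object access auditing on the build host; the imFileEvent branch requires the ASIM file event parsers.`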
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe80d1cc-65a1-400c-a5d5-5a5decf74f31')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let SUNSPOT_Hashes = dynamic([\"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168\", \"0819db19be479122c1d48743e644070a8dc9a1c852df9a8c0dc2343e904da389\"]);\nunion isfuzzy=true(\nDeviceEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes)),\n(DeviceImageLoadEvents\n| where InitiatingProcessSHA256 in (SUNSPOT_Hashes))\n| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": null, + "displayName": "SUNSPOT malware hashes", + "enabled": false, + "description": "This query uses Microsoft Defender for Endpoint data to look for IoCs associated with the 
SUNSPOT malware shared by Crowdstrike.\nMore details: \n - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ \n - https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-software-build-process-with-azure-sentinel/ba-p/2140807", + "alertRuleTemplateName": "53e936c6-6c30-4d12-8343-b8a0456e8429" + } + } + ] +} \ No newline at end of file From 2e3f8d13f38a021cb2b4a596e68cf48c94cd5377 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:40 +0000 Subject: [PATCH 285/375] Exported file: SUPERNOVA webshell.json.json --- .../SUPERNOVA webshell.json | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SUPERNOVA webshell.json diff --git a/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json new file mode 100644 index 00000000..58eaf929 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SUPERNOVA webshell.json 
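Review bot: The matched hash is never surfaced: `entityMappings` maps only `Host`, although every row that passes the `in (SUNSPOT_Hashes)` filter in `query` still carries `InitiatingProcessSHA256`. Extending the last line to `| extend HostCustomEntity = DeviceName, timestamp=TimeGenerated, FileHashCustomEntity = InitiatingProcessSHA256, FileHashAlgorithm = "SHA256"` and adding a `FileHash` mapping with `Algorithm` → `FileHashAlgorithm` and `Value` → `FileHashCustomEntity` (the shape used by the SUNBURST rule earlier in this series, plus the Algorithm row) lets the incident carry the IoC for pivoting. It is also worth stating in `description` that only `InitiatingProcessSHA256` is checked, so a matching binary seen as the child process (the `SHA256` column of `DeviceProcessEvents`) appears to fall outside this rule's coverage.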
@@ -0,0 +1,78 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb7fe01-21a7-4ffb-b8f0-ac29b991da50')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nW3CIISLog\n| where csMethod == 'GET'\n| where isnotempty(csUriStem) and isnotempty(csUriQuery)\n| where csUriStem contains \"logoimagehandler.ashx\"\n| where csUriQuery contains \"codes\" and csUriQuery contains \"clazz\" and csUriQuery contains \"method\" and csUriQuery contains \"args\"\n| extend timestamp = TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "SUPERNOVA webshell", + "enabled": false, + "description": "Identifies SUPERNOVA webshell based on W3CIISLog data.\n References:\n - https://unit42.paloaltonetworks.com/solarstorm-supernova/", + "alertRuleTemplateName": "2acc91c3-17c2-4388-938e-4eac2d5894e8" + } + } + ] +} \ No newline at end of file From 27d083ec1a0382325dac224ae1f615d2bb7e46f3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:40 +0000 Subject: [PATCH 286/375] Exported file: Security Event log cleared.json.json --- .../Security Event log cleared.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Security Event log cleared.json diff --git a/SentinelExported-AnalyticsRule/Security Event log cleared.json b/SentinelExported-AnalyticsRule/Security Event log cleared.json new file mode 100644 index 00000000..de1e55cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Security Event log cleared.json 
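Review bot: `| where csMethod == 'GET'` is the one case-sensitive comparison in `query`, whereas every `contains` that follows is case-insensitive; clients almost always send the method in upper case, but `| where csMethod =~ 'GET'` makes the intent explicit and consistent with the rest of the filter chain. The rule also depends on `cs-uri-query` being among the logged W3C fields, which `description` should mention so operators running a trimmed IIS field set know the rule cannot see the `codes`/`clazz`/`method`/`args` markers.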
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fd618de1-e892-433a-9bc3-4d5d94edf017')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fd618de1-e892-433a-9bc3-4d5d94edf017')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nSecurityEvent\n| where EventID == 1102 and EventSourceName == \"Microsoft-Windows-Eventlog\" \n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), EventCount = count() by Computer, Account, EventID, Activity\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Security Event log cleared", + "enabled": false, + "description": "Checks for event id 1102 
which indicates the security event log was cleared. \nIt uses Event Source Name \"Microsoft-Windows-Eventlog\" to avoid generating false positives from other sources, like AD FS servers for instance.", + "alertRuleTemplateName": "80da0a8f-cfe1-4cd0-a895-8bc1771a720e" + } + } + ] +} \ No newline at end of file From f0765d2a33d990d1457fb77d5644a3bb02bea542 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:41 +0000 Subject: [PATCH 287/375] Exported file: Security Service Registry ACL Modification.json.json --- ...ity Service Registry ACL Modification.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json diff --git a/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json new file mode 100644 index 00000000..88f3794a --- /dev/null +++ b/SentinelExported-AnalyticsRule/Security Service Registry ACL Modification.json 
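Review bot: `queryFrequency` and `queryPeriod` are both `P1D`, so a security-log clear (EventID 1102) can go unalerted for up to a day even though the event is rare and the query is cheap; the `Several deny actions registered` rule later in this series runs hourly, and `"queryFrequency": "PT1H", "queryPeriod": "PT1H"` looks like a better fit for a Defense Evasion signal of this kind, unless the daily cadence is a deliberate cost trade-off. With the daily window the `summarize` also folds all clears by one account on one host into a single row, which a shorter window would make less lossy.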
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ef3b755-c57d-4103-8ad3-7536adbdd953')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ef3b755-c57d-4103-8ad3-7536adbdd953')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet servicelist = dynamic(['Services\\\\HealthService', 'Services\\\\Sense', 'Services\\\\WinDefend', 'Services\\\\MsSecFlt', 'Services\\\\DiagTrack', 'Services\\\\SgrmBroker', 'Services\\\\SgrmAgent', 'Services\\\\AATPSensorUpdater' , 'Services\\\\AATPSensor', 'Services\\\\mpssvc']);\nlet filename = dynamic([\"subinacl.exe\",'SetACL.exe']);\nlet parameters = dynamic (['/deny=SYSTEM', '/deny=S-1-5-18', '/grant=SYSTEM=r', '/grant=S-1-5-18=r', 'n:SYSTEM;p:READ', 'n1:SYSTEM;ta:remtrst;w:dacl']);\nlet FullAccess = dynamic(['A;CI;KA;;;SY', 'A;ID;KA;;;SY', 'A;CIID;KA;;;SY']);\nlet ReadAccess = dynamic(['A;CI;KR;;;SY', 'A;ID;KR;;;SY', 'A;CIID;KR;;;SY']);\nlet DenyAccess = dynamic(['D;CI;KR;;;SY', 'D;ID;KR;;;SY', 'D;CIID;KR;;;SY']);\nlet timeframe = 1d;\n(union isfuzzy=true\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4670\n| where ObjectType == 'Key'\n| where ObjectName has_any (servicelist)\n| parse EventData with * 'OldSd\">' OldSd \"<\" *\n| parse EventData with * 'NewSd\">' NewSd \"<\" *\n| extend Reason = case( (OldSd has ';;;SY' and NewSd !has ';;;SY'), 'System Account is removed', (OldSd has_any (FullAccess) 
and NewSd has_any (ReadAccess)) , 'System permission has been changed to read from full access', (OldSd has_any (FullAccess) and NewSd has_any (DenyAccess)), 'System account has been given denied permission', 'None')\n| project TimeGenerated, Computer, Account, ProcessName, ProcessId, ObjectName, EventData, Activity, HandleId, SubjectLogonId, OldSd, NewSd , Reason\n),\n(\nSecurityEvent\n| where TimeGenerated >= ago(timeframe)\n| where EventID == 4688\n| extend ProcessName = tostring(split(NewProcessName, '\\\\')[-1])\n| where ProcessName in~ (filename) \n| where CommandLine has_any (servicelist) and CommandLine has_any (parameters)\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type\n),\n(\nDeviceProcessEvents\n| where TimeGenerated >= ago(timeframe)\n| where InitiatingProcessFileName in~ (filename) \n| where InitiatingProcessCommandLine has_any(servicelist) and InitiatingProcessCommandLine has_any (parameters)\n| extend Account = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName), Computer = DeviceName\n| project TimeGenerated, Computer, Account, AccountDomain, ProcessName = InitiatingProcessFileName, ProcessNameFullPath = FolderPath, Activity = ActionType, CommandLine = InitiatingProcessCommandLine, Type, InitiatingProcessParentFileName\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", 
+ "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Security Service Registry ACL Modification", + "enabled": false, + "description": "Identifies attempts to modify registry ACL to evade security solutions. In the Solorigate attack, the attackers were found modifying registry permissions so services.exe cannot access the relevant registry keys to start the service.\n The detection leverages Security Event as well as MDE data to identify when specific security services registry permissions are modified. \n Only some portions of this detection are related to Solorigate, it also includes coverage for some common tools that perform this activity. \n Reference on guidance for enabling registry auditing:\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing-faq\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-registry\n - https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4670\n - For the event 4670 to be created the audit policy for the registry must have auditing enabled for Write DAC and/or Write Owner\n - https://github.com/OTRF/Set-AuditRule \n - https://docs.microsoft.com/dotnet/api/system.security.accesscontrol.registryrights?view=dotnet-plat-ext-5.0", + "alertRuleTemplateName": "473d57e6-f787-435c-a16b-b38b51fa9a4b" + } + } + ] +} \ No newline at end of file From 0fb66ba7b8b11acb17c9cdc3b3a136e8bb06bbd9 Mon Sep 17 00:00:00 2001 
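Review bot: The `Reason` column computed in the first union branch of `query` (system account removed, reduced to read, or denied) never reaches the analyst, because `properties` defines no `customDetails` and the trailing `extend` only maps `Account` and `Computer`; rows whose `Reason` evaluates to `'None'` still alert, so that context is exactly what triage needs. Adding `"customDetails": { "Reason": "Reason", "CommandLine": "CommandLine", "ObjectName": "ObjectName" }` to `properties` would surface it (columns absent from a union branch come through as null, which is acceptable here). If alerting on every DACL change to these keys regardless of `Reason` is intended, `description` should say so, since its wording suggests only permission reductions are targeted.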
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:42 +0000 Subject: [PATCH 288/375] Exported file: SecurityEvent - Multiple authentication failures followed by a success.json.json --- ...cation failures followed by a success.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json diff --git a/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json new file mode 100644 index 00000000..a237d536 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SecurityEvent - Multiple authentication failures followed by a success.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cc7acbf4-21dc-4fab-ba8a-6ed8e62087e0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet timeRange = 6h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID == 4624 or EventID == 4625\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 5 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by Account, IpAddress, Computer, Outcome, bin(TimeGenerated, 5m)\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by Account asc, TimeGenerated asc\n| serialize \n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(Outcome), makeset(Computer), 
makeset(IpAddress) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome \n// where the number of failures before the success is above the threshold \n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mvexpand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, AccountCustomEntity=Account, HostCustomEntity=Computer, IPCustomEntity=IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "SecurityEvent - Multiple authentication failures followed by a success", + "enabled": false, + "description": "Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication\nwithin a short time frame. 
Multiple failed attempts followed by a success can be an indication of a brute force attempt or\npossible mis-configuration of a service account within an environment.\nThe lookback is set to 6h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum\nof 5 failures followed by a success for an account within 1 hour to surface an alert.", + "alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7" + } + } + ] +} \ No newline at end of file From d0374b2b5bdf6dd72d1d47b2efb298505be219b1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:43 +0000 Subject: [PATCH 289/375] Exported file: Sensitive Azure Key Vault operations.json.json --- .../Sensitive Azure Key Vault operations.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json diff --git a/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json new file mode 100644 index 00000000..7c838929 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sensitive Azure Key Vault operations.json 
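Review bot: `| mvexpand set_IpAddress, set_Computer` near the end of `query` expands the two sets in parallel — multi-column mv-expand zips by index, as I read it — so the `IPCustomEntity`/`HostCustomEntity` pairs on the output rows are positional rather than the IP–host combinations that actually authenticated together, with the shorter set padded by null. If the pairing matters for the incident entities, expand one set at a time (`| mv-expand set_IpAddress | mv-expand set_Computer`) to get the cross product, or carry the pair through the session `summarize` as a single set of packed values. Separately, `makelist`, `makeset` and `mvexpand` are legacy aliases for `make_list`, `make_set` and `mv-expand`, and `| serialize` directly after `sort by` is redundant because `sort` already serializes.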
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/64c74af9-0412-4732-89f8-86f46e4897eb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/64c74af9-0412-4732-89f8-86f46e4897eb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet SensitiveOperationList = dynamic(\n[\"VaultDelete\", \"KeyDelete\", \"SecretDelete\", \"SecretPurge\", \"KeyPurge\", \"SecretBackup\", \"KeyBackup\"]);\nAzureDiagnostics\n| extend ResultType = columnifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = columnifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = columnifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\")\n| extend id_s = columnifexists(\"id_s\", \"None\"), CallerIPAddress = columnifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = columnifexists(\"clientInfo_s\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g !~ \"None\" and isnotempty(identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g)\n| where id_s !~ \"None\" and isnotempty(id_s)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| where clientInfo_s !~ \"None\" and isnotempty(clientInfo_s)\n| where requestUri_s !~ \"None\" and 
isnotempty(requestUri_s)\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\" \n| where OperationName in~ (SensitiveOperationList) \n| summarize EventCount=count(), StartTimeUtc=min(TimeGenerated), EndTimeUtc=max(TimeGenerated), TimeTriggered=makelist(TimeGenerated),OperationNameList=make_set(OperationName), RequestURLList=make_set(requestUri_s), CallerIPList = make_set(CallerIPAddress), CallerIPMax= arg_max(CallerIPAddress,*) by ResourceType, ResultType, Resource, id_s, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, clientInfo_s\n| extend timestamp = StartTimeUtc, IPCustomEntity = CallerIPMax, AccountCustomEntity = identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Sensitive Azure Key Vault operations", + "enabled": false, + "description": "Identifies when sensitive Azure Key Vault operations are used. This includes: VaultDelete, KeyDelete, SecretDelete, SecretPurge, KeyPurge, SecretBackup, KeyBackup. \nAny Backup operations should match with expected scheduled backup activity.", + "alertRuleTemplateName": "d6491be0-ab2d-439d-95d6-ad8ea39277c5" + } + } + ] +} \ No newline at end of file From aa6d2b82b7709bce49227800b7a5e7ac6edfc3c3 Mon Sep 17 00:00:00 2001 
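Review bot: `CallerIPMax= arg_max(CallerIPAddress,*)` in the `summarize` of `query` appears to select the lexicographically largest caller IP string and, through `*`, also pulls every other `AzureDiagnostics` column into the result; the address that then becomes `IPCustomEntity` is an arbitrary member of `CallerIPList`, and a sensitive operation issued from two addresses yields only one IP entity. Dropping the `arg_max` and expanding the set instead, `| mv-expand CallerIPList | extend IPCustomEntity = tostring(CallerIPList)`, gives one row per caller address, which is the pattern the authentication-failures rule in this series uses for its IP set.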
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:44 +0000 Subject: [PATCH 290/375] Exported file: Several deny actions registered.json.json --- .../Several deny actions registered.json | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Several deny actions registered.json diff --git a/SentinelExported-AnalyticsRule/Several deny actions registered.json b/SentinelExported-AnalyticsRule/Several deny actions registered.json new file mode 100644 index 00000000..780cdb88 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Several deny actions registered.json 
@@ -0,0 +1,70 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/61cf974b-9170-4e7e-9c13-f801cce8b2c2')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Medium", + "query": "\nlet threshold = 1;\nAzureDiagnostics\n | where OperationName in (\"AzureFirewallApplicationRuleLog\",\"AzureFirewallNetworkRuleLog\")\n | extend msg_s_replaced0 = replace(@\"\\s\\s\",@\" \",msg_s)\n | extend msg_s_replaced1 = replace(@\"\\.\\s\",@\" \",msg_s_replaced0)\n | extend msg_a = split(msg_s_replaced1,\" \")\n | extend srcAddr_a = split(msg_a[3],\":\") , destAddr_a = split(msg_a[5],\":\")\n | extend protocol = tostring(msg_a[0]), srcIp = tostring(srcAddr_a[0]), srcPort = tostring(srcAddr_a[1]), destIp = tostring(destAddr_a[0]), destPort = tostring(destAddr_a[1]), action = tostring(msg_a[7])\n | where action == \"Deny\"\n | extend url = iff(destIp matches regex \"\\\\d+\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+\",\"\",destIp)\n | summarize StartTime = min(TimeGenerated), count() by srcIp, destIp, url, action, protocol\n | where count_ >= [\"threshold\"]\n | extend timestamp = StartTime, URLCustomEntity = url, IPCustomEntity = srcIp\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + 
"lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Discovery", + "LateralMovement", + "CommandAndControl" + ], + "techniques": null, + "displayName": "Several deny actions registered", + "enabled": false, + "description": "Identifies attack pattern when attacker tries to move, or scan, from resource to resource on the network and creates an incident when a source has more than 1 registered deny action in Azure Firewall.", + "alertRuleTemplateName": "f8dad4e9-3f19-4d70-ab7f-8f19ccd43a3e" + } + } + ] +} \ No newline at end of file From 989131692497e778be80452af4cb5ea6d76911dd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:44 +0000 Subject: [PATCH 291/375] Exported file: SharePointFileOperation via devices with previously unseen user agents.json.json --- ...es with previously unseen user agents.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json new file mode 100644 index 00000000..890b9771 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via devices with previously unseen user agents.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b4b19b2b-c30f-4f25-b5d5-762e7ceeef99')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 5;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where isnotempty(UserAgent)\n| summarize historicalCount = count() by UserAgent, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| where TimeGenerated > ago(endtime)\n| where isnotempty(UserAgent)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;\nlet RareUserAgent = recentActivity | join kind = leftanti (historicalActivity) on UserAgent\n| order by recentCount desc, UserAgent\n// More than 5 downloads/uploads from a new user agent today\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated > ago(endtime) \n| where RecordType =~ szSharePointFileOperation \n| where Operation in~ 
(szOperations)\n| where isnotempty(UserAgent)\n| join kind= inner (RareUserAgent)\non UserAgent, RecordType, Operation \n| where Start_Time between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "SharePointFileOperation via devices with previously unseen user agents", + "enabled": false, + "description": "Identifies if the number of documents uploaded or downloaded from device(s) associated\nwith a previously unseen user agent exceeds a threshold (default is 5).", + "alertRuleTemplateName": "5dd76a87-9f87-4576-bab3-268b0e2b338b" + } + } + ] +} \ No newline at end of file From ed57b9d2a924ec8f5f5d51bd706adb20594732c3 Mon Sep 17 00:00:00 2001 
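Review bot: The `leftanti` join that builds `RareUserAgent` is keyed on `UserAgent` alone, whereas `historicalActivity` and `recentActivity` are both summarized by `UserAgent, RecordType, Operation` and the sibling rule "SharePointFileOperation via previously unseen IPs" joins on all three keys; a user agent seen historically only for uploads is therefore treated as "seen" for downloads too. If that is not intentional, `| join kind = leftanti (historicalActivity) on UserAgent, RecordType, Operation` makes the two rules consistent; if it is, a comment saying so would stop the next reader from "fixing" it. `UserAgent` is a client-supplied header, so a short note in `description` that this is a low-confidence signal best correlated with the unseen-IP rule would help analysts triage it.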
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:45 +0000 Subject: [PATCH 292/375] Exported file: SharePointFileOperation via previously unseen IPs.json.json --- ...leOperation via previously unseen IPs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json diff --git a/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json new file mode 100644 index 00000000..379ae7e9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/SharePointFileOperation via previously unseen IPs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85e14dab-bc47-4f28-810f-47db9aa5896f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85e14dab-bc47-4f28-810f-47db9aa5896f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet threshold = 50;\nlet szSharePointFileOperation = \"SharePointFileOperation\";\nlet szOperations = dynamic([\"FileDownloaded\", \"FileUploaded\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet historicalActivity =\nOfficeActivity\n| where TimeGenerated between(ago(starttime)..ago(endtime))\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize historicalCount = count() by ClientIP, RecordType, Operation;\nlet recentActivity = OfficeActivity\n| where TimeGenerated > ago(endtime)\n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| summarize min(Start_Time), max(Start_Time), recentCount = count() by ClientIP, RecordType, Operation;\nlet RareIP = recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP, RecordType, Operation\n// More than 50 downloads/uploads from a new IP\n| where recentCount > threshold;\nOfficeActivity \n| where TimeGenerated >= ago(endtime) \n| where RecordType =~ szSharePointFileOperation\n| where Operation in~ (szOperations)\n| join kind= inner (RareIP) on ClientIP, RecordType, Operation\n| where Start_Time 
between(min_Start_Time .. max_Start_Time)\n| summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgent, IPSeenCount = recentCount\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url\n| order by IPSeenCount desc, ClientIP asc, Operation asc, UserId asc\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "SharePointFileOperation via previously unseen IPs", + "enabled": false, + "description": "Identifies when the volume of documents uploaded to or downloaded from Sharepoint by new IP addresses\nexceeds a threshold (default is 50).", + "alertRuleTemplateName": "4b11568b-3f5f-4ba1-80c8-7f1dc8390eb7" + } + } + ] +} \ No newline at end of file From 5bb7f7625b8a8eae7893a710f18bb3cf7dfda358 Mon Sep 17 00:00:00 2001 
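Review bot: Neither `historicalActivity` nor `recentActivity` excludes rows with an empty `ClientIP`, unlike the user-agent sibling rule, which filters `isnotempty(UserAgent)`; a day with more than 50 SharePoint operations lacking a client IP would surface as a single "previously unseen IP" and map an empty value to the `IP` entity. Adding `| where isnotempty(ClientIP)` to both `let` blocks closes that. The final scan uses `TimeGenerated >= ago(endtime)` while `recentActivity` uses `> ago(endtime)`; aligning the two avoids an edge-case row that appears in one set but not the other.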
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:46 +0000 Subject: [PATCH 293/375] Exported file: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json new file mode 100644 index 00000000..0124366b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization).json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/595b910c-156b-4a20-996e-06c50a217133')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/595b910c-156b-4a20-996e-06c50a217133')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n , applicationsTargeted = dcount(TargetAppName)\n , applicationSet = make_set(TargetAppName) \n by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n imAuthentication\n | where EventResult=='Success'\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, 
successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)", + "enabled": false, + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33" + } + } + ] +} \ No newline at end of file From f24ca48e9602e124f5af4357de99df081ea2409a Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:47 +0000 Subject: [PATCH 294/375] Exported file: Sign-ins from IPs that attempt sign-ins to disabled accounts.json.json --- ...attempt sign-ins to disabled accounts.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json 
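Review bot: `makeset(TargetUsername, 15)` uses the legacy spelling; the non-ASIM sibling rule in the next patch uses `make_set`, and `make_set(TargetUsername, 15)` keeps the two consistent. The `leftouter` join on `SrcDvcIpAddr` is immediately followed by `where isnotempty(successfulAccountSigninCount)`, which makes it an inner join in effect — `join kind=inner` states the intent directly. Both sides are summarized by `SrcDvcIpAddr, Type` but joined on `SrcDvcIpAddr` only, so a failure set from one source can be paired with a success set from a different `Type`; include `Type` in the join key if that pairing is unintended. Both `imAuthentication` calls are invoked without time-range parameters; if the deployed parser version supports `starttime`/`endtime` filtering, passing them would bound the scan to the rule's `queryPeriod`.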
diff --git a/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json new file mode 100644 index 00000000..e4ffdb36 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Sign-ins from IPs that attempt sign-ins to disabled accounts.json 
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ee20e13-a511-42e0-beb8-020666b7071c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ee20e13-a511-42e0-beb8-020666b7071c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\" \n| where ResultDescription == \"User account is disabled. The account has been disabled by an administrator.\" \n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), \ndisabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), \napplicationSet = make_set(AppDisplayName) by IPAddress, Type\n| order by disabledAccountLoginAttempts desc\n| join kind= leftouter (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n table(tableName)\n | where ResultType == 0\n | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n) on IPAddress \n// IPs from which attempts to authenticate as disabled user accounts originated, and had a non-zero success rate for some other 
account\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, IPAddress, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n| extend timestamp = StartTime, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess", + "Persistence" + ], + "techniques": null, + "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts", + "enabled": false, + "description": "Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.\nThis could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.", + "alertRuleTemplateName": "500c103a-0319-4d56-8e99-3cec8d860757" + } + } + ] +} \ No newline at end of file From 99d73dfcf9a3983347006251fcc065573cb4b12f Mon Sep 17 00:00:00 2001 
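Review bot: Inside `aadFunc` the failure branch compares `ResultType == "50057"` (string literal) while the success branch uses `ResultType == 0` (numeric literal) on the same column; relying on implicit conversion in one branch is fragile, and `ResultType == "0"` keeps the literal type consistent. The exact match on `ResultDescription` duplicates the `50057` check and will silently stop matching if the wording of that message changes; the code alone is sufficient, with the text retained as a comment for readers. A comment on `union isfuzzy=true` noting that `AADNonInteractiveUserSignInLogs` may not exist in every workspace would explain why the fuzzy union is used.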
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:47 +0000 Subject: [PATCH 295/375] Exported file: Solorigate Defender Detections.json.json --- .../Solorigate Defender Detections.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Defender Detections.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json new file mode 100644 index 00000000..d2be50b9 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Defender Detections.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9aa5f4c8-b3ad-458f-92e4-d4cf21948c59')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join (SecurityAlert\n| where ProviderName =~ \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| where ThreatName has \"Solorigate\"\n| extend HostCustomEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.HostCustomEntity\n| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId, HostCustomEntity\n| extend timestamp = TimeGenerated, IPCustomEntity = PublicIP\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": 
"Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Solorigate Defender Detections", + "enabled": false, + "description": "Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as \n Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the the Solarigate Defender alerts.", + "alertRuleTemplateName": "e70fa6e0-796a-4e85-9420-98b17b0bb749" + } + } + ] +} \ No newline at end of file From ff896112eac2eacefdd10838395dc81262c1a9e4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:48 +0000 Subject: [PATCH 296/375] Exported file: Solorigate Domains Found in VM Insights.json.json --- ...lorigate Domains Found in VM Insights.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json new file mode 100644 index 00000000..9ca5d68d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Domains Found in VM Insights.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c0b5afe-4cb8-4ce4-9ecd-a84706d91c1f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\nlet domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\nlet timeframe = 1h;\nlet connections = VMConnection \n | where TimeGenerated >= ago(timeframe)\n | extend DNSName = set_union(todynamic(RemoteDnsCanonicalNames),todynamic(RemoteDnsQuestions))\n | mv-expand DNSName\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = RemoteIp\n | summarize TimeGenerated = arg_min(TimeGenerated, *), requests = count() by IPCustomEntity, DNSName = tostring(DNSName), AgentId, Machine, Process;\nlet processes = VMProcess\n | where TimeGenerated >= ago(timeframe)\n | project AgentId, Machine, Process, UserName, UserDomain, ExecutablePath, CommandLine, FirstPid\n | extend exePathArr = split(ExecutablePath, \"\\\\\")\n | extend DirectoryName = array_strcat(array_slice(exePathArr, 0, 
array_length(exePathArr) - 2), \"\\\\\")\n | extend Filename = array_strcat(array_slice(exePathArr, array_length(exePathArr) - 1, array_length(exePathArr)), \"\\\\\")\n | project-away exePathArr;\nlet computers = VMComputer\n | where TimeGenerated >= ago(timeframe)\n | project HostCustomEntity = HostName, AzureResourceId = _ResourceId, AgentId, Machine;\nconnections | join kind = inner (processes) on AgentId, Machine, Process\n | join kind = inner (computers) on AgentId, Machine\n \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Solorigate Domains Found in VM Insights", + "enabled": false, + "description": "Identifies connections to Solorigate-related DNS records based on VM insights data", + "alertRuleTemplateName": "ab4b6944-a20d-42ab-8b63-238426525801" + } + } + ] +} \ No newline at end of file From b88136b37697ca68c48dc0eb33c3a0eaac5060cc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:49 +0000 Subject: [PATCH 297/375] Exported file: Solorigate Named Pipe.json.json --- .../Solorigate Named Pipe.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Named Pipe.json 
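Review bot: The `domains` list in `query` is an inline copy of the same seventeen Solorigate indicators used by the "Solorigate Network Beacon" rule in a later patch of this series; two hard-coded copies will drift as indicators are retired or added, so sourcing both from a watchlist (`_GetWatchlist(...)`) or a shared KQL function keeps them in sync. The `connections` block matches with `DNSName has_any (domains)`, which is a term match rather than an exact one, so a legitimate name containing one of the listed labels could match as well; the beacon rule already uses `in~ (domains)` for its VMConnection branch, and the same here would be stricter and consistent. A comment on `array_slice(exePathArr, 0, array_length(exePathArr) - 2)` noting that `array_slice` treats the end index as inclusive would save a reader from flagging it as an off-by-one.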
diff --git a/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json new file mode 100644 index 00000000..3567c779 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Named Pipe.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a4d01245-f322-4861-9ffe-1c410aa9dfaa')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "\n(union isfuzzy=true\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| where EventData has '583da945-62af-10e8-4902-a8f205c72b2e'\n| extend EventData = parse_xml(EventData).DataItem.EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, MG, ManagementGroupName, _ResourceId)\n| extend PipeName = column_ifexists(\"PipeName\", \"\")\n| extend Account = UserName\n),\n(\n SecurityEvent\n| where EventID == '5145'\n// %%4418 looks for presence of CreatePipeInstance value \n| where AccessList has '%%4418' \n| where RelativeTargetName has '583da945-62af-10e8-4902-a8f205c72b2e'\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + 
"reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Solorigate Named Pipe", + "enabled": false, + "description": "Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.\n For the sysmon events required for this detection, logging for Named Pipe Events needs to be configured in Sysmon config (Event ID 17 and Event ID 18)\n Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095", + "alertRuleTemplateName": "11b4c19d-2a79-4da3-af38-b067e1273dee" + } + } + ] +} \ No newline at end of file From 4540010ae34f65ec8d672304769f1a54852d0567 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:50 +0000 Subject: [PATCH 298/375] Exported file: Solorigate Network Beacon.json.json --- .../Solorigate Network Beacon.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Solorigate Network Beacon.json diff --git a/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json new file mode 100644 index 00000000..5d0d4c2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Solorigate Network Beacon.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f34bfe11-29ce-41f8-9a1e-167cd3302d0e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT6H", + "queryPeriod": "PT6H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let domains = dynamic([\"incomeupdate.com\",\"zupertech.com\",\"databasegalore.com\",\"panhardware.com\",\"avsvmcloud.com\",\"digitalcollege.org\",\"freescanonline.com\",\"deftsecurity.com\",\"thedoccloud.com\",\"virtualdataserver.com\",\"lcomputers.com\",\"webcodez.com\",\"globalnetworkissues.com\",\"kubecloud.com\",\"seobundlekit.com\",\"solartrackingsystem.net\",\"virtualwebdata.com\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n | parse Message with * '(' DNSName ')' * \n | where DNSName in~ (domains) or DestinationHostName has_any (domains) or RequestURL has_any(domains)\n | extend AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName, IPCustomEntity = SourceIP\n ),\n(DnsEvents \n | extend DNSName = Name\n | where isnotempty(DNSName)\n | where DNSName has_any (domains)\n | extend IPCustomEntity = ClientIP\n ),\n(imDns (domain_has_any=domains)\n | extend DNSName = DnsQuery\n | extend IPCustomEntity = SrcIpAddr\n ),\n(VMConnection \n | parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n | where isnotempty(DNSName)\n | where DNSName in~ (domains)\n | extend IPCustomEntity = RemoteIp\n ),\n(DeviceNetworkEvents \n | 
where isnotempty(RemoteUrl) \n | where RemoteUrl has_any (domains) \n | extend DNSName = RemoteUrl\n | extend IPCustomEntity = RemoteIP \n | extend HostCustomEntity = DeviceName \n ),\n(AzureDiagnostics\n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallDnsProxy\"\n | parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n | where Request_Name has_any (domains) \n | extend DNSName = Request_Name\n | extend IPCustomEntity = ClientIP \n ),\n(AzureDiagnostics \n | where ResourceType == \"AZUREFIREWALLS\"\n | where Category == \"AzureFirewallApplicationRule\"\n | parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n | where isnotempty(DestinationHost)\n | where DestinationHost has_any (domains) \n | extend DNSName = DestinationHost \n | extend IPCustomEntity = SourceHost\n ) \n )\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + 
"displayName": "Solorigate Network Beacon", + "enabled": false, + "description": "Identifies a match across various data feeds for domains IOCs related to the Solorigate incident.\n References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/, \n https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1", + "alertRuleTemplateName": "cecdbd4c-4902-403c-8d4b-32eb1efe460b" + } + } + ] +} \ No newline at end of file From 392180e70513f8d0ac9855b272ac7b69cae7c1a8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:50 +0000 Subject: [PATCH 299/375] Exported file: Squid proxy events for ToR proxies.json.json --- .../Squid proxy events for ToR proxies.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json diff --git a/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json new file mode 100644 index 00000000..54cd03c7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Squid proxy events for ToR proxies.json 
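Review bot: The `CommonSecurityLog` and `VMConnection` branches match the parsed `DNSName` with `in~ (domains)`, i.e. exact equality, while every other branch uses `has_any`; SUNBURST's C2 lookups were DGA subdomains under `avsvmcloud.com`, so an exact match against the apex list misses them in those two branches. Changing both to `| where DNSName has_any (domains)` (keeping the `DestinationHostName`/`RequestURL` clauses in the CSL branch) aligns the branches and catches subdomains, at the cost of term matching also firing on hosts that merely contain the domain's terms in sequence — acceptable for a curated IOC list. The two `AzureDiagnostics` branches rely on fixed `parse msg_s with ...` templates; if the firewall log format shifts they return nothing without error, which is worth a one-line caveat in `"description"`.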
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ff44fc3f-4e22-4c9c-94d9-645c7644d2ca')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet DomainList = dynamic([\"tor2web.org\", \"tor2web.com\", \"torlink.co\", \"onion.to\", \"onion.ink\", \"onion.cab\", \"onion.nu\", \"onion.link\", \n\"onion.it\", \"onion.city\", \"onion.direct\", \"onion.top\", \"onion.casa\", \"onion.plus\", \"onion.rip\", \"onion.dog\", \"tor2web.fi\", \n\"tor2web.blutmagie.de\", \"onion.sh\", \"onion.lu\", \"onion.pet\", \"t2w.pw\", \"tor2web.ae.org\", \"tor2web.io\", \"tor2web.xyz\", \"onion.lt\", \n\"s1.tor-gateways.de\", \"s2.tor-gateways.de\", \"s3.tor-gateways.de\", \"s4.tor-gateways.de\", \"s5.tor-gateways.de\", \"hiddenservice.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = 
extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == \"200\"\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Squid proxy events for ToR proxies", + "enabled": false, + "description": "Check for Squid proxy events associated with common ToR proxies. This query presumes the default squid log format is being used.\nhttp://www.squid-cache.org/Doc/config/access_log/", + "alertRuleTemplateName": "90d3f6ec-80fb-48e0-9937-2c70c9df9bad" + } + } + ] +} \ No newline at end of file From 505d91de5b3dbd8cdb77e1c8d7cf0771280a35f8 Mon Sep 17 00:00:00 2001 
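Review bot: `AccountCustomEntity = User` takes the rfc931/ident field of Squid's native log line, which in the default format is `-` when the proxy performs no authentication, so every alert will carry a literal `-` Account entity that clutters entity pages and grouping. Suggest `AccountCustomEntity = iff(User == "-", "", User)`, since an empty value should yield no entity. The `User` and `RemotePort` regexes also only recognise `CONNECT ` and `GET `, so for POST or other methods those fields are empty even though `Domain`/`URL` still match; widening the alternation to `([A-Z]+ )` keeps the extraction consistent with the generic `URL` pattern used two lines above.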
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:51 +0000 Subject: [PATCH 300/375] Exported file: Squid proxy events related to mining pools.json.json --- ... proxy events related to mining pools.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json diff --git a/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json new file mode 100644 index 00000000..bc4e34de --- /dev/null +++ b/SentinelExported-AnalyticsRule/Squid proxy events related to mining pools.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e9a6f1b-a40e-4ffa-974d-3ab5d675c531')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet DomainList = dynamic([\"monerohash.com\", \"do-dear.com\", \"xmrminerpro.com\", \"secumine.net\", \"xmrpool.com\", \"minexmr.org\", \"hashanywhere.com\", \"xmrget.com\", \n\"mininglottery.eu\", \"minergate.com\", \"moriaxmr.com\", \"multipooler.com\", \"moneropools.com\", \"xmrpool.eu\", \"coolmining.club\", \"supportxmr.com\",\n\"minexmr.com\", \"hashvault.pro\", \"xmrpool.net\", \"crypto-pool.fr\", \"xmr.pt\", \"miner.rocks\", \"walpool.com\", \"herominers.com\", \"gntl.co.uk\", \"semipool.com\", \n\"coinfoundry.org\", \"cryptoknight.cc\", \"fairhash.org\", \"baikalmine.com\", \"tubepool.xyz\", \"fairpool.xyz\", \"asiapool.io\", \"coinpoolit.webhop.me\", \"nanopool.org\", \n\"moneropool.com\", \"miner.center\", \"prohash.net\", \"poolto.be\", \"cryptoescrow.eu\", \"monerominers.net\", \"cryptonotepool.org\", \"extrmepool.org\", \"webcoin.me\", \n\"kippo.eu\", \"hashinvest.ws\", \"monero.farm\", \"supportxmr.com\", \"xmrpool.eu\", \"linux-repository-updates.com\", \"1gh.com\", \"dwarfpool.com\", \"hash-to-coins.com\", \n\"hashvault.pro\", \"pool-proxy.com\", \"hashfor.cash\", \"fairpool.cloud\", \"litecoinpool.org\", \"mineshaft.ml\", 
\"abcxyz.stream\", \"moneropool.ru\", \"cryptonotepool.org.uk\",\n\"extremepool.org\", \"extremehash.com\", \"hashinvest.net\", \"unipool.pro\", \"crypto-pools.org\", \"monero.net\", \"backup-pool.com\", \"mooo.com\", \"freeyy.me\", \"cryptonight.net\",\n\"shscrypto.net\"]);\nSyslog\n| where ProcessName contains \"squid\"\n| extend URL = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :]*)\",3,SyslogMessage), \n SourceIP = extract(\"([0-9]+ )(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3}))\",2,SyslogMessage), \n Status = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))\",1,SyslogMessage), \n HTTP_Status_Code = extract(\"(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})\",8,SyslogMessage),\n User = extract(\"(CONNECT |GET )([^ ]* )([^ ]+)\",3,SyslogMessage),\n RemotePort = extract(\"(CONNECT |GET )([^ ]*)(:)([0-9]*)\",4,SyslogMessage),\n Domain = extract(\"(([A-Z]+ [a-z]{4,5}:\\\\/\\\\/)|[A-Z]+ )([^ :\\\\/]*)\",3,SyslogMessage),\n Bytes = toint(extract(\"([A-Z]+\\\\/[0-9]{3} )([0-9]+)\",2,SyslogMessage)),\n contentType = extract(\"([a-z/]+$)\",1,SyslogMessage)\n| extend TLD = extract(\"\\\\.[a-z]*$\",0,Domain)\n| where HTTP_Status_Code == '200'\n| where Domain contains \".\"\n| where Domain has_any (DomainList)\n| extend timestamp = TimeGenerated, URLCustomEntity = URL, IPCustomEntity = SourceIP, AccountCustomEntity = User\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + 
"columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CommandAndControl" + ], + "techniques": null, + "displayName": "Squid proxy events related to mining pools", + "enabled": false, + "description": "Checks for Squid proxy events in Syslog associated with common mining pools .This query presumes the default Squid log format is being used. \n http://www.squid-cache.org/Doc/config/access_log/", + "alertRuleTemplateName": "80733eb7-35b2-45b6-b2b8-3c51df258206" + } + } + ] +} \ No newline at end of file From caa8204beff816c48c72b33580fab4b6930e1c74 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:52 +0000 Subject: [PATCH 301/375] Exported file: Starting or Stopping HealthService to Avoid Detection.json.json --- ...ping HealthService to Avoid Detection.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json diff --git a/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json new file mode 100644 index 00000000..6ff4834f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Starting or Stopping HealthService to Avoid Detection.json 
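Review bot: `DomainList` contains duplicates — `supportxmr.com`, `xmrpool.eu` and `hashvault.pro` each appear twice — which is harmless to `has_any` but suggests the list was merged without review; de-duplicate it so future additions are easier to audit. More importantly, `mooo.com` is (as far as I know) a shared FreeDNS parent domain with many unrelated subdomains, and `has_any` matches any `*.mooo.com` host, so that single entry can generate alerts unrelated to mining; either drop it or move it to an exact `in~` check on the specific pool hostname. `extrmepool.org` sits next to `extremepool.org` — confirm the former is an intentional entry rather than a typo before shipping.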
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bbcf3e06-84cb-4bb0-813b-f4f9ce090bab')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "SecurityEvent\n| where EventID == 4656\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion=array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value), TimeGenerated, TargetAccount, Computer, EventSourceName, Channel, Task, Level, EventID, Activity, TargetLogonId, SourceComputerId, EventOriginId, Type, _ResourceId, TenantId, SourceSystem, ManagementGroupName, IpAddress, Account)\n| extend ObjectServer = column_ifexists('ObjectServer', \"\"), ObjectType = column_ifexists('ObjectType', \"\"), ObjectName = column_ifexists('ObjectName', \"\")\n| where isnotempty(ObjectServer) and isnotempty(ObjectType) and isnotempty(ObjectName)\n| where ObjectServer =~ \"SC Manager\" and ObjectType =~ \"SERVICE OBJECT\" and ObjectName =~ \"HealthService\"\n// Comment out the join below if the SACL only audits users that are part of the Network logon users, i.e. 
with user/group target pointing to \"NU.\"\n| join kind=leftouter (\n SecurityEvent\n | where EventID == 4624\n) on TargetLogonId\n| project TimeGenerated, Computer, Account, TargetAccount, IpAddress,TargetLogonId, ObjectServer, ObjectType, ObjectName\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account, IPCustomEntity = IpAddress\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "Starting or Stopping HealthService to Avoid Detection", + "enabled": false, + "description": "This query detects events where an actor is stopping or starting HealthService to disable telemetry collection/detection from the agent.\n The query requires a SACL to audit for access request to the service.", + "alertRuleTemplateName": "2bc7b4ae-eeaa-4538-ba15-ef298ec1ffae" + } + } + ] +} \ No newline at end of file From 09e827f0660ae131da845cdbe70e172b5ad1594e Mon Sep 17 00:00:00 2001 
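Review bot: The `join kind=leftouter (SecurityEvent | where EventID == 4624) on TargetLogonId` matches logon IDs across every host in the workspace, but a logon ID is only unique within one machine (the SYSTEM session 0x3e7 is the same everywhere), so a single 4656 can fan out into one row per host that ever logged a 4624 with that ID; join on the host as well: `) on Computer, TargetLogonId`. As written the 4624 side is also discarded — the `project` keeps the left `IpAddress`, which a 4656 normally does not populate, so `IPCustomEntity` is effectively never set; if the intent is the logon's source address, carry the right side's `IpAddress1` through the projection instead. The comment about the `NU` SACL case should also say that removing the join leaves the `IPCustomEntity` mapping without a source.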
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:53 +0000 Subject: [PATCH 302/375] Exported file: Successful SSH brute force attack.json.json --- .../Successful SSH brute force attack.json | 104 ++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Successful SSH brute force attack.json diff --git a/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json new file mode 100644 index 00000000..f5336b5f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Successful SSH brute force attack.json 
@@ -0,0 +1,104 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a658bc2-1c28-40d4-be6d-fb228e071c1b')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "severity": "High", + "query": "Usage\r\n| extend User1 = \"Bob\"\r\n| extend User2 = \"Bill\"\r\n| extend Host1 = \"DC01\"\r\n| extend Host2 = \"Web-DMZ01\"\r\n| extend IP = \"185.32.177.53\"\r\n| take 1\r\n", + "suppressionDuration": "PT5H", + "suppressionEnabled": true, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": [], + "groupByCustomDetails": [] + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "Host1" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "Host2" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "User1" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "User2" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + 
"identifier": "Address", + "columnName": "IP" + } + ] + } + ], + "alertDetailsOverride": { + "alertDisplayNameFormat": null, + "alertDescriptionFormat": "Analysis of host data has detected a successful brute force attack. The IP {{IP}} was seen making multiple login attempts. This means that the host may be compromised and controlled by a malicious actor.", + "alertTacticsColumnName": null, + "alertSeverityColumnName": null + }, + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "Successful SSH brute force attack", + "enabled": true, + "description": "", + "alertRuleTemplateName": null + } + } + ] +} \ No newline at end of file From f9a3f6e1b33feefda90c5ff4d249091f561a8f1e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:54 +0000 Subject: [PATCH 303/375] Exported file: Successful logon from IP and failure from a different IP.json.json --- ...om IP and failure from a different IP.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json diff --git a/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json new file mode 100644 index 00000000..4b8645f3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Successful logon from IP and failure from a different IP.json 
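Review bot: This rule is a stub, not a detection: the query is `Usage | extend User1 = "Bob" ... | take 1`, which emits one synthetic row every 5 minutes regardless of any SSH activity, yet it is exported with `"enabled": true`, `"severity": "High"`, a 5-hour suppression and an `alertDescriptionFormat` asserting that `{{IP}}` compromised a host. Redeploying this template creates a recurring fake High incident with hard-coded Account, Host and public-IP entities that an analyst cannot distinguish from a real one. Either drop it from the exported set or ship it as `"enabled": false` with a `"description"` stating it is a demo/test rule and without the `alertDetailsOverride`; a real SSH brute-force rule would be driven from Syslog/auth data with a failure threshold, which nothing here does.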
@@ -0,0 +1,49 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22a677eb-9971-4b78-8082-0061d9a975fd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22a677eb-9971-4b78-8082-0061d9a975fd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet logonDiff = 10m;\nlet aadFunc = (tableName:string){\ntable(tableName) \n| where ResultType == \"0\" \n| where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress, AppDisplayName, SuccessIPBlock = strcat(split(IPAddress, \".\")[0], \".\", split(IPAddress, \".\")[1]), Type\n| join kind= inner (\n table(tableName)\n | where ResultType !in (\"0\", \"50140\") \n | where ResultDescription !~ \"Other\" \n | where AppDisplayName !in (\"Office 365 Exchange Online\", \"Skype for Business Online\")\n | project FailedLogonTime = TimeGenerated, UserPrincipalName, FailedIPAddress = IPAddress, AppDisplayName, ResultType, ResultDescription, Type\n) on UserPrincipalName, AppDisplayName \n| where SuccessLogonTime < FailedLogonTime and FailedLogonTime - SuccessLogonTime <= logonDiff and FailedIPAddress !startswith SuccessIPBlock\n| summarize FailedLogonTime = max(FailedLogonTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, SuccessIPAddress, AppDisplayName, FailedIPAddress, ResultType, ResultDescription, Type\n| 
extend timestamp = SuccessLogonTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "CredentialAccess", + "InitialAccess" + ], + "techniques": null, + "displayName": "Successful logon from IP and failure from a different IP", + "enabled": false, + "description": "Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.\nThis may indicate a malicious attempt at password guessing based on knowledge of the users account.", + "alertRuleTemplateName": "02ef8d7e-fc3a-4d86-a457-650fa571d8d2" + } + } + ] +} \ No newline at end of file From 38fdf397b875fc9ad2ba41b2f341f9460b5d96b0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:54 +0000 Subject: [PATCH 304/375] Exported file: Suspicious Resource deployment.json.json --- .../Suspicious Resource deployment.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious Resource deployment.json diff --git a/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json new file mode 100644 index 00000000..5f4e2cf8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious Resource deployment.json 
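Review bot: `SuccessIPBlock` is built as `strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1])` with no trailing dot and then tested with `FailedIPAddress !startswith SuccessIPBlock`, so a success from `10.1.x.x` suppresses failures from `10.10.x.x`, `10.11.x.x` and `10.100.x.x` — any address whose second octet merely starts with the same digits. Appending the separator fixes the prefix test: `SuccessIPBlock = strcat(split(IPAddress, ".")[0], ".", split(IPAddress, ".")[1], ".")`. The string approach also yields a meaningless block for IPv6 sign-ins (nothing to split on); `ipv4_is_in_range(FailedIPAddress, strcat(SuccessIPAddress, "/16"))` would be more honest, at the cost of dropping IPv6 pairs entirely. This rule additionally has no `entityMappings`, unlike the other rules in the set, so its incidents carry no Account or IP entities even though `UserPrincipalName`, `SuccessIPAddress` and `FailedIPAddress` are all projected.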
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2950dda7-bc3f-4e83-9528-80df8dbe1368')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2950dda7-bc3f-4e83-9528-80df8dbe1368')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet szOperationNames = dynamic([\"Microsoft.Compute/virtualMachines/write\", \"Microsoft.Resources/deployments/write\"]);\nlet starttime = 14d;\nlet endtime = 1d;\nlet RareCaller = AzureActivity\n| where TimeGenerated between (ago(starttime) .. 
ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| project ResourceGroup, Caller, OperationNameValue, CallerIpAddress\n| join kind=rightantisemi (\nAzureActivity\n| where TimeGenerated > ago(endtime)\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityStatusValue = makeset(ActivityStatusValue), OperationIds = makeset(OperationId), CallerIpAddress = makeset(CallerIpAddress) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n) on Caller, ResourceGroup \n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress);\nlet Counts = RareCaller | summarize ActivityCountByCaller = count() by Caller;\nRareCaller | join kind= inner (Counts) on Caller | project-away Caller1\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = tostring(CallerIpAddress)\n| sort by ActivityCountByCaller desc nulls last \n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "Suspicious Resource deployment", + "enabled": false, + "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.", + "alertRuleTemplateName": "9fb57e58-3ed8-4b89-afcf-c8e786508b1c" + } + } + ] +} \ No newline at end of file 
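Review bot: The query uses the legacy aliases `makeset` and `mvexpand`, while the other exported rules in this set use `mv-expand`; prefer the current `make_set(...)` and `mv-expand CallerIpAddress` spellings so the rule keeps parsing if the aliases are retired. The `rightantisemi` join makes every caller look "previously unseen" until the 14-day baseline (`"queryPeriod": "P14D"`, `starttime = 14d`) has filled, so a fresh workspace alerts on every deployment for two weeks; worth stating in `"description"`, e.g. `Expect elevated volume for the first 14 days after enabling while the caller baseline is established.` The baseline also keys on `Caller` plus `ResourceGroup`, so a known caller deploying into a new resource group alerts by design — say so in the description so analysts do not read it as a new identity.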
From 59260dd3ce1870fe6430b9a4d34b4e38dfd30998 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:55 +0000 Subject: [PATCH 305/375] Exported file: Suspicious Service Principal creation activity.json.json --- ...s Service Principal creation activity.json | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json diff --git a/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json new file mode 100644 index 00000000..dbc7eb1b --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious Service Principal creation activity.json 
@@ -0,0 +1,50 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b7e581ff-451f-4e85-97fd-f22c8be96580')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let timeframe = 60m;\nlet lookback = 10m;\nlet account_created =\nAuditLogs \n | where ActivityDisplayName == \"Add service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend creationTime = ActivityDateTime\n | extend userPrincipalName_creator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_creator = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_activity =\nAADServicePrincipalSignInLogs\n | extend Activities = pack(\"ActivityTime\", TimeGenerated ,\"IpAddress\", IPAddress, \"ResourceDisplayName\", ResourceDisplayName)\n | extend AppID = AppId\n | summarize make_list(Activities) by AppID;\nlet account_deleted =\nAuditLogs \n | where OperationName == \"Remove service principal\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend deletionTime = ActivityDateTime\n | extend userPrincipalName_deleter = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ipAddress_deleter = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress);\nlet account_credentials =\nAuditLogs\n | where OperationName contains \"Update application - Certificates and secrets management\"\n | where Result == \"success\"\n | extend AppID = tostring(AdditionalDetails[1].value)\n | extend credentialCreationTime = ActivityDateTime;\nlet roles_assigned =\nAuditLogs\n | where ActivityDisplayName == \"Add app role assignment to service principal\"\n | extend AppID = tostring(TargetResources[1].displayName)\n | extend AssignedRole = iff(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].displayName)==\"AppRole.Value\", tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))),\"\")\n | extend AssignedRoles = pack(\"Role\", AssignedRole)\n |summarize make_list(AssignedRoles) by AppID;\naccount_created \n | join kind= inner (account_activity) on AppID, AppID \n | join kind= inner (account_deleted) on AppID, AppID \n | join kind= inner (account_credentials) on AppID, AppID \n | join kind= inner (roles_assigned) on AppID, AppID\n | where deletionTime - creationTime < lookback\n | where tolong(deletionTime - creationTime) >= 0\n | where creationTime > ago(timeframe)\n | extend AliveTime = deletionTime - creationTime\n | project AADTenantId, AppID, creationTime, deletionTime, userPrincipalName_creator, userPrincipalName_deleter, ipAddress_creator, ipAddress_deleter, list_Activities , list_AssignedRoles, AliveTime\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "tactics": [
+ "CredentialAccess",
+ "PrivilegeEscalation",
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious Service Principal creation activity",
+ "enabled": false,
+ "description": "This alert will detect creation of an SPN, permissions granted, credentials cretaed, activity and deletion of the SPN in a time frame (default 10 minutes)",
+ "alertRuleTemplateName": "6852d9da-8015-4b95-8ecf-d9572ee0395d"
+ }
+ }
+ ]
+}
\ No newline at end of file
From cdf9467d037139a082ab1067951a325cb1715338 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:56 +0000 Subject: [PATCH 306/375] Exported file: Suspicious application consent for offline access.json.json --- ...pplication consent for offline access.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json new file mode 100644 index 00000000..7478c516 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent for offline access.json
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6dff9c6d-c191-4e5b-a308-a0906a23752d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"offline_access\" and ConsentFull contains \"Files.Read\" or ConsentFull contains \"Mail.Read\" or ConsentFull contains \"Notes.Read\" or ConsentFull contains \"ChannelMessage.Read\" or ConsentFull contains \"Chat.Read\" or ConsentFull contains \"TeamsActivity.Read\" or ConsentFull contains \"Group.Read\" or ConsentFull contains \"EWS.AccessAsUser.All\" or ConsentFull contains \"EAS.AccessAsUser.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend GrantUserAgent = tostring(iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\"))\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent for offline access",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth.\nOffline access will provide the Azure App with access to the listed resources without requiring two-factor authentication.\nConsent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "3533f74c-9207-4047-96e2-0eb9383be587"
+ }
+ }
+ ]
+}
\ No newline at end of file
From fce4177a17d13f93616dea0ee0c0742fcf1f99a7 Mon Sep 17 00:00:00 2001
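Review bot: The scope filter in the `query` string mixes `and` and `or` without parentheses — `ConsentFull contains "offline_access" and ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or ...` — and because `and` binds tighter, the `offline_access` requirement only covers the `Files.Read` branch; a consent containing `Mail.Read` alone passes, and only the earlier `TargetResources has "offline"` substring check keeps non-offline grants out. Grouping the alternatives, `| where ConsentFull contains "offline_access" and (ConsentFull contains "Files.Read" or ConsentFull contains "Mail.Read" or ... or ConsentFull contains "EAS.AccessAsUser.All")`, makes the rule match its description. The known-application allowlist is fetched at query time with `externaldata` from a raw GitHub URL, so the rule depends on that repository's content and on the fetch succeeding — an unreachable CSV fails the query and an edited one widens the allowlist; the two following hunks (O365 Attack Toolkit, PwnAuth) do the same, and a workspace-controlled watchlist or pinned copy would remove that dependency.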
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:57 +0000 Subject: [PATCH 307/375] Exported file: Suspicious application consent similar to O365 Attack Toolkit.json.json --- ...onsent similar to O365 Attack Toolkit.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json new file mode 100644 index 00000000..b43857d2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to O365 Attack Toolkit.json 
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8cfd3e23-2616-4c6f-b061-a8e47d0536bb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"mailboxsettings\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"contacts.read\" and ConsentFull contains \"user.read\" and ConsentFull contains \"mail.read\" and ConsentFull contains \"notes.read.all\" and ConsentFull contains \"mailboxsettings.readwrite\" and ConsentFull contains \"Files.ReadWrite.All\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", tostring(AdditionalDetails[0].value), \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to O365 Attack Toolkit",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit).\nThe default permissions/scope for the MDSec O365 Attack toolkit are contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, and files.readwrite.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "f948a32f-226c-4116-bddd-d95e91d97eb9"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 1abb58e2a99dbdc845294599ba8b94fc49a28466 Mon Sep 17 00:00:00 2001
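Review bot: The `description` repeats a clause — `especially as the knownApplications list is expanded, especially as the knownApplications list is expanded` — and should read `Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded.`. In the `query` string, `GrantUserAgent` is read from `AdditionalDetails[0]` by position, so the user agent is captured only when it happens to be the first entry; the same positional read is in the previous and next hunks. The scope checks rely on `contains` being case-insensitive (the list is lowercase while `Files.ReadWrite.All` is not), which holds in KQL but deserves a note in the query, `// contains is case-insensitive`, so a later edit to `contains_cs` or `has` does not silently break the match.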
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:57 +0000 Subject: [PATCH 308/375] Exported file: Suspicious application consent similar to PwnAuth.json.json --- ...pplication consent similar to PwnAuth.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json diff --git a/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json new file mode 100644 index 00000000..cd0527f3 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious application consent similar to PwnAuth.json 
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2636af24-3225-405a-aa4b-7b455f326445')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let detectionTime = 1d;\nlet joinLookback = 14d;\nAuditLogs\n| where TimeGenerated > ago(detectionTime)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Consent to application\"\n| where TargetResources has \"offline\"\n| extend AppDisplayName = TargetResources.[0].displayName\n| extend AppClientId = tolower(TargetResources.[0].id)\n| where AppClientId !in ((externaldata(knownAppClientId:string, knownAppDisplayName:string)[@\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.OAuth.KnownApplications.csv\"] with (format=\"csv\")))\n| extend ConsentFull = TargetResources[0].modifiedProperties[4].newValue\n| parse ConsentFull with * \"ConsentType: \" GrantConsentType \", Scope: \" GrantScope1 \"]\" *\n| where ConsentFull contains \"user.read\" and ConsentFull contains \"offline_access\" and ConsentFull contains \"mail.readwrite\" and ConsentFull contains \"mail.send\" and ConsentFull contains \"files.read.all\"\n| where GrantConsentType != \"AllPrincipals\" // NOTE: we are ignoring if OAuth application was granted to all users via an admin - but admin due diligence should be audited occasionally\n| extend GrantIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))\n| extend GrantInitiatedBy = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend GrantUserAgent = iff(AdditionalDetails[0].key =~ \"User-Agent\", AdditionalDetails[0].value, \"\")\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, GrantIpAddress, GrantUserAgent, AppClientId, OperationName, ConsentFull, CorrelationId\n| join kind = leftouter (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add service principal\"\n| extend AppClientId = tolower(TargetResources[0].id)\n| extend AppReplyURLs = iff(TargetResources[0].modifiedProperties[1].newValue has \"AddressType\", TargetResources[0].modifiedProperties[1].newValue, \"\")\n| distinct AppClientId, tostring(AppReplyURLs)\n)\non AppClientId\n| join kind = innerunique (AuditLogs\n| where TimeGenerated > ago(joinLookback)\n| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"ApplicationManagement\"\n| where OperationName =~ \"Add OAuth2PermissionGrant\" or OperationName =~ \"Add delegated permission grant\"\n| extend GrantAuthentication = tostring(TargetResources[0].displayName)\n| extend GrantOperation = OperationName\n| project GrantAuthentication, GrantOperation, CorrelationId\n) on CorrelationId\n| project TimeGenerated, GrantConsentType, GrantScope1, GrantInitiatedBy, AppDisplayName, AppReplyURLs, GrantIpAddress, GrantUserAgent, AppClientId, GrantAuthentication, OperationName, GrantOperation, CorrelationId, ConsentFull\n| extend timestamp = TimeGenerated, AccountCustomEntity = GrantInitiatedBy, IPCustomEntity = GrantIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "DefenseEvasion"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious application consent similar to PwnAuth",
+ "enabled": false,
+ "description": "This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth).\nThe default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all.\nConsent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.",
+ "alertRuleTemplateName": "39198934-62a0-4781-8416-a81265c03fd6"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 00365bfe782fdf6ac7d1efbe8741e764daba5817 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:58 +0000 Subject: [PATCH 309/375] Exported file: Suspicious granting of permissions to an account.json.json --- ...granting of permissions to an account.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json diff --git a/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json new file mode 100644 index 00000000..e8e3617d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious granting of permissions to an account.json 
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/59b0b0bc-b313-42b4-a3d9-7c5dc383b448')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet starttime = 14d;\nlet endtime = 1d;\n// The number of operations below which an IP address is considered an unusual source of role assignment operations\nlet alertOperationThreshold = 5;\nlet createRoleAssignmentActivity = AzureActivity\n| where OperationNameValue =~ \"microsoft.authorization/roleassignments/write\";\ncreateRoleAssignmentActivity \n| where TimeGenerated between (ago(starttime) .. ago(endtime))\n| summarize count() by CallerIpAddress, Caller\n| where count_ >= alertOperationThreshold\n| join kind = rightanti ( \ncreateRoleAssignmentActivity\n| where TimeGenerated > ago(endtime)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = make_set(TimeGenerated), ActivityStatusValue = make_set(ActivityStatusValue), \nOperationIds = make_set(OperationId), CorrelationId = make_set(CorrelationId), ActivityCountByCallerIPAddress = count() \nby ResourceId, CallerIpAddress, Caller, OperationNameValue, Resource, ResourceGroup\n) on CallerIpAddress, Caller\n| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious granting of permissions to an account",
+ "enabled": false,
+ "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.",
+ "alertRuleTemplateName": "b2c15736-b9eb-4dae-8b02-3016b6a45a32"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 596e1462558997e98f162752ced2ca5c3fd396e8 Mon Sep 17 00:00:00 2001
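Review bot: The `description` promises an alert when `a previously unseen source IP address is used`, but the baseline in the `query` string keeps only `CallerIpAddress, Caller` pairs with `count_ >= alertOperationThreshold` (5) over the prior 14 days, so a pair seen one to four times is reported as well; the description should say something like `alerts when a source IP address not seen, or seen fewer than alertOperationThreshold times, in the preceding baseline period is used`. Because the `rightanti` join discards the baseline count, the alert cannot distinguish a brand-new IP from a low-frequency one; carrying the count through (for example a `leftouter` join from the current-day activity to the baseline and an `isnull(count_)` check) would let analysts triage the two cases differently. `techniques` is left `null` here and in the neighbouring hunks; for role-assignment writes T1098 (Account Manipulation) would be a reasonable mapping.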
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:18:59 +0000 Subject: [PATCH 310/375] Exported file: Suspicious link sharing pattern.json.json --- .../Suspicious link sharing pattern.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json diff --git a/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json new file mode 100644 index 00000000..5cc525ae --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious link sharing pattern.json 
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dfbb9a20-254e-4c70-a302-0ba22da59117')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nlet threshold = 3; \nZoomLogs \n| where Event =~ \"chat_message.sent\" \n| extend Channel = tostring(parse_json(ChatEvents).Channel) \n| extend Message = tostring(parse_json(ChatEvents).Message) \n| where Message matches regex \"http(s?):\\\\/\\\\/\" \n| summarize Channels = makeset(Channel), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Message, User, UserId\n| extend ChannelCount = arraylength(Channels) \n| where ChannelCount > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious link sharing pattern",
+ "enabled": false,
+ "description": "Alerts in links that have been shared across multiple Zoom chat channels by the same user in a short space if time. \nAdjust the threshold figure to change the number of channels a message needs to be posted in before an alert is raised.",
+ "alertRuleTemplateName": "1218175f-c534-421c-8070-5dcaabf28067"
+ }
+ }
+ ]
+}
\ No newline at end of file
From cdb194cf186e8b845dfb292b9bca99a4fe01a576 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:00 +0000 Subject: [PATCH 311/375] Exported file: Suspicious number of resource creation or deployment activities.json.json --- ...rce creation or deployment activities.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json diff --git a/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json new file mode 100644 index 00000000..96915b2d --- /dev/null +++ b/SentinelExported-AnalyticsRule/Suspicious number of resource creation or deployment activities.json
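Review bot: The `description` has two typos — `Alerts in links` → `Alerts on links`, `short space if time` → `short space of time` — and its threshold sentence does not match the `query`, which uses `| where ChannelCount > threshold`, so with `threshold = 3` a message has to appear in four or more channels; either say `posted in more than threshold channels` or change the comparison to `>=`. Only `User` is mapped as an entity although `Message` (the shared link) and `UserId` are projected, so an analyst must open the query results to see the URL — a URL entity mapping or a custom detail would help triage. `matches regex "http(s?):\/\/"` is case-sensitive, so `HTTPS://` links are missed; a case-insensitive `Message contains "http://" or Message contains "https://"` check would cover them.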
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7791c2cc-28ac-4387-87e7-9ddda54c2543')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P7D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet szOperationNames = dynamic([\"microsoft.compute/virtualMachines/write\", \"microsoft.resources/deployments/write\"]);\nlet starttime = 7d;\nlet endtime = 1d;\nAzureActivity\n| where TimeGenerated between (startofday(ago(starttime)) .. startofday(ago(endtime)))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(7d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2\n| join kind=leftsemi (\n// Last day's activity is anomalous\nAzureActivity\n| where TimeGenerated >= startofday(ago(endtime))\n| where OperationNameValue in~ (szOperationNames)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatusValue = makelist(ActivityStatusValue), \nOperationIds = makelist(OperationId), CallerIpAddress = makelist(CallerIpAddress), CorrelationId = makelist(CorrelationId) \nby ResourceId, Caller, OperationNameValue, Resource, ResourceGroup\n| mvexpand CallerIpAddress\n| where isnotempty(CallerIpAddress)\n| make-series dResourceCount=dcount(ResourceId) default=0 on StartTimeUtc in range(startofday(ago(1d)), now(), 1d) \nby Caller, tostring(ActivityTimeStamp), tostring(ActivityStatusValue), tostring(OperationIds), tostring(CallerIpAddress), tostring(CorrelationId), ResourceId, OperationNameValue , Resource, ResourceGroup\n| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount)\n| where Slope > 0.2 \n) on Caller, CallerIpAddress \n| mvexpand todynamic(ActivityTimeStamp), todynamic(ActivityStatusValue), todynamic(OperationIds), todynamic(CorrelationId)\n| extend timestamp = ActivityTimeStamp, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Suspicious number of resource creation or deployment activities",
+ "enabled": false,
+ "description": "Indicates when an anomalous number of VM creations or deployment activities occur in Azure via the AzureActivity log.\nThe anomaly detection identifies activities that have occurred both since the start of the day 1 day ago and the start of the day 7 days ago.\nThe start of the day is considered 12am UTC time.",
+ "alertRuleTemplateName": "361dd1e3-1c11-491e-82a3-bb2e44ac36ba"
+ }
+ }
+ ]
+}
\ No newline at end of file
From da9609660637544aee0edcd39a824e1abcff424e Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:00 +0000
Subject: [PATCH 312/375] Exported file: TEARDROP memory-only dropper.json.json
---
 .../TEARDROP memory-only dropper.json | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
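Review bot: `queryPeriod` is `P7D`, but the query window opens at `startofday(ago(starttime))` with `starttime = 7d`, which reaches up to 24 hours earlier than the lookback the rule is granted, so the first daily bin of the `make-series` range can be partially empty and drag the fitted slope down; either raise `queryPeriod` to `P8D` or open the range at `ago(7d)`. The `range(startofday(ago(7d)), ...)` and `range(startofday(ago(1d)), ...)` calls repeat the window literals instead of using the `starttime`/`endtime` variables declared at the top, so the two places can drift apart on the next edit. Because `ResourceId` is also a key in the `by` clause of both `make-series` operators, `dcount(ResourceId)` can only be 0 or 1 per bin, which looks like it measures "days with activity per resource" rather than a count of resources created — worth confirming that is the intended signal. `makelist` and `mvexpand` are legacy spellings of `make_list` and `mv-expand`.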
diff --git a/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
new file mode 100644
index 00000000..846ccdaf
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TEARDROP memory-only dropper.json
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/460cbcbe-314d-4841-8398-6926043768b8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nDeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "FileHash",
+ "fieldMappings": [
+ {
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Execution",
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "TEARDROP memory-only dropper",
+ "enabled": false,
+ "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
+ "alertRuleTemplateName": "738702fd-0a66-42c7-8586-e30f0583f8fe"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 52aee58487a949772bb44429c84c02114273b69d Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:01 +0000
Subject: [PATCH 313/375] Exported file: THALLIUM domains included in DCU takedown.json.json
---
 ...LIUM domains included in DCU takedown.json | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
diff --git a/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
new file mode 100644
index 00000000..06378b01
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/THALLIUM domains included in DCU takedown.json
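Review bot: The FileHash entity mapping carries only `Value`; the query already computes `FileHashType = \"SHA1\"` but nothing maps it, so the mapping should also include `{ "identifier": "Algorithm", "columnName": "FileHashType" }` for the hash to resolve into a usable FileHash entity in the incident. Note also that `FileHashCustomEntity = InitiatingProcessSHA1` is the hash of the initiating `svchost.exe`, not of the blocked `NetSetupSvc.dll` named in the filter, so the incident's hash entity will point at a legitimate system binary; if the blocked file is what analysts should pivot on, the event's own `SHA1` column (where populated) is the better source — confirm against the DeviceEvents schema in use. `InitiatingProcessFileName contains "svchost.exe"` is a substring match; `=~ "svchost.exe"` expresses the exact, case-insensitive comparison that seems intended. The description's "Window's defender" should read "Windows Defender".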
@@ -0,0 +1,78 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7ee415a8-0c09-46a1-b75d-9223de562a12')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "let DomainNames = dynamic([\"seoulhobi.biz\", \"reader.cash\", \"pieceview.club\", \"app-wallet.com\", \"bigwnet.com\", \"bitwoll.com\", \"cexrout.com\", \"change-pw.com\", \"checkprofie.com\", \"cloudwebappservice.com\", \"ctquast.com\", \"dataviewering.com\", \"day-post.com\", \"dialy-post.com\", \"documentviewingcom.com\", \"dovvn-mail.com\", \"down-error.com\", \"drivecheckingcom.com\", \"drog-service.com\", \"encodingmail.com\", \"filinvestment.com\", \"foldershareing.com\", \"golangapis.com\", \"hotrnall.com\", \"lh-logins.com\", \"login-use.com\", \"mail-down.com\", \"matmiho.com\", \"mihomat.com\", \"natwpersonal-online.com\", \"nidlogin.com\", \"nid-login.com\", \"nidlogon.com\", \"pw-change.com\", \"rnaii.com\", \"rnailm.com\", \"sec-live.com\", \"secrityprocessing.com\", \"securitedmode.com\", \"securytingmail.com\", \"set-login.com\", \"usrchecking.com\", \"com-serviceround.info\", \"mai1.info\", \"reviewer.mobi\", \"files-download.net\", \"fixcool.net\", \"hanrnaii.net\", \"office356-us.org\", \"smtper.org\"]);\n(union isfuzzy=true\n(CommonSecurityLog \n| parse Message with * '(' DNSName ')' * \n| where isnotempty(FileHash)\n| where DNSName in~ (DomainNames)\n| extend Account = SourceUserID, Computer = DeviceName, IPAddress = SourceIP\n),\n(DnsEvents \n| extend DNSName = Name\n| where isnotempty(DNSName)\n| where DNSName has_any (DomainNames)\n| extend IPAddress = ClientIP\n),\n(imDns (domain_has_any=DomainNames)\n| extend DNSName = DnsQuery\n| extend IPAddress = SrcIpAddr\n),\n(VMConnection \n| parse RemoteDnsCanonicalNames with * '[\"' DNSName '\"]' *\n| where isnotempty(DNSName)\n| where DNSName in~ (DomainNames)\n| extend IPAddress = RemoteIp\n),\n(AzureDiagnostics\n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallDnsProxy\"\n| parse msg_s with \"DNS Request: \" ClientIP \":\" ClientPort \" - \" QueryID \" \" Request_Type \" \" Request_Class \" \" Request_Name \". \" Request_Protocol \" \" Request_Size \" \" EDNSO_DO \" \" EDNS0_Buffersize \" \" Responce_Code \" \" Responce_Flags \" \" Responce_Size \" \" Response_Duration\n| where Request_Name has_any (DomainNames) \n| extend DNSName = Request_Name\n| extend IPAddress = ClientIP \n),\n(AzureDiagnostics \n| where ResourceType == \"AZUREFIREWALLS\"\n| where Category == \"AzureFirewallApplicationRule\"\n| parse msg_s with Protocol 'request from ' SourceHost ':' SourcePort 'to ' DestinationHost ':' DestinationPort '. Action:' Action\n| where isnotempty(DestinationHost)\n| where DestinationHost has_any (DomainNames) \n| extend DNSName = DestinationHost \n| extend IPAddress = SourceHost \n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IPAddress \n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CommandAndControl",
+ "CredentialAccess"
+ ],
+ "techniques": null,
+ "displayName": "THALLIUM domains included in DCU takedown",
+ "enabled": false,
+ "description": "THALLIUM spearphishing and command and control domains included in December 2019 DCU/MSTIC takedown. \n Matches domain name IOCs related to the THALLIUM activity group with CommonSecurityLog, DnsEvents, VMConnection and SecurityEvents dataTypes.\n References: https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/ ",
+ "alertRuleTemplateName": "70b12a3b-4896-42cb-910c-5ffaf8d7987d"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 3f446e72ac450f6af0c280d52153c09039b31dff Mon Sep 17 00:00:00 2001
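Review bot: In the `CommonSecurityLog` branch, `| where isnotempty(FileHash)` runs before the domain check, which discards any proxy or firewall event that carries one of the domains but no file hash; that filter looks carried over from a hash-matching template and should be dropped, or replaced with `| where isnotempty(DNSName)` to match the other branches. The description says the rule matches against `SecurityEvents`, but the union actually reads CommonSecurityLog, DnsEvents, imDns, VMConnection and AzureDiagnostics, so the text should be corrected to that list. Only the CommonSecurityLog branch sets `Account` and `Computer`; under `isfuzzy=true` those entity columns are empty for every other branch, which is acceptable but worth stating in the description so analysts do not read a blank host as missing data. The domains date from the December 2019 takedown, so this is a retrospective IOC sweep rather than a live detection, and the description could say so.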
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:02 +0000
Subject: [PATCH 314/375] Exported file: TI map Domain entity to CommonSecurityLog.json.json
---
 ...ap Domain entity to CommonSecurityLog.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
new file mode 100644
index 00000000..9f942723
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to CommonSecurityLog.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a48aee53-b375-4d5c-b0e2-9d534f99bed8')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend DomainName = tolower(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to CommonSecurityLog",
+ "enabled": false,
+ "description": "Identifies a match in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "dd0a6029-ecef-4507-89c4-fc355ac52111"
+ }
+ }
+ ]
+}
\ No newline at end of file
From ff7917ad50d472c0cc9fd6e1535a09a3b5fbbc98 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:03 +0000
Subject: [PATCH 315/375] Exported file: TI map Domain entity to DnsEvent.json.json
---
 .../TI map Domain entity to DnsEvent.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
new file mode 100644
index 00000000..eeb3f542
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to DnsEvent.json
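Review bot: `| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue` de-duplicates a Domain-indicator match by `FileHashValue`, a column that plays no part in the domain join and is normally empty for domain indicators, so distinct matched domains for one indicator collapse into a single row; the Palo Alto variant of this rule later in the series groups `by IndicatorId, Domain`, and this line should do the same. The comment `//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions` has two typos and should read `//Extract domain from RequestURL, if not present extract it from AdditionalExtensions`. The description, "Identifies a match in CommonSecurityLog table from any Domain IOC from TI", does not mention that only `DeviceEventClassID == 'url'` events are considered or that the rule dedupes to one hit per indicator, both of which affect how analysts interpret a single incident.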
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a52b38c6-0473-4282-b1ac-a34022f46447')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.Name\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, Name\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, URLCustomEntity = Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to DnsEvent",
+ "enabled": false,
+ "description": "Identifies a match in DnsEvent table from any Domain IOC from TI",
+ "alertRuleTemplateName": "85aca4d1-5d15-4001-abd9-acb86ca1786a"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 86ee5fb8b68c25bd23db2f6917f88c987b7f334d Mon Sep 17 00:00:00 2001
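Review bot: The join `on $left.DomainName==$right.Name` compares case-sensitively and, unlike the CommonSecurityLog variant of this rule, neither side is lowercased, so an indicator stored as, for example, `Example.COM` never matches a DNS query for `example.com` even though DNS names are case-insensitive. Add `| extend DomainName = tolower(DomainName)` on the indicator side (the CommonSecurityLog variant already does this in its `list_tlds` block) and `| extend Name = tolower(Name)` on the DnsEvents side before the join; the `list_tlds` block here should lowercase as well so the `in~` check and the join agree. The comment `//Extract domain patterns from syslog message` was carried over from another template — DnsEvents already supplies `Name` — and should be removed or reworded to `//DnsEvents already provides the queried name in Name`.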
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:04 +0000
Subject: [PATCH 316/375] Exported file: TI map Domain entity to PaloAlto.json.json
---
 .../TI map Domain entity to PaloAlto.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
new file mode 100644
index 00000000..32541d26
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to PaloAlto.json
@@ -0,0 +1,77 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b52679aa-c825-444f-8dc3-2e679658b552')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation of extracted domains\nlet list_tlds = ThreatIntelligenceIndicator\n | where TimeGenerated > ago(ioc_lookBack)\n | where isnotempty(DomainName)\n | extend DomainName = tolower(DomainName)\n | extend parts = split(DomainName, '.')\n | extend tld = parts[(array_length(parts)-1)]\n | summarize count() by tostring(tld)\n | summarize make_list(tld);\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n | join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n | where DeviceVendor =~ 'Palo Alto Networks'\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Extract domain from RequestURL, if not present extarct it from AdditionalExtentions\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url) and AdditionalExtensions !startswith \"PanOS\", extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ \"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | extend Domain = trim(@\"\"\"\",tostring(parse_url(PA_Url).Host))\n | where isnotempty(Domain)\n | extend Domain = tolower(Domain)\n | extend parts = split(Domain, '.')\n //Split out the TLD for the purpose of checking if we have any TI indicators with this TLD to match on\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking TLD against TLDs from threat feed and drop domains where there is no chance of a match\n | where tld in~ (list_tlds)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n ) on $left.DomainName==$right.Domain\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, Domain\n | project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, PA_Url, Domain, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, \n DeviceAction, DestinationIP, DestinationPort, DeviceName, SourceIP, SourcePort, ApplicationProtocol, RequestMethod\n | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "TI map Domain entity to PaloAlto",
+ "enabled": false,
+ "description": "Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI",
+ "alertRuleTemplateName": "ec21493c-2684-4acd-9bc2-696dbad72426"
+ }
+ }
+ ]
+}
\ No newline at end of file
From d542cbdd70f008631448412520232335693c9951 Mon Sep 17 00:00:00 2001
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com>
Date: Sun, 26 Feb 2023 02:19:04 +0000
Subject: [PATCH 317/375] Exported file: TI map Domain entity to SecurityAlert.json.json
---
 ...TI map Domain entity to SecurityAlert.json | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
new file mode 100644
index 00000000..71a2d372
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/TI map Domain entity to SecurityAlert.json
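Review bot: This rule is the "TI map Domain entity to CommonSecurityLog" rule from the same series with `| where DeviceVendor =~ 'Palo Alto Networks'` added and the dedupe corrected to `by IndicatorId, Domain`; if both rules are enabled in one workspace, every Palo Alto URL event that matches an indicator produces two incidents. Keep one of the two, or state in this description which is meant to run alongside the generic rule. The same `//Extract domain from RequestURL, if not present extarct it from AdditionalExtentions` comment typos are present here as in the generic rule. The `project` list is broken across two query lines after `ConfidenceScore, ` with leading whitespace on the continuation, which is valid KQL but reads as an accidental line break and could be joined.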
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d12000f0-f1b6-4344-bb3c-a8988e77eb75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated > ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n //Extract domain patterns from message\n | extend domain = 
extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\", 1, tolower(Entities))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column extract hostname and IP address\n | extend EntityType = tostring(parse_json(EntitiesDynamicArray).Type), EntityAddress = tostring(EntitiesDynamicArray.Address), EntityHostName = tostring(EntitiesDynamicArray.HostName)\n | extend HostName = iif(EntityType == 'host', EntityHostName, '')\n | extend IP_addr = iif(EntityType == 'ip', EntityAddress, '')\n | extend Alert_TimeGenerated = TimeGenerated\n | extend Alert_Description = Description\n) on $left.DomainName==$right.domain\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, Alert_Description, ProviderName, AlertSeverity, ConfidenceLevel, HostName, IP_addr, Url\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = HostName, IPCustomEntity = IP_addr, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": 
"HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to SecurityAlert", + "enabled": false, + "description": "Identifies a match in SecurityAlert table from any Domain IOC from TI", + "alertRuleTemplateName": "87890d78-3e05-43ec-9ab9-ba32f4e01250" + } + } + ] +} \ No newline at end of file From 6324bac0a1e4d2ee9eabd5c3741f4d5f06bcd32c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:05 +0000 Subject: [PATCH 318/375] Exported file: TI map Domain entity to Syslog.json.json --- .../TI map Domain entity to Syslog.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json diff --git a/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json new file mode 100644 index 00000000..45bfae87 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Domain entity to Syslog.json 
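Review bot: In this rule's `query`, the `mv-expand EntitiesDynamicArray` fan-out is collapsed by `summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName`, and since every expanded row of one alert carries the same timestamp the surviving row is arbitrary, so `HostName`/`IP_addr` (and the Host and IP entity mappings built from them) will often be empty even when the alert did contain host or ip entities. Aggregating the per-entity columns explicitly avoids the tie-break, e.g. `| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *), HostName_agg = max(HostName), IP_agg = max(IP_addr) by IndicatorId, AlertName` and then projecting/mapping `HostName_agg`/`IP_agg` instead of `HostName`/`IP_addr` (string `max` picks the non-empty value over `''`). Separately, `extract(...)` on `tolower(Entities)` returns only the first domain-looking token, so an alert whose matching domain is not the first candidate is never compared against TI; `extract_all` followed by `mv-expand` would test every candidate. Both observations come from the query text alone — confirm against a live SecurityAlert sample before changing the rule.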
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75cbd5b7-4158-4e21-8ce3-8197e05caa7f')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n 
| extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.domain\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, domain\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Domain entity to Syslog", + "enabled": false, + "description": "Identifies a match in Syslog table from any Domain IOC from TI", + "alertRuleTemplateName": "532f62c1-fba6-4baa-bbb6-4a32a4ef32fa" + } + } + ] +} \ No newline at end of file From 4a31ea2444b1b7d907df0675b3c72cca10c2631f Mon Sep 17 00:00:00 2001 
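Review bot: The join in this `query` is case-sensitive and only one side is normalised: the Syslog side uses `extract(..., tolower(SyslogMessage))` while the TI side joins on `DomainName` as ingested, and KQL `==` in a join `on` clause is case-sensitive, so any indicator whose `DomainName` contains upper-case characters can never match. Add `| extend DomainName = tolower(DomainName)` right after `| where isnotempty(DomainName)` on the ThreatIntelligenceIndicator side (the `list_tlds` check already uses `in~`, so it is unaffected). Also note that `extract(...)` returns only the first domain-looking substring of `SyslogMessage`; a message that mentions several domains is only checked on the first one, and `extract_all` plus `mv-expand` would cover all of them at some query cost.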
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:06 +0000 Subject: [PATCH 319/375] Exported file: TI map Email entity to AzureActivity.json.json --- .../TI map Email entity to AzureActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json new file mode 100644 index 00000000..87307357 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to AzureActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/efea115d-c997-4be7-adcb-95afd6643a0a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/efea115d-c997-4be7-adcb-95afd6643a0a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Caller)\n | extend Caller = tolower(Caller)\n | where Caller matches regex emailregex\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.Caller\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, Caller\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, 
EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Caller, Level, CallerIpAddress, CategoryValue, OperationNameValue, ActivityStatusValue, \nResourceGroup, SubscriptionId\n| extend timestamp = AzureActivity_TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to AzureActivity", + "enabled": false, + "description": "Identifies a match in AzureActivity table from any Email IOC from TI", + "alertRuleTemplateName": "cca3b4d9-ac39-4109-8b93-65bb284003e6" + } + } + ] +} \ No newline at end of file From 31aba985b3dbbadc49ea427870eb508ca54483cd Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:07 +0000 Subject: [PATCH 320/375] Exported file: TI map Email entity to CommonSecurityLog.json.json --- ...map Email entity to CommonSecurityLog.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json 
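Review bot: The `query` lowercases `Caller` before the join but compares it with `EmailSenderAddress` as stored, and join equality is case-sensitive, so a TI indicator with mixed-case characters in `EmailSenderAddress` silently never matches. Add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)` so both join keys are normalised the same way. It may also be worth stating in `description` that a hit here means the caller identity of an Azure operation *is* the indicator value (an email-sender IOC matched against `Caller`), which is a different signal from the mail-flow matches the other "TI map Email" rules produce.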
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json new file mode 100644 index 00000000..dd6cb3d2 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to CommonSecurityLog.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/149a0db6-2ad7-4e69-bf36-0c4f62873101')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/149a0db6-2ad7-4e69-bf36-0c4f62873101')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\" and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex emailregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where 
CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, DestinationUserID\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, EmailSenderName, EmailRecipient, \nEmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction, SourceIP, SourcePort, \nDestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityLog_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to CommonSecurityLog", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI", + "alertRuleTemplateName": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63" + } + } + ] +} \ No newline at end of file From 83c62a078698a4fc011115b25ceddfcaebbc0ae0 Mon Sep 17 00:00:00 2001 
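Review bot: The `description` overstates the coverage: the `query` only considers rows where `DeviceVendor == "Palo Alto Networks" and DeviceEventClassID == "wildfire" and ApplicationProtocol in ("smtp","pop3")`, so `"Identifies a match in CommonSecurityLog table from any Email IOC from TI"` should read something like `"Identifies a match in CommonSecurityLog (Palo Alto WildFire smtp/pop3 events, DestinationUserID) from any Email IOC from TI"` so operators do not assume other CEF sources are covered. The `in ("smtp","pop3")` filter is case-sensitive; if a device emits `SMTP`, `in~` would be the safer form. As in the sibling rules, only the log side is lowercased — add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the TI side so the case-sensitive join key is normalised on both sides.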
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:07 +0000 Subject: [PATCH 321/375] Exported file: TI map Email entity to OfficeActivity.json.json --- ...TI map Email entity to OfficeActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json new file mode 100644 index 00000000..1f3aee6d --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to OfficeActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/da88214f-a4b3-48fc-b8c3-fa71bb3ef678')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserId)\n | where UserId matches regex emailregex\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.UserId\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, UserId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, 
EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, UserId, ClientIP, Operation, UserType, RecordType, OfficeWorkload, Parameters\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to OfficeActivity", + "enabled": false, + "description": "Identifies a match in OfficeActivity table from any Email IOC from TI", + "alertRuleTemplateName": "4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2" + } + } + ] +} \ No newline at end of file From 7eb8cf157ed782c3cef4d02de3e8ca41fa8c0df1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:08 +0000 Subject: [PATCH 322/375] Exported file: TI map Email entity to SecurityAlert.json.json --- .../TI map Email entity to SecurityAlert.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json 
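Review bot: Unlike the other "TI map Email" rules in this series, this `query` never lowercases the log-side key — `UserId` goes straight from `isnotempty(UserId)` and the regex filter into `on $left.EmailSenderAddress == $right.UserId` — and since join equality is case-sensitive, any UPN recorded with upper-case characters will not match an indicator stored in lower case. Add `| extend UserId = tolower(UserId)` before `| where UserId matches regex emailregex`, and `| extend EmailSenderAddress = tolower(EmailSenderAddress)` on the TI side, so both keys are normalised. One hedged caveat on the IP mapping: if `ClientIP` values in your tenant carry a port suffix or bracketed IPv6 form (verify against OfficeActivity data), `IPCustomEntity = ClientIP` will not resolve cleanly to an IP entity.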
diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json new file mode 100644 index 00000000..e93dc3e4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityAlert.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/789aca0f-8766-49a2-84b7-1d68e2db7652')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/789aca0f-8766-49a2-84b7-1d68e2db7652')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert \n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Converting Entities into dynamic data type and use mv-expand to unpack the array\n | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray\n // Parsing relevant entity column to filter type account and creating new column by combining account and UPNSuffix\n | extend Entitytype = 
tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),\n EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)\n | where Entitytype =~ \"account\"\n | extend EntityEmail = tolower(strcat(EntityName, \"@\", EntityUPNSuffix))\n | where EntityEmail matches regex emailregex\n | extend Alert_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.EntityEmail\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, \nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, EntityEmail, AlertName, AlertType,\nAlertSeverity, Entities, ProviderName, VendorName\n| extend timestamp = Alert_TimeGenerated, AccountCustomEntity = EntityEmail, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to SecurityAlert", + "enabled": false, + "description": "Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others", + 
"alertRuleTemplateName": "a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc" + } + } + ] +} \ No newline at end of file From 67700acbaed5d6d992d6d460cadd6b2bdda8b6b8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:09 +0000 Subject: [PATCH 323/375] Exported file: TI map Email entity to SecurityEvent.json.json --- .../TI map Email entity to SecurityEvent.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json new file mode 100644 index 00000000..9040d0eb --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SecurityEvent.json 
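Review bot: The self-exclusion in this `query`, `AlertName has "TI map" and VendorName == "Microsoft" and ProductName == 'Azure Sentinel'`, depends on the exact product string; if alerts in your workspace are now stamped with `ProductName` "Microsoft Sentinel" (check a recent SecurityAlert row — I cannot confirm it from this file), the exclusion stops working and this rule's own alerts, which share the "TI map" prefix, become join candidates and re-alert on entities that were already alerted on. A tolerant form is `| where not(AlertName has "TI map" and VendorName == "Microsoft" and ProductName in ("Azure Sentinel", "Microsoft Sentinel"))`. The join key is also only normalised on one side — `EntityEmail` is built with `tolower(...)` but `EmailSenderAddress` is not — so add `| extend EmailSenderAddress = tolower(EmailSenderAddress)` after `| where isnotempty(EmailSenderAddress)`.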
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/481c342f-c33a-455b-82d5-2205b068f5d0')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/481c342f-c33a-455b-82d5-2205b068f5d0')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack) and isnotempty(TargetUserName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend TargetUserName = tolower(TargetUserName)\n // renaming timestamp column so it is clear the log this came from SecurityEvent table\n | extend SecurityEvent_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.TargetUserName\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = 
arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, TargetUserName\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, Computer, EventID, TargetUserName, Activity, IpAddress, AccountType,\nLogonTypeName, LogonProcessName, Status, SubStatus\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = TargetUserName, IPCustomEntity = IpAddress, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map Email entity to SecurityEvent", + "enabled": false, + "description": "Identifies a match in SecurityEvent table from any Email IOC from TI", + "alertRuleTemplateName": "2fc5d810-c9cc-491a-b564-841427ae0e50" + } + } + ] +} \ No newline at end of file From bd3c8de7d77a375aaabde437bd22e19b5beb9f0b Mon Sep 17 00:00:00 2001 
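Review bot: `let emailregex = @'^[a-zA-Z0-9_.+-]+@...$';` is declared in this `query` but never used — every sibling "TI map Email" rule applies `| where <key> matches regex emailregex` as a pre-filter, while here the SecurityEvent side goes from `tolower(TargetUserName)` straight to the join. Either add `| where TargetUserName matches regex emailregex` after the `tolower` line (consistent with the series and a cheap way to drop sAMAccountName-style values that can never equal an email indicator) or remove the dead `let`. As elsewhere in the series, lowercase the TI side too (`| extend EmailSenderAddress = tolower(EmailSenderAddress)`) because the join equality is case-sensitive. Whether `TargetUserName` carries UPN-style values at all depends on the logon type and on what the source emits, so expect this rule to match only UPN logons — verify against your SecurityEvent data.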
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:10 +0000 Subject: [PATCH 324/375] Exported file: TI map Email entity to SigninLogs.json.json --- .../TI map Email entity to SigninLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json new file mode 100644 index 00000000..90b58046 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map Email entity to SigninLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/204119a5-daf5-4bfb-a565-a6bbf5dec2ad')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(UserPrincipalName)\n //Normalizing the column to lower case for exact match with EmailSenderAddress column\n | extend UserPrincipalName = tolower(UserPrincipalName)\n | where UserPrincipalName matches regex emailregex\n | extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n | extend State = 
tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming timestamp column so it is clear the log this came from SigninLogs table\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.EmailSenderAddress == $right.UserPrincipalName\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, UserPrincipalName\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, FileHashType, IPAddress, UserPrincipalName, AppDisplayName,\nStatusCode, StatusDetails, NetworkIP, NetworkDestinationIP, NetworkSourceIP, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, 
+ "displayName": "TI map Email entity to SigninLogs", + "enabled": false, + "description": "Identifies a match in SigninLogs table from any Email IOC from TI", + "alertRuleTemplateName": "30fa312c-31eb-43d8-b0cc-bcbdfb360822" + } + } + ] +} \ No newline at end of file From f77850e210f4480ee939f61a0414b6fa97b406d7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:11 +0000 Subject: [PATCH 325/375] Exported file: TI map File Hash to CommonSecurityLog Event.json.json --- ... File Hash to CommonSecurityLog Event.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json new file mode 100644 index 00000000..87ccc2ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map File Hash to CommonSecurityLog Event.json 
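Review bot: `| extend Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)` inside the aadFunc subquery parses the wrong column: the very next line reads `Status.errorCode` and `Status.additionalDetails`, which are properties of the SigninLogs `Status` column, not of DeviceDetail (device id, OS, browser, trust type), so StatusCode and StatusDetails come out empty and the real Status column is clobbered by device data. Change it to `| extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)`; the todynamic() should stay because the same function is also applied to AADNonInteractiveUserSignInLogs, where these columns are, I believe, stored as strings. Separately, the rule is exported with `"enabled": false`, so it must be switched on after import before any of this fires.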
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e9f798a0-8821-4cde-9667-21d84cc45915')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e9f798a0-8821-4cde-9667-21d84cc45915')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet fileHashIndicators = ThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue);\n// Handle matches against both lower case and uppercase versions of the hash:\n(fileHashIndicators | extend FileHashValue = tolower(FileHashValue)\n| union (fileHashIndicators | extend FileHashValue = toupper(FileHashValue)))\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(FileHash)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\non $left.FileHashValue == $right.FileHash\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, FileHashValue\n| project CommonSecurityLog_TimeGenerated, 
Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nSourceIP, SourcePort, DestinationIP, DestinationPort, SourceUserID, SourceUserName, DeviceName, DeviceAction,\nRequestURL, DestinationUserName, DestinationUserID, ApplicationProtocol, Activity\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, AccountCustomEntity = SourceUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map File Hash to CommonSecurityLog Event", + "enabled": false, + "description": "Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI", + "alertRuleTemplateName": "5d33fc63-b83b-4913-b95e-94d13f0d379f" + } + } + ] +} \ No newline at end of file From 7434380cc0594c53fb83bcdf9d0b066a79ed4528 Mon Sep 17 00:00:00 2001 
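Review bot: The matched hash is dropped from the alert output: the final `project` list (`SourceIP, SourcePort, … ApplicationProtocol, Activity`) omits FileHashValue and FileHashType even though FileHashValue is a summarize key, and entityMappings has no FileHash entry, so an analyst sees a TI hit against CommonSecurityLog but not which hash matched. Add `FileHashValue, FileHashType` to the project line and map them as a FileHash entity next to the existing Account/Host/IP/URL mappings (FileHashType values from the feed may need normalising to the entity's Algorithm enum, e.g. "SHA-256" vs "SHA256" — confirm against the TI data). The lower/upper union also only covers hashes that are entirely one case; applying `tolower()` to FileHashValue on the indicator side and to FileHash in the CommonSecurityLog subquery before the join is simpler and covers mixed-case values.

```json
{
  "entityType": "FileHash",
  "fieldMappings": [
    { "identifier": "Algorithm", "columnName": "FileHashType" },
    { "identifier": "Value", "columnName": "FileHashValue" }
  ]
}
```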
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:11 +0000 Subject: [PATCH 326/375] Exported file: TI map File Hash to Security Event.json.json --- .../TI map File Hash to Security Event.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json diff --git a/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json new file mode 100644 index 00000000..ea816559 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map File Hash to Security Event.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/689e109d-46e0-4f54-b0b4-1377167cd660')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/689e109d-46e0-4f54-b0b4-1377167cd660')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(FileHashValue)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityEvent | where TimeGenerated >= ago(dt_lookBack)\n | where EventID in (\"8003\",\"8002\",\"8005\")\n | where isnotempty(FileHash)\n | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID\n)\non $left.FileHashValue == $right.FileHash\n| where SecurityEvent_TimeGenerated < ExpirationDateTime\n| summarize SecurityEvent_TimeGenerated = arg_max(SecurityEvent_TimeGenerated, *) by IndicatorId, FileHash\n| project SecurityEvent_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nProcess, FileHash, Computer, Account, Event\n| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, 
HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map File Hash to Security Event", + "enabled": false, + "description": "Identifies a match in Security Event data from any File Hash IOC from TI", + "alertRuleTemplateName": "a7427ed7-04b4-4e3b-b323-08b981b9b4bf" + } + } + ] +} \ No newline at end of file From 71357dd2f15a8646aeecff9492f148f569411d09 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:12 +0000 Subject: [PATCH 327/375] Exported file: TI map IP entity to AWSCloudTrail.json.json --- .../TI map IP entity to AWSCloudTrail.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json new file mode 100644 index 00000000..fb100404 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AWSCloudTrail.json 
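Review bot: The join `on $left.FileHashValue == $right.FileHash` is a case-sensitive equality with no normalisation on either side, unlike the CommonSecurityLog file-hash rule in this same series, which unions lower- and upper-cased copies of the indicator precisely because hash casing differs between feeds and log sources. If the hash in SecurityEvent.FileHash is logged in a different case from what the TI feed supplies, every match is silently missed. Normalise both sides instead: add `| extend FileHashValue = tolower(FileHashValue)` after the `isnotempty(FileHashValue)` filter and `| extend FileHash = tolower(FileHash)` in the SecurityEvent subquery. The `EventID in ("8003","8002","8005")` filter appears to select AppLocker allowed/audited events only; whether blocked executions should also match a TI hash is a scope decision that deserves a sentence in the rule description.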
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/32d3c923-7729-41bc-8b18-790e97726d79')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/32d3c923-7729-41bc-8b18-790e97726d79')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AWSCloudTrail | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AWSCloudTrail_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SourceIpAddress\n| where AWSCloudTrail_TimeGenerated < ExpirationDateTime\n| summarize AWSCloudTrail_TimeGenerated = arg_max(AWSCloudTrail_TimeGenerated, *) by IndicatorId, SourceIpAddress\n| project AWSCloudTrail_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserIdentityUserName, SourceIpAddress,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AWSCloudTrail_TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AWSCloudTrail", + "enabled": false, + "description": "Identifies a match in AWSCloudTrail from any IP IOC from TI", + "alertRuleTemplateName": "f110287e-1358-490d-8147-ed804b328514" + } + } + ] +} \ No newline at end of file 
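Review bot: `AccountCustomEntity = UserIdentityUserName` in the last extend is the only account identifier mapped, and for CloudTrail events from assumed-role, federated or root sessions that field is commonly empty (the ARN is the stable identity) — confirm against the ingested data, but if so, a TI match from such a session yields an incident with an IP entity and no account. Consider `AccountCustomEntity = coalesce(UserIdentityUserName, UserIdentityArn)` if UserIdentityArn is present in the AWSCloudTrail schema, and project it alongside UserIdentityPrincipalid so the analyst can see who acted. The join subquery also has no `isnotempty(SourceIpAddress)` filter, unlike the AppServiceHTTPLogs rule's `isnotempty(CIp)`; not a correctness issue since TI_ipEntity is never empty, but it keeps the join input small.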
From 2be75bb51369792f053f23d337aa97122c81a742 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:13 +0000 Subject: [PATCH 328/375] Exported file: TI map IP entity to AppServiceHTTPLogs.json.json --- ...I map IP entity to AppServiceHTTPLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json new file mode 100644 index 00000000..1ecbb4dc --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AppServiceHTTPLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c3d7a74-362a-4a6e-836a-279bc1fd8813')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AppServiceHTTPLogs | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(CIp)\n | extend WebApp = split(_ResourceId, '/')[8]\n // renaming time column so it is clear the log this came from\n | extend AppService_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CIp\n| where AppService_TimeGenerated < ExpirationDateTime\n| summarize AppService_TimeGenerated = arg_max(AppService_TimeGenerated, *) by IndicatorId, CIp\n| project AppService_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CsUsername, \nWebApp = split(_ResourceId, '/')[8], CIp, CsHost, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, _ResourceId\n| extend timestamp = AppService_TimeGenerated, AccountCustomEntity = CsUsername, IPCustomEntity = CIp, URLCustomEntity = CsHost\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AppServiceHTTPLogs", + "enabled": false, + "description": "Identifies a match in AppServiceHTTPLogs from any IP IOC from TI", + "alertRuleTemplateName": "f9949656-473f-4503-bf43-a9d9890f7d08" + } + } + ] +} \ No newline at end of file 
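Review bot: `URLCustomEntity = CsHost` in the final extend maps the request's Host header, a bare hostname, onto the URL entity, and in doing so drops the TI `Url` field that every other rule in this series maps there. A hostname is not a URL, so the entity either fails validation or appears as a malformed URL node in the investigation graph. Either keep `URLCustomEntity = Url` for consistency with the sibling rules, or build a real request URL from the log, e.g. `strcat(CsHost, CsUriStem)` if CsUriStem is present in the AppServiceHTTPLogs schema — confirm before relying on it. Minor: `WebApp = split(_ResourceId, '/')[8]` is computed in the join subquery and then recomputed in the `project`; the second occurrence can simply be `WebApp`.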
From e65cb3b31ecb0bf07d8dd46b1fdb3fc87191c580 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:14 +0000 Subject: [PATCH 329/375] Exported file: TI map IP entity to Azure Key Vault logs.json.json --- ...map IP entity to Azure Key Vault logs.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json new file mode 100644 index 00000000..30687ab8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure Key Vault logs.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34be0f95-d845-4501-a64f-3f272d3e7d52')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34be0f95-d845-4501-a64f-3f272d3e7d52')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where ResourceType =~ \"VAULTS\"\n | where TimeGenerated >= ago(dt_lookBack)\n | extend KeyVaultEvents_TimeGenerated = TimeGenerated, ClientIP = CallerIPAddress\n)\non $left.TI_ipEntity == $right.ClientIP\n| where KeyVaultEvents_TimeGenerated < ExpirationDateTime\n| summarize KeyVaultEvents_TimeGenerated = 
arg_max(KeyVaultEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project KeyVaultEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, ResourceId, SubscriptionId, OperationName, ResultType, CorrelationId, id_s, clientInfo_s, httpStatusCode_d, identity_claim_appid_g, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\n| extend timestamp = KeyVaultEvents_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Azure Key Vault logs", + "enabled": false, + "description": "Identifies a match in Azure Key Vault logsfrom any IP IOC from TI", + "alertRuleTemplateName": "57c7e832-64eb-411f-8928-4133f01f4a25" + } + } + ] +} \ No newline at end of file From d4eae2dde061ace274e2a1c3d9ac41d7dc134391 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:14 +0000 Subject: [PATCH 330/375] Exported file: TI map IP entity to Azure SQL Security Audit Events.json.json --- ...ty to Azure SQL Security Audit Events.json | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json new file mode 100644 index 00000000..c6db79c8 --- /dev/null 
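Review bot: The indicator pre-filter at the top of the query is missing the `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` step that every other TI-map rule in this series applies before `| where Active == true`. Without it, all revisions of an indicator from the last 14 days are joined, so an indicator that was later revoked (newest row Active == false) still fires from its older Active == true rows, and one hit can be emitted once per revision. Insert `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` between the `ExpirationDateTime > now()` filter and `| where Active == true`. Note also that the query ends with only `| extend timestamp = …` and the resource has no entityMappings, so incidents carry no IP entity; adding `IPCustomEntity = ClientIP` and an IP `Address` mapping would match the sibling rules (the description's "logsfrom" typo could be fixed at the same time).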
+++ b/SentinelExported-AnalyticsRule/TI map IP entity to Azure SQL Security Audit Events.json 
@@ -0,0 +1,48 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ab212c5e-07ce-439e-a2d3-cba34ff1cc1d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() \n| where Active == true\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where ResourceProvider == 'MICROSOFT.SQL'\n | where Category == 'SQLSecurityAuditEvents'\n | extend SQLSecurityAuditEvents_TimeGenerated = TimeGenerated\n // projecting fields with column if exists as this is in AzureDiag and if the event is not in the table, then queries will fail 
due to event specific schemas\n | extend ClientIP = column_ifexists(\"client_ip_s\", \"Not Available\"), Action = column_ifexists(\"action_name_s\", \"Not Available\"), \n Application = column_ifexists(\"application_name_s\", \"Not Available\"), HostName = column_ifexists(\"host_name_s\", \"Not Available\")\n)\non $left.TI_ipEntity == $right.ClientIP\n| where SQLSecurityAuditEvents_TimeGenerated < ExpirationDateTime\n| summarize SQLSecurityAuditEvents_TimeGenerated = arg_max(SQLSecurityAuditEvents_TimeGenerated, *) by IndicatorId, ClientIP\n| project SQLSecurityAuditEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ResourceId, ClientIP, Action, Application, HostName, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = SQLSecurityAuditEvents_TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Azure SQL Security Audit Events", + "enabled": false, + "description": "Identifies a match in SQLSecurityAuditEvents from any IP IOC from TI", + "alertRuleTemplateName": "d0aa8969-1bbe-4da3-9e76-09e5f67c9d85" + } + } + ] +} \ No newline at end of file From 2bf86738a857fea51ba1d42ed4d5ae747bdcf9ad Mon Sep 17 00:00:00 2001 
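Review bot: This rule produces incidents with no entities: the query's last line is only `| extend timestamp = SQLSecurityAuditEvents_TimeGenerated` and the resource has no `entityMappings` property, whereas the other TI-map rules in this series map at least an IP entity. Without one, the matched ClientIP is not linked in the investigation graph and entity-based incident grouping cannot apply. Add `, IPCustomEntity = ClientIP` to that extend and an entityMappings array with an IP `Address` → IPCustomEntity mapping; HostName should not be mapped as-is, because the `column_ifexists(…, "Not Available")` default would create a bogus host entity. The hunk also lacks the `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` dedup the other rules place before `| where Active == true`, so a revoked indicator with an older Active row still matches.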
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:15 +0000 Subject: [PATCH 331/375] Exported file: TI map IP entity to AzureActivity.json.json --- .../TI map IP entity to AzureActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json new file mode 100644 index 00000000..3cc5e808 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureActivity.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/49325680-a0e6-4b0d-b9ea-cc4991de4c73')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.CallerIpAddress\n| where AzureActivity_TimeGenerated < ExpirationDateTime\n| summarize AzureActivity_TimeGenerated = arg_max(AzureActivity_TimeGenerated, *) by IndicatorId, CallerIpAddress\n| project AzureActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CallerIpAddress, \nCaller, OperationNameValue, ActivityStatusValue, CategoryValue, ResourceId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureActivity_TimeGenerated, IPCustomEntity = CallerIpAddress, AccountCustomEntity = Caller, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AzureActivity", + "enabled": false, + "description": "Identifies a match in AzureActivity from any IP IOC from TI", + "alertRuleTemplateName": "2441bce9-02e4-407b-8cc7-7d597f38b8b0" + } + } + ] +} \ No newline at end of file 
From 3a52e861b7b5fb452c5e6634d78c0883d02cd9f1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:16 +0000 Subject: [PATCH 332/375] Exported file: TI map IP entity to AzureFirewall.json.json --- .../TI map IP entity to AzureFirewall.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json new file mode 100644 index 00000000..d28e4d71 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureFirewall.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7ae3efb-a5d4-4c77-a61f-a7a618c9a16d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureDiagnostics\n | where TimeGenerated >= ago(dt_lookBack)\n | where OperationName in (\"AzureFirewallApplicationRuleLog\", \"AzureFirewallNetworkRuleLog\")\n | parse kind=regex flags=U msg_s with Protocol 'request from ' SourceHost 'to ' DestinationHost @'\\.? Action: ' Action @'\\.' Rest_msg\n | extend SourceAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, SourceHost)\n | extend DestinationAddress = extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, DestinationHost)\n | extend RemoteIP = case(not(ipv4_is_private(DestinationAddress)), DestinationAddress, not(ipv4_is_private(SourceAddress)), SourceAddress, \"\")\n // Traffic that involves a public address, and in case this is the source address then the traffic was not denied\n | where isnotempty(RemoteIP)\n | project-rename AzureFirewall_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where AzureFirewall_TimeGenerated < ExpirationDateTime\n| summarize AzureFirewall_TimeGenerated = arg_max(AzureFirewall_TimeGenerated, *) by IndicatorId, RemoteIP\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, AzureFirewall_TimeGenerated,\nTI_ipEntity, Resource, Category, msg_s, SourceAddress, DestinationAddress, Action, Protocol, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureFirewall_TimeGenerated, IPCustomEntity = TI_ipEntity, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + 
"entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to AzureFirewall", + "enabled": false, + "description": "Identifies a match in AzureFirewall (NetworkRule & ApplicationRule Logs) from any IP IOC from TI", + "alertRuleTemplateName": "0b904747-1336-4363-8d84-df2710bfe5e7" + } + } + ] +} \ No newline at end of file From 0d27158f1e0ce1d4c23e28dbd8f0fdc39d6f1cdb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:17 +0000 Subject: [PATCH 333/375] Exported file: TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json.json --- ...reNetworkAnalytics_CL (NSG Flow Logs).json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json new file mode 100644 index 00000000..aa067349 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs).json 
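Review bot: The RemoteIP derivation in the inner AzureDiagnostics subquery is IPv4-only: `extract(@'([\\.0-9]+)(:[\\.0-9]+)?', 1, ...)` captures only dotted-decimal text, so an IPv6 address in msg_s yields a fragment that `ipv4_is_private` cannot classify and the row is then dropped by `where isnotempty(RemoteIP)`, while the TI prologue still admits IPv6 indicators. That gap should be stated in the query so whoever tunes it does not assume IPv6 coverage, e.g. `// IPv4 only: IPv6 addresses in msg_s never produce a RemoteIP and are dropped`. Also, unlike the NSG flow-log rule in this series, no filter on the parsed `Action` is applied, so denied as well as allowed traffic raises an alert; if that is intended, a one-line comment such as `// Denied traffic is kept on purpose: a blocked connection to an IOC still flags the source host` would save the next reviewer the question.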
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5fa2554b-b319-4605-ad60-92601ac5d7ba')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5fa2554b-b319-4605-ad60-92601ac5d7ba')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
AzureNetworkAnalytics_CL\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend AzureNetworkAnalytics_CL_TimeGenerated = TimeGenerated\n // NSG Flow Logs have additional information concat with Public IP, removing onlp Public IP\n | extend PIPs = split(PublicIPs_s, '|', 0)\n | extend PIP = tostring(PIPs[0])\n)\non $left.TI_ipEntity == $right.PIP\n| where AzureNetworkAnalytics_CL_TimeGenerated < ExpirationDateTime\n| summarize AzureNetworkAnalytics_CL_TimeGenerated = arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP\n// Set to alert on Allowed NSG Flows from TI Public IP IOC\n| where FlowStatus_s == \"A\"\n| project AzureNetworkAnalytics_CL_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, FlowDirection_s, FlowStatus_s, FlowType_s, SrcPublicIPs_s, DestPublicIPs_s, PublicIPs_s, L7Protocol_s, DestPort_d, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = AzureNetworkAnalytics_CL_TimeGenerated, IPCustomEntity = TI_ipEntity, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], 
+ "techniques": null, + "displayName": "TI map IP entity to AzureNetworkAnalytics_CL (NSG Flow Logs)", + "enabled": false, + "description": "Identifies a match in AzureNetworkAnalytics_CL (NSG Flow Logs) from any IP IOC from TI that was Allowed", + "alertRuleTemplateName": "a4025a76-6490-4e6b-bb69-d02be4b03f07" + } + } + ] +} \ No newline at end of file From f23073addb0b5edc9d99f9e2d4c7dc26e5b52524 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:17 +0000 Subject: [PATCH 334/375] Exported file: TI map IP entity to DnsEvents.json.json --- .../TI map IP entity to DnsEvents.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json new file mode 100644 index 00000000..867984dc --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to DnsEvents.json 
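Review bot: The `| where FlowStatus_s == "A"` filter is applied after `summarize ... arg_max(AzureNetworkAnalytics_CL_TimeGenerated, *) by IndicatorId, PIP`, so when the most recent flow for an indicator/IP pair was denied the whole pair is discarded even though an allowed flow may have occurred earlier in the window, which contradicts the description "that was Allowed". Moving that `where` into the inner subquery, directly after `| where TimeGenerated >= ago(dt_lookBack)`, makes the arg_max select the latest allowed flow instead. Separately, `split(PublicIPs_s, '|', 0)` followed by `PIPs[0]` keeps only the first entry; if a single PublicIPs_s value can list several addresses, later ones are never matched — the column format is not visible here, so confirm before relying on that.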
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/58d21291-77aa-4e73-9603-1cefbe80b39c')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/58d21291-77aa-4e73-9603-1cefbe80b39c')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated < ExpirationDateTime\n| summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated , *) by IndicatorId, SingleIP\n| project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to DnsEvents", + "enabled": false, + "description": "Identifies a match in DnsEvents from any IP IOC from TI", + "alertRuleTemplateName": "69b7723c-2889-469f-8b55-a2d355ed9c87" + } + } + ] +} \ No newline at end of file 
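Review bot: The expanded `SingleIP` values are compared with `TI_ipEntity` by exact equality with no trimming, so if `IPAddresses` separates entries with a comma followed by a space rather than a bare comma, every address after the first carries a leading space and can never match; `| extend SingleIP = trim(@'\s+', tostring(SingleIP))` is a cheap guard either way (the column's separator format is not visible in this hunk, so verify against real data). It is also worth a comment that the IP entity is deliberately the querying `ClientIP` rather than the matched address, since the other rules in this series map the matched IP: `// IP entity is the client that resolved the IOC; the IOC address itself is in SingleIP / TI_ipEntity`.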
From 2f8c96d97827df62623fad8c1c1dfcea57e1340e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:18 +0000 Subject: [PATCH 335/375] Exported file: TI map IP entity to Duo Security.json.json --- .../TI map IP entity to Duo Security.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json new file mode 100644 index 00000000..83f1a1ee --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to Duo Security.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eba9eb63-e5e8-4617-87f7-492aedad803a')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eba9eb63-e5e8-4617-87f7-492aedad803a')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DuoSecurityAuthentication_CL\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(access_device_ip_s)\n // renaming time column so it is clear the log this came from\n | extend Duo_TimeGenerated = isotimestamp_t\n)\non $left.TI_ipEntity == 
$right.access_device_ip_s\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, Duo_TimeGenerated,\nTI_ipEntity, user_name_s, factor_s, result_s, application_name_s, event_type_s, txid_g, user_key_s, access_device_ip_s, access_device_location_city_s, access_device_location_state_s, access_device_location_country_s\n| extend timestamp = Duo_TimeGenerated, IPCustomEntity = access_device_ip_s, AccountCustomEntity = user_name_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to Duo Security", + "enabled": false, + "description": "Identifies a match in DuoSecurity from any IP IOC from TI", + "alertRuleTemplateName": "d23ed927-5be3-4902-a9c1-85f841eb4fa1" + } + } + ] +} \ No newline at end of file From a6782cdf83a77cec55ce44478f25c95026a311ee Mon Sep 17 00:00:00 2001 
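Review bot: The TI side is not de-duplicated before the join and the match is not bounded by indicator expiry: the sibling rules in this series run `| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` before `| where Active == true` and `| where <log>_TimeGenerated < ExpirationDateTime` after the join, and both are missing here, so repeated indicator records fan out the join. Because the post-join `summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId` groups by indicator alone, one IOC hitting several Duo users collapses to a single row carrying whichever user happened to be on the latest indicator record; grouping `by IndicatorId, user_name_s` keeps one row per affected account, which is what the Account entity mapping needs. The bare `| join (` also differs from the siblings' explicit `| join kind=innerunique (`; behaviour is the same by default, but the explicit form documents the intent.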
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:19 +0000 Subject: [PATCH 336/375] Exported file: TI map IP entity to GitHub_CL.json.json --- .../TI map IP entity to GitHub_CL.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json new file mode 100644 index 00000000..09aeb7aa --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to GitHub_CL.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/049d9663-9edb-4269-8bfa-340896d5cfe4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/049d9663-9edb-4269-8bfa-340896d5cfe4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nThreatIntelligenceIndicator\n| where Action == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n GitHubAudit\n | extend GitHubAudit_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.IPaddress\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = 
GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to GitHub_CL", + "enabled": false, + "description": "Identifies a match in GitHub_CL table from any IP IOC from TI", + "alertRuleTemplateName": "aac495a9-feb1-446d-b08e-a1164a539452" + } + } + ] +} \ No newline at end of file From 38df039b3dd82e2688999bc9c3f6226c17ef0d57 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:20 +0000 Subject: [PATCH 337/375] Exported file: TI map IP entity to OfficeActivity.json.json --- .../TI map IP entity to OfficeActivity.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json new file mode 100644 index 00000000..78721a0a --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to OfficeActivity.json 
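Review bot: `| where Action == true` in the TI prologue does not match the other rules in this series, which filter on `| where Active == true`; `Action` is a different ThreatIntelligenceIndicator column from `Active`, so comparing it with a boolean will not select active indicators and the rule is unlikely ever to fire. The prologue also lacks the expiry guard `ExpirationDateTime > now()` and the per-IndicatorId `summarize ... arg_max(TimeGenerated, *)` the siblings apply, and the GitHubAudit side has no `TimeGenerated >= ago(...)` bound, so with queryPeriod P1D the same match can be re-raised on every hourly run for a full day. Finally, displayName and description refer to `GitHub_CL` while the query reads `GitHubAudit`; one of them should be corrected so the rule name reflects the table actually queried.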
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bedfc0cf-b75b-4574-9de6-1b38a51fc987')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to OfficeActivity", + "enabled": false, + "description": "Identifies a match in OfficeActivity from any IP IOC from TI", + "alertRuleTemplateName": "f15370f4-c6fa-42c5-9be4-1d308f40284e" + } + } + ] +} \ No newline at end of file From 93abd365dd66280259cf1abd8e599fd36849faf0 Mon Sep 17 00:00:00 2001 
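Review bot: The join matches `TI_ipEntity` against `ClientIP` by exact string equality, and OfficeActivity's `ClientIP` may carry extra formatting for some record types (a port suffix or bracketed IPv6), in which case those events never match an indicator; this is not verifiable from the hunk, so confirm against ingested data before changing the join key. If it does occur, a comment such as `// ClientIP is matched verbatim; records that include a port suffix will not match` at the inner subquery makes the limitation explicit, and a normalisation step before the join would close it.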
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:21 +0000 Subject: [PATCH 338/375] Exported file: TI map IP entity to SigninLogs.json.json --- .../TI map IP entity to SigninLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json new file mode 100644 index 00000000..d42c80cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to SigninLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ccf4287-558c-445f-9331-ebb58c2be800')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ccf4287-558c-445f-9331-ebb58c2be800')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be 
investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, URLCustomEntity = Url\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + 
"identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to SigninLogs", + "enabled": false, + "description": "Identifies a match in SigninLogs from any IP IOC from TI", + "alertRuleTemplateName": "f2eb15bd-8a88-4b24-9281-e133edfba315" + } + } + ] +} \ No newline at end of file From 43e6721197f7e709d54a44a27834dbf3a0b14d87 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:22 +0000 Subject: [PATCH 339/375] Exported file: TI map IP entity to VMConnection.json.json --- .../TI map IP entity to VMConnection.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json new file mode 100644 index 00000000..6144c2fa --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to VMConnection.json 
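Review bot: The `extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type` line inside the joined subquery is a no-op for `Type`, and after the join the projected `Type` column presumably resolves to the ThreatIntelligenceIndicator side (a right-side column with a colliding name gets the `1` suffix), so the table name that would tell a SigninLogs hit apart from an AADNonInteractiveUserSignInLogs hit in the final union is lost. Rename it the same way the timestamp is renamed, `| extend SigninLogs_TimeGenerated = TimeGenerated, SigninLogs_Type = Type`, and project `SigninLogs_Type` in place of `Type`. Note also that this rule, like the other TI map rules in this series, is exported with `"enabled": false`, so the mapping produces nothing until it is switched on in the target workspace.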
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0a9646c6-c11c-4190-83be-ff0440581ebd')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0a9646c6-c11c-4190-83be-ff0440581ebd')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
VMConnection\n | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend VMConnection_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIp\n| where VMConnection_TimeGenerated < ExpirationDateTime\n| summarize VMConnection_TimeGenerated = arg_max(VMConnection_TimeGenerated, *) by IndicatorId, RemoteIp\n| project VMConnection_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, Direction, ProcessName, SourceIp, DestinationIp, RemoteIp, Protocol, DestinationPort, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = VMConnection_TimeGenerated, IPCustomEntity = RemoteIp, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to VMConnection", + "enabled": false, + "description": "Identifies a match in VMConnection from any IP IOC from TI", + "alertRuleTemplateName": "9713e3c0-1410-468d-b79e-383448434b2d" + } + } + ] +} \ No newline at end of file From 4764ffa5b7978a62112331f671c8d5fd0d26d4e5 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:22 +0000 Subject: [PATCH 340/375] Exported file: TI map IP entity to W3CIISLog.json.json --- .../TI map IP entity to W3CIISLog.json | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json new file mode 100644 index 00000000..2d186704 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to W3CIISLog.json 
@@ -0,0 +1,86 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/324b11f6-6382-45b4-934b-3f60ff4457a3')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/324b11f6-6382-45b4-934b-3f60ff4457a3')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
W3CIISLog\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(cIP)\n // renaming time column so it is clear the log this came from\n | extend W3CIISLog_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.cIP\n| where W3CIISLog_TimeGenerated < ExpirationDateTime\n| summarize W3CIISLog_TimeGenerated = arg_max(W3CIISLog_TimeGenerated, *) by IndicatorId, cIP\n| project W3CIISLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, sSiteName, cIP, sIP, sPort, csMethod, csUserName, scStatus, scSubStatus, scWin32Status,\nNetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = W3CIISLog_TimeGenerated, IPCustomEntity = cIP, HostCustomEntity = Computer, AccountCustomEntity = csUserName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to W3CIISLog", + "enabled": false, + "description": "Identifies a match in W3CIISLog from any IP IOC from TI", + "alertRuleTemplateName": 
"5e45930c-09b1-4430-b2d1-cc75ada0dc0f" + } + } + ] +} \ No newline at end of file From bc0cbc35ed3125dc0fbd26deb268d451dde2b57e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:23 +0000 Subject: [PATCH 341/375] Exported file: TI map IP entity to WireData.json.json --- .../TI map IP entity to WireData.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map IP entity to WireData.json diff --git a/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json new file mode 100644 index 00000000..a8cbfc13 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map IP entity to WireData.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e6cbbe1-93ba-45ab-8731-82d2802a60df')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n 
WireData | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(RemoteIP)\n // renaming time column so it is clear the log this came from\n | extend WireData_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.RemoteIP\n| where WireData_TimeGenerated < ExpirationDateTime\n| summarize WireData_TimeGenerated = arg_max(WireData_TimeGenerated, *) by IndicatorId, RemoteIP\n| project WireData_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, Computer, LocalIP, RemoteIP, ProcessName, ApplicationProtocol, LocalPortNumber, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = WireData_TimeGenerated, IPCustomEntity = RemoteIP, HostCustomEntity = Computer, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map IP entity to WireData", + "enabled": false, + "description": "Identifies a match in WireData from any IP IOC from TI", + "alertRuleTemplateName": "a50766a7-0674-4ccb-8845-15dc55a80ba1" + } + } + ] +} \ No newline at end of file From cb7ffb1604a92bce518f6b3795f93e2c70d34f89 Mon Sep 17 00:00:00 2001 
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:24 +0000 Subject: [PATCH 342/375] Exported file: TI map URL entity to AuditLogs.json.json --- .../TI map URL entity to AuditLogs.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json new file mode 100644 index 00000000..0db2b994 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to AuditLogs.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/929e1a28-c623-44b1-a8ef-7a1739b9bba1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n AuditLogs\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract the URL that is contained within the JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,tostring(TargetResources))\n | where isnotempty(Url)\n | extend userPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend TargetResourceDisplayName = tostring(TargetResources[0].displayName)\n | extend Audit_TimeGenerated = TimeGenerated\n) on Url\n| where Audit_TimeGenerated < ExpirationDateTime\n| summarize Audit_TimeGenerated = arg_max(Audit_TimeGenerated, 
*) by IndicatorId, Url\n| project Audit_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore,\nOperationName, Identity, userPrincipalName, TargetResourceDisplayName, Url\n| extend timestamp = Audit_TimeGenerated, AccountCustomEntity = userPrincipalName, HostCustomEntity = TargetResourceDisplayName, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to AuditLogs", + "enabled": false, + "description": "Identifies a match in AuditLogs from any URL IOC from TI", + "alertRuleTemplateName": "712fab52-2a7d-401e-a08c-ff939cc7c25e" + } + } + ] +} \ No newline at end of file From 5e75df0152b24b5ef3a839956841a5d5603f3bc1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:25 +0000 Subject: [PATCH 343/375] Exported file: TI map URL entity to OfficeActivity data.json.json --- ...map URL entity to OfficeActivity data.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json 
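Review bot: The character class `[$-_@.&+]` in the extract() regex on the `extend Url =` line is a range from `$` to `_`, which also admits `;`, `<`, `>`, `=`, `?`, `[`, `\`, `]` and `^`; it reads as if the author meant the three literals `$`, `-` and `_`. If the range is intended (it is what lets `?` and `=` in query strings match), spell the wanted characters out explicitly; if not, move the hyphen to the end of the class, `[$_@.&+-]`. The same pattern appears in the OfficeActivity URL rule and the SecurityAlert URL rule later in this series. Separately, `HostCustomEntity = TargetResourceDisplayName` maps an AuditLogs target resource (presumably a directory object such as a user, group or application) onto a Host entity, which will be treated as a machine by incident grouping; confirm that entity type is intended.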
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json new file mode 100644 index 00000000..03f38954 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to OfficeActivity data.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3df1a9a5-9ba0-4dde-96a2-1cb0c3041d75')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n //Extract the Url from a number of potential fields\n | extend Url = iif(OfficeWorkload == \"AzureActiveDirectory\",extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);\", 1,ModifiedProperties),tostring(parse_json(ModifiedProperties)[12].NewValue))\n | where isnotempty(Url)\n // Ensure we get a clean URL\n | extend Url = tostring(split(Url, ';')[0])\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n // Project a single user identity that we can use for entity mapping\n | extend User = iif(isnotempty(UserId), UserId, 
iif(isnotempty(Actor), tostring(parse_json(Actor)[0].ID), tostring(parse_json(Parameters)[0].Vlaue))) \n) on Url\n| where OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId, Url\n| project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Operation, \nUserType, OfficeWorkload, Parameters, Url, User\n| extend timestamp = OfficeActivity_TimeGenerated, AccountCustomEntity = User, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to OfficeActivity data", + "enabled": false, + "description": "Identifies a match in OfficeActivity data from any URL IOC from TI", + "alertRuleTemplateName": "36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b" + } + } + ] +} \ No newline at end of file From 1293a2d00487e70064260adab6b90bc8d803baf6 Mon Sep 17 00:00:00 2001 
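Review bot: `tostring(parse_json(Parameters)[0].Vlaue)` in the last fallback of the `extend User =` expression misspells the property name, so for events with neither UserId nor Actor the User column, and therefore AccountCustomEntity, is always empty; it should presumably read `tostring(parse_json(Parameters)[0].Value)`. The preceding `parse_json(ModifiedProperties)[12].NewValue` depends on a fixed array position for non-AzureActiveDirectory workloads, which silently breaks if the property order changes; selecting the element by its `Name` would be more robust, though I cannot confirm the payload schema from here. A one-line comment naming which workload and property index 12 is expected to hold would help the next maintainer.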
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:25 +0000 Subject: [PATCH 344/375] Exported file: TI map URL entity to PaloAlto data.json.json --- .../TI map URL entity to PaloAlto data.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json new file mode 100644 index 00000000..c1250d23 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to PaloAlto data.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/be59c13c-c811-4444-9a72-b69c713672b1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/be59c13c-c811-4444-9a72-b69c713672b1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n CommonSecurityLog\n | extend IngestionTime = ingestion_time()\n | where IngestionTime > ago(dt_lookBack)\n // Select on Palo Alto logs\n | where DeviceVendor =~ \"Palo Alto Networks\"\n | where DeviceEventClassID =~ 'url'\n //Uncomment the line below to only alert on allowed connections\n //| where DeviceAction !~ \"block-url\"\n //Select logs where URL data is populated\n | extend PA_Url = columnifexists(\"RequestURL\", \"None\")\n | extend PA_Url = iif(isempty(PA_Url), extract(\"([^\\\"]+)\", 1, tolower(AdditionalExtensions)), trim('\"', PA_Url))\n | extend PA_Url = iif(PA_Url !startswith \"http://\" and ApplicationProtocol !~ 
\"ssl\", strcat('http://', PA_Url), iif(PA_Url !startswith \"https://\" and ApplicationProtocol =~ \"ssl\", strcat('https://', PA_Url), PA_Url))\n | where isnotempty(PA_Url)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n) on $left.Url == $right.PA_Url\n| where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, PA_Url\n| project CommonSecurityLog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DeviceAction, SourceIP, PA_Url, DeviceName\n| extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName, URLCustomEntity = PA_Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to PaloAlto data", + "enabled": false, + "description": "Identifies a match in PaloAlto data from any URL IOC from TI", + "alertRuleTemplateName": "106813db-679e-4382-a51b-1bfc463befc3" + } + } + ] +} \ No newline at end of file From fbba3b81a1da1f2bd0addbc5766f65bac6cf0d19 Mon Sep 17 00:00:00 2001 
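Review bot: `columnifexists("RequestURL", "None")` defaults to the non-empty string `"None"` when the column is absent, so the `isempty(PA_Url)` check on the following line never falls through to the AdditionalExtensions extraction and the row continues as `http://None`, passing the later `isnotempty(PA_Url)` filter; the default should be the empty string, `| extend PA_Url = columnifexists("RequestURL", "")`. The scheme-prefix line also double-prefixes a value that already starts with `https://` when ApplicationProtocol is not ssl, because `PA_Url !startswith "http://"` is true for it; check for either scheme first: `| extend PA_Url = iif(PA_Url startswith "http://" or PA_Url startswith "https://", PA_Url, iif(ApplicationProtocol =~ "ssl", strcat("https://", PA_Url), strcat("http://", PA_Url)))`. The lookback filter uses `ingestion_time()` while the expiration comparison and the rule's queryPeriod are on TimeGenerated, which looks deliberate for late-arriving CEF data but deserves a comment in the query saying so.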
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:26 +0000 Subject: [PATCH 345/375] Exported file: TI map URL entity to SecurityAlert data.json.json --- ... map URL entity to SecurityAlert data.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json new file mode 100644 index 00000000..1349ea09 --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to SecurityAlert data.json 
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e857375b-b96a-4757-a5a6-c0ed478ee5de')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e857375b-b96a-4757-a5a6-c0ed478ee5de')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n SecurityAlert\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MSTI = case(AlertName has \"TI map\" and VendorName == \"Microsoft\" and ProductName == 'Azure Sentinel', true, false)\n | where MSTI == false\n // Extract URL from JSON data\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,Entities)\n // We only want alerts that actually contain URL data\n | where isnotempty(Url)\n // Extract hostname from JSON data for entity mapping\n | extend Compromised_Host = tostring(parse_json(ExtendedProperties).[\"Compromised Host\"])\n | extend Alert_TimeGenerated = 
TimeGenerated\n) on Url\n| where Alert_TimeGenerated < ExpirationDateTime\n| summarize Alert_TimeGenerated = arg_max(Alert_TimeGenerated, *) by IndicatorId, AlertName\n| project Alert_TimeGenerated, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, AlertName, AlertSeverity, Description, Url, Compromised_Host\n| extend timestamp = Alert_TimeGenerated, HostCustomEntity = Compromised_Host, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to SecurityAlert data", + "enabled": false, + "description": "Identifies a match in SecurityAlert data from any URL IOC from TI", + "alertRuleTemplateName": "f30a47c1-65fb-42b1-a7f4-00941c12550b" + } + } + ] +} \ No newline at end of file From e836df733a5a245d2b7d312eb5199138184bedfb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:27 +0000 Subject: [PATCH 346/375] Exported file: TI map URL entity to Syslog data.json.json --- .../TI map URL entity to Syslog data.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json 
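Review bot: The URL pattern in the inner `extend Url = extract(...)` step treats `[$-_@.&+]` as a character range from `$` to `_`, which admits `;`, `<`, `>`, `'`, `\`, `[` and `]` into the capture, and since `)` `,` and `.` fall in that range too, the exact-match `join ... on Url` misses any indicator URL that the source text follows with punctuation or a closing bracket. Moving the hyphen to the end of the class (`[$_@.&+-]`) fixes the range, and trimming trailing punctuation before the join, e.g. `| extend Url = trim_end(@'[.,;)>]+', Url)`, recovers the common cases. Only the first URL in `Entities` is captured (group 1 of the first match), so an alert carrying several URL entities is compared on one of them; `parse_json(Entities)` plus `mv-expand` would cover all of them. The same pattern and exact join appear in the Syslog hunk below (`TI map URL entity to Syslog data.json`). The self-exclusion test `ProductName == 'Azure Sentinel'` is worth confirming against the value your SecurityAlert rows carry today, since a mismatch lets Sentinel's own TI-map alerts feed back into this rule.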
diff --git a/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json new file mode 100644 index 00000000..1d5cd75b --- /dev/null +++ b/SentinelExported-AnalyticsRule/TI map URL entity to Syslog data.json 
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/80491722-4553-4683-a9a0-8f14ea6dfe08')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/80491722-4553-4683-a9a0-8f14ea6dfe08')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(Url)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n Syslog\n | where TimeGenerated >= ago(dt_lookBack)\n // Extract URL from the Syslog message but only take messages that include URLs\n | extend Url = extract(\"(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\\\(\\\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)\", 1,SyslogMessage)\n | where isnotempty(Url)\n | extend Syslog_TimeGenerated = TimeGenerated\n) on Url\n| where Syslog_TimeGenerated < ExpirationDateTime\n| summarize Syslog_TimeGenerated = arg_max(Syslog_TimeGenerated , *) by IndicatorId, Url\n| project Syslog_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SyslogMessage, 
Computer, ProcessName, Url, HostIP\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": null, + "displayName": "TI map URL entity to Syslog data", + "enabled": false, + "description": "Identifies a match in Syslog data from any URL IOC from TI", + "alertRuleTemplateName": "b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf" + } + } + ] +} \ No newline at end of file From 3a7b2c1849d430ff6e16b41de6093dde80e6e26b Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:28 +0000 Subject: [PATCH 347/375] Exported file: Threats detected by Eset.json.json --- .../Threats detected by Eset.json | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Threats detected by Eset.json diff --git a/SentinelExported-AnalyticsRule/Threats detected by Eset.json b/SentinelExported-AnalyticsRule/Threats detected by Eset.json new file mode 100644 index 00000000..f18c55d7 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Threats detected by Eset.json 
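Review bot: The inner `Syslog` subquery runs the URL regex over every syslog line from the last hour and only afterwards discards rows with `where isnotempty(Url)`; a term pre-filter ahead of the `extract`, `| where SyslogMessage has_any ("http", "https")`, lets the index skip the bulk of messages and yields the same result set. The `HostIP` column mapped to `IPCustomEntity` is, if it is the reporting agent's address as it is for the Log Analytics agent, the log source rather than the endpoint that contacted the URL, so the IP entity on the incident points at the collector; that is acceptable for a host-centric view but is worth stating in the description so analysts do not pivot on it as the client address.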
@@ -0,0 +1,79 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/eb68e7af-1e04-45c3-985f-76e076002f57')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/eb68e7af-1e04-45c3-985f-76e076002f57')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "eset_CL\n| where event_type_s == \"Threat_Event\"\n| extend HostCustomEntity = hostname_s, AccountCustomEntity = username_s, IPCustomEntity = ipv4_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Execution", + "CredentialAccess", + "PrivilegeEscalation" + ], + "techniques": null, + "displayName": "Threats detected by Eset", + "enabled": false, + "description": "Escalates threats detected by Eset.", + 
"alertRuleTemplateName": "2d8a60aa-c15e-442e-9ce3-ee924889d2a6" + } + } + ] +} \ No newline at end of file From 6cf5631c9b5cab4f2e9eae93d23ebe311c88bcb7 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:29 +0000 Subject: [PATCH 348/375] Exported file: Time series anomaly detection for total volume of traffic.json.json --- ...detection for total volume of traffic.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json diff --git a/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json new file mode 100644 index 00000000..959377cd --- /dev/null +++ b/SentinelExported-AnalyticsRule/Time series anomaly detection for total volume of traffic.json 
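Review bot: The description `Escalates threats detected by Eset.` does not say what the rule keys on; the query depends on a custom table `eset_CL` and on the `event_type_s == "Threat_Event"` filter, and a reader of the exported rule cannot tell which data source must exist for it to fire. I would expand it to something like `Raises an incident for every Threat_Event record in the eset_CL custom log (ESET connector), mapping hostname_s, username_s and ipv4_s to Host, Account and IP entities.` Three tactics are listed with `techniques: null`; if the ESET record carries a threat category, narrowing the tactic per event type would make the incident more actionable, but that cannot be judged from this hunk.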
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d781e96-280e-4760-8a74-e28bcd7ef128')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d781e96-280e-4760-8a74-e28bcd7ef128')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet percentotalthreshold = 50;\nlet TimeSeriesData = CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| project TimeGenerated,SourceIP, DestinationIP, DeviceVendor\n| make-series Total=count() on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor;\n// Filtering specific records associated with spikes as outliers\nlet TimeSeriesAlerts=materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(Total, scorethreshold, -1, 'linefit')\n| mv-expand Total to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend score = round(score,2), AnomalyHour = TimeGenerated\n| project DeviceVendor,AnomalyHour, TimeGenerated, Total, baseline, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project 
TimeGenerated);\n// Join anomalies with Base Data to popalate associated records for investigation - Results sorted by score in descending order\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n CommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| summarize HourlyCount = count(), TimeGeneratedMax = arg_max(TimeGenerated, *), DestinationIPlist = make_set(DestinationIP, 100), DestinationPortlist = make_set(DestinationPort, 100) by DeviceVendor, SourceIP, TimeGeneratedHour= bin(TimeGenerated, 1h)\n| extend AnomalyHour = TimeGeneratedHour\n) on AnomalyHour, DeviceVendor\n| extend PercentTotal = round((HourlyCount / Total) * 100, 3)\n| where PercentTotal > percentotalthreshold\n| project DeviceVendor , AnomalyHour, TimeGeneratedMax, SourceIP, DestinationIPlist, DestinationPortlist, HourlyCount, PercentTotal, Total, baseline, score, anomalies\n| summarize HourlyCount=sum(HourlyCount), StartTimeUtc=min(TimeGeneratedMax), EndTimeUtc=max(TimeGeneratedMax), SourceIPlist = make_set(SourceIP, 100), SourceIPMax= arg_max(SourceIP, *), DestinationIPlist = make_set(DestinationIPlist, 100), DestinationPortlist = make_set(DestinationPortlist, 100) by DeviceVendor , AnomalyHour, Total, baseline, score, anomalies\n| project DeviceVendor , AnomalyHour, EndTimeUtc, SourceIPMax ,SourceIPlist, DestinationIPlist, DestinationPortlist, HourlyCount, Total, baseline, score, anomalies\n| extend timestamp= EndTimeUtc , IPCustomEntity = SourceIPMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + 
"groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "Time series anomaly detection for total volume of traffic", + "enabled": false, + "description": "Identifies anamalous spikes in network traffic logs as compared to baseline or normal historical patterns.\nThe query leverages a KQL built-in anomaly detection algorithm to find large deviations from baseline patterns.\nSudden increases in network traffic volume may be an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than percentotalthreshold of the total traffic have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious", + "alertRuleTemplateName": "06a9b845-6a95-4432-a78b-83919b28c375" + } + } + ] +} \ No newline at end of file From ae86edae0f9c629bd690781a47b51867dfbe4550 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:29 +0000 Subject: [PATCH 349/375] Exported file: Time series anomaly for data size transferred to public internet.json.json --- ...a size transferred to public internet.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json 
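Review bot: `SourceIPMax= arg_max(SourceIP, *)` in the final summarize maximizes the `SourceIP` string itself, which as far as I can tell orders IPs lexically, so the address that becomes `IPCustomEntity` is the alphabetically last source in the anomaly hour rather than the one that produced the spike. Maximizing on the per-source count instead, e.g. `TopTalkerCount = arg_max(HourlyCount, SourceIP)` and then `IPCustomEntity = SourceIP` in the closing `extend`, attaches the top talker to the incident; the following `project` list would need `SourceIPMax` replaced accordingly. The same `arg_max(SourceIP,*)` appears in the data-size hunk below (`Time series anomaly for data size transferred to public internet.json`), where `TotalSentBytesinMB` is the natural expression to maximize.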
diff --git a/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json new file mode 100644 index 00000000..c701785c --- /dev/null +++ b/SentinelExported-AnalyticsRule/Time series anomaly for data size transferred to public internet.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26ed4120-b9df-487e-bf25-3f179ebf75f4')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26ed4120-b9df-487e-bf25-3f179ebf75f4')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 1, + "severity": "Medium", + "query": "\nlet starttime = 14d;\nlet endtime = 1d;\nlet timeframe = 1h;\nlet scorethreshold = 5;\nlet bytessentperhourthreshold = 10;\nlet PrivateIPregex = @'^127\\.|^10\\.|^172\\.1[6-9]\\.|^172\\.2[0-9]\\.|^172\\.3[0-1]\\.|^192\\.168\\.';\nlet TimeSeriesData = (union isfuzzy=true\n(\nVMConnection\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| project TimeGenerated, BytesSent, DeviceVendor\n| make-series TotalBytesSent=sum(BytesSent) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n),\n(\nCommonSecurityLog\n| where TimeGenerated between (startofday(ago(starttime))..startofday(ago(endtime)))\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| project 
TimeGenerated, SentBytes, DeviceVendor\n| make-series TotalBytesSent=sum(SentBytes) on TimeGenerated from startofday(ago(starttime)) to startofday(ago(endtime)) step timeframe by DeviceVendor\n)\n);\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = materialize(TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(TotalBytesSent, scorethreshold, -1, 'linefit')\n| mv-expand TotalBytesSent to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| extend TotalBytesSentinMBperHour = round(((TotalBytesSent / 1024)/1024),2), baselinebytessentperHour = round(((baseline / 1024)/1024),2), score = round(score,2)\n| project DeviceVendor, AnomalyHour, TimeGenerated, TotalBytesSentinMBperHour, baselinebytessentperHour, anomalies, score);\nlet AnomalyHours = materialize(TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated);\n//Union of all BaseLogs aggregated per hour\nlet BaseLogs = (union isfuzzy=true\n(\nCommonSecurityLog\n| where isnotempty(DestinationIP) and isnotempty(SourceIP)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend DestinationIpType = iff(DestinationIP matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\"\n| extend SentBytesinMB = ((SentBytes / 1024)/1024), ReceivedBytesinMB = ((ReceivedBytes / 1024)/1024)\n| summarize HourlyCount = count(), TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort,100), TotalSentBytesinMB = sum(SentBytesinMB), TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where 
TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n),\n(\nVMConnection\n| where isnotempty(DestinationIp) and isnotempty(SourceIp)\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend SourceIP = SourceIp, DestinationIP = DestinationIp\n| extend DestinationIpType = iff(DestinationIp matches regex PrivateIPregex,\"private\" ,\"public\" )\n| where DestinationIpType == \"public\" | extend DeviceVendor = \"VMConnection\"\n| extend SentBytesinMB = ((BytesSent / 1024)/1024), ReceivedBytesinMB = ((BytesReceived / 1024)/1024)\n| summarize HourlyCount = count(),TimeGeneratedMax=arg_max(TimeGenerated, *), DestinationIPList=make_set(DestinationIP, 100), DestinationPortList = make_set(DestinationPort, 100), TotalSentBytesinMB = sum(SentBytesinMB),TotalReceivedBytesinMB = sum(ReceivedBytesinMB) by SourceIP, DeviceVendor, TimeGeneratedHour=bin(TimeGenerated,1h)\n| where TotalSentBytesinMB > bytessentperhourthreshold\n| sort by TimeGeneratedHour asc, TotalSentBytesinMB desc\n| extend Rank=row_number(1, prev(TimeGeneratedHour) != TimeGeneratedHour) // Ranking the dataset per Hourly Partition\n| where Rank < 10 // Selecting Top 10 records with Highest BytesSent in each Hour\n| project DeviceVendor, TimeGeneratedHour, TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, Rank\n)\n);\n// Join against base logs to retrive records associated with the hour of 
anomoly\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join (\n BaseLogs | extend AnomalyHour = TimeGeneratedHour\n) on DeviceVendor, AnomalyHour | sort by score desc\n| project DeviceVendor, AnomalyHour,TimeGeneratedMax, SourceIP, DestinationIPList, DestinationPortList, TotalSentBytesinMB, TotalReceivedBytesinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| summarize EventCount = count(), StartTimeUtc= min(TimeGeneratedMax), EndTimeUtc= max(TimeGeneratedMax), SourceIPMax= arg_max(SourceIP,*), TotalBytesSentinMB = sum(TotalSentBytesinMB), TotalBytesReceivedinMB = sum(TotalReceivedBytesinMB), SourceIPList = make_set(SourceIP, 100), DestinationIPList = make_set(DestinationIPList, 100) by AnomalyHour,TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies\n| project DeviceVendor, AnomalyHour, StartTimeUtc, EndTimeUtc, SourceIPMax, SourceIPList, DestinationIPList, DestinationPortList, TotalBytesSentinMB, TotalBytesReceivedinMB, TotalBytesSentinMBperHour, baselinebytessentperHour, score, anomalies, EventCount\n| extend timestamp =EndTimeUtc, IPCustomEntity = SourceIPMax\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": null, + "displayName": "Time series anomaly for data size transferred to public internet", + "enabled": false, + "description": "Identifies anomalous data transfer to public networks. 
The query leverages built-in KQL anomaly detection algorithms that detects large deviations from a baseline pattern.\nA sudden increase in data transferred to unknown public networks is an indication of data exfiltration attempts and should be investigated.\nThe higher the score, the further it is from the baseline value.\nThe output is aggregated to provide summary view of unique source IP to destination IP address and port bytes sent traffic observed in the flagged anomaly hour.\nThe source IP addresses which were sending less than bytessentperhourthreshold have been exluded whose value can be adjusted as needed .\nYou may have to run queries for individual source IP addresses from SourceIPlist to determine if anything looks suspicious", + "alertRuleTemplateName": "f2dd4a3a-ebac-4994-9499-1a859938c947" + } + } + ] +} \ No newline at end of file From d4fd6a37706bbe43c99aea7312ee525f6148676c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:30 +0000 Subject: [PATCH 350/375] Exported file: Trust Monitor Event.json.json --- .../Trust Monitor Event.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Trust Monitor Event.json diff --git a/SentinelExported-AnalyticsRule/Trust Monitor Event.json b/SentinelExported-AnalyticsRule/Trust Monitor Event.json new file mode 100644 index 00000000..66054f76 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Trust Monitor Event.json 
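Review bot: `PrivateIPregex` classifies everything outside 127/8 and the RFC 1918 ranges as `public`, so link-local 169.254.0.0/16, the 100.64.0.0/10 shared address space and every IPv6 destination are counted as transfers to the public internet and can dominate the per-hour byte series on hosts that talk to a metadata service or sit behind carrier-grade NAT. Adding at least `|^169\\.254\\.` to the pattern as written in the JSON-encoded query, or checking `ipv4_is_private(DestinationIP)` for the RFC 1918 part, tightens the baseline; IPv6 needs an explicit branch because the regex never matches it. The rule text also reads `exluded` and `anomolies`, which is worth fixing in the source template since the description is shown to analysts on the incident.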
@@ -0,0 +1,68 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2397d157-f3c4-485d-acd3-008ab8612c60')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2397d157-f3c4-485d-acd3-008ab8612c60')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nlet timeframe = ago(5m);\nDuoSecurityTrustMonitor_CL\n| where TimeGenerated >= timeframe\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess" + ], + "techniques": null, + "displayName": "Trust Monitor Event", + "enabled": false, + "description": "This query identifies when a new trust monitor event is detected.", + "alertRuleTemplateName": "8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182" + } + } + ] +} \ No newline at 
end of file From 76d459619f416e5e1699f23ab17d3cd605da03f8 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:31 +0000 Subject: [PATCH 351/375] Exported file: User Accessed Suspicious URL Categories.json.json --- ...er Accessed Suspicious URL Categories.json | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json diff --git a/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json new file mode 100644 index 00000000..079df84a --- /dev/null +++ b/SentinelExported-AnalyticsRule/User Accessed Suspicious URL Categories.json 
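Review bot: The query pins its own window with `let timeframe = ago(5m);` and `where TimeGenerated >= timeframe`, which duplicates `queryPeriod: PT5M` and, if I read the scheduler correctly, narrows whatever ingestion-delay compensation Sentinel applies around the configured period; an event whose TimeGenerated falls more than five minutes before the actual run time is skipped and is not picked up by the next run either. Dropping the explicit filter and letting `queryPeriod` bound the query (optionally with `queryPeriod` larger than `queryFrequency`, which the scheduler permits) avoids the gap; in the exported form only `DuoSecurityTrustMonitor_CL\n| extend AccountCustomEntity = surfaced_auth_user_name_s, IPCustomEntity = surfaced_auth_access_device_ip_s` is needed. The description `This query identifies when a new trust monitor event is detected.` could also say what a Duo Trust Monitor event represents and which fields are mapped, since the rule fires on every row of the custom table with no severity or state filter.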
@@ -0,0 +1,77 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6e16dc82-ea01-41d5-aa55-6390a418421d')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6e16dc82-ea01-41d5-aa55-6390a418421d')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "\nSymantecProxySG\n| mv-expand cs_categories\n| where cs_categories has_any (\"Suspicious\",\"phishing\", \"hacking\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories)\n| extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": 
"IPCustomEntity" + } + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": null, + "displayName": "User Accessed Suspicious URL Categories", + "enabled": false, + "description": "Creates an incident in the event the requested URL accessed by the user has been identified as Suspicious, Phishing, or Hacking.", + "alertRuleTemplateName": "fb0f4a93-d8ad-4b54-9931-85bdb7550f90" + } + } + ] +} \ No newline at end of file From 888c8c8e5cd06dc2d64dd91945b25c4ba5c8b4f4 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:32 +0000 Subject: [PATCH 352/375] Exported file: User Accounts - Sign in Failure due to CA Spikes.json.json --- ...ts - Sign in Failure due to CA Spikes.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json diff --git a/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json new file mode 100644 index 00000000..39dd9a72 --- /dev/null +++ b/SentinelExported-AnalyticsRule/User Accounts - Sign in Failure due to CA Spikes.json 
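Review bot: The summarize keys on `sc_filter_result` but nothing filters on it, so a request the proxy already blocked raises the same Medium incident as one that was allowed through, while the description says the URL was `accessed by the user`. Either restrict to allowed verdicts before the summarize, e.g. `| where sc_filter_result != "DENIED"` if that is the value your ProxySG logs use for blocks (verify against your data), or surface the verdict through alert details so blocked and allowed hits can be triaged separately. The tactic `DefenseEvasion` also looks mismatched for access to phishing and hacking categories; InitialAccess or CommandAndControl would describe it better, though that is a judgment call.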
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c5c78d4-a787-4c7c-9da1-a1244a9878b4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 5;\nlet aadFunc = (tableName:string){\n // Failed Signins attempts with reasoning related to conditional access policies.\n table(tableName)\n | where TimeGenerated between (startofday(ago(starttime))..startofday(ago(timeframe)))\n | where ResultDescription has_any (\"conditional access\", \"CA\") or ResultType in (50005, 50131, 53000, 53001, 53002, 52003, 70044)\n | extend UserPrincipalName = tolower(UserPrincipalName)\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nlet allSignins = union isfuzzy=true aadSignin, aadNonInt ;\nlet TimeSeriesData = union isfuzzy=true aadSignin, aadNonInt \n| project TimeGenerated, UserPrincipalName\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by UserPrincipalName\n| project TimeGenerated, UserPrincipalName, HourlyCount;\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = 
series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project UserPrincipalName, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts for specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n| join kind=inner ( \nunion isfuzzy=true aadSignin, aadNonInt\n| where TimeGenerated > ago(2d)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName\n) on UserPrincipalName\n| project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score\n| extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ 
"entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Accounts - Sign in Failure due to CA Spikes",
+ "enabled": false,
+ "description": " Identifies spike in failed sign-ins from user accounts due to conditional access policied.\nSpike is determined based on Time series anomaly which will look at historical baseline values.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins",
+ "alertRuleTemplateName": "3a9d5ede-2b9d-43a2-acc4-d272321ff77c"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 61f98171b6dadce6aa5de298a4fde7fafc9e0fd6 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:42 +0000 Subject: [PATCH 353/375] Exported file: User Assigned Privileged Role.json.json
--- .../User Assigned Privileged Role.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
diff --git a/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json new file mode 100644
index 00000000..27d37b55
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Assigned Privileged Role.json
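Review bot: The rule's lookback does not cover the query's baseline window: `"queryPeriod": "P1D"` while the query starts at `let starttime = 14d;` and builds its make-series baseline over that whole range. If the scheduled rule's query period bounds the data the query can read, which is how Sentinel scheduled rules behave as far as I know, the 14-day series is empty apart from the last day and series_decompose_anomalies has no history to score against; the fix is `"queryPeriod": "P14D"`. The description also carries a typo, `conditional access policied` should read `conditional access policies`.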
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ad713bda-ef00-4837-b0ee-4c955214d0a6')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT2H",
+ "queryPeriod": "PT2H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "AuditLogs\n| where Category =~ \"RoleManagement\"\n| where AADOperationType in (\"Assign\", \"AssignEligibleRole\")\n| where ActivityDisplayName has_any (\"Add eligible member to role\", \"Add member to role\")\n| mv-expand TargetResources\n| mv-expand TargetResources.modifiedProperties\n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName)\n| where displayName_ =~ \"Role.DisplayName\"\n| extend RoleName = tostring(parse_json(tostring(TargetResources_modifiedProperties.newValue)))\n| where RoleName contains \"Admin\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName))\n| extend Target = tostring(TargetResources.userPrincipalName)\n| summarize by bin(TimeGenerated, 1h), OperationName, RoleName, Target, Initiator, Result\n| extend AccountCustomEntity = Target\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ 
"reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ ],
+ "techniques": null,
+ "displayName": "User Assigned Privileged Role",
+ "enabled": false,
+ "description": "Identifies when a new privileged role is assigned to a user. Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.\nRef : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1",
+ "alertRuleTemplateName": "050b9b3d-53d0-4364-a3da-1b678b8211ec"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 20fed2ec78636811a82295d5a741b0b10aeabe10 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:43 +0000 Subject: [PATCH 354/375] Exported file: User Login from Different Countries within 3 hours.json.json
--- ...om Different Countries within 3 hours.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
diff --git a/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json new file mode 100644
index 00000000..0835b8b6
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User Login from Different Countries within 3 hours.json
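Review bot: Initiator, computed from `InitiatedBy.app`/`InitiatedBy.user`, is not in entityMappings, so the account that performed the privileged assignment never becomes an incident entity; only Target is mapped. Add a second Account mapping, `{ "identifier": "FullName", "columnName": "Initiator" }`, bearing in mind that Initiator holds an application display name rather than a UPN whenever `InitiatingApp` is non-empty, so that entity will not always resolve to a user.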
@@ -0,0 +1,59 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86475faa-04ff-4383-86b2-ebca93ca8097')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT3H",
+ "queryPeriod": "PT3H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "\nlet timeframe = ago(3h);\nlet threshold = 2;\nOkta_CL\n| where column_ifexists('published_t', now()) >= timeframe\n| where eventType_s =~ \"user.session.start\"\n| where outcome_result_s =~ \"SUCCESS\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(client_geographicalContext_country_s) by actor_alternateId_s\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "User Login from Different Countries within 3 hours",
+ "enabled": false,
+ 
"description": "This query searches for successful user logins to the Okta Console from different countries within 3 hours",
+ "alertRuleTemplateName": "2954d424-f786-4677-9ffc-c24c44c6e7d5"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 288fab54d5cb903b1b29027706f9716babb3c0e9 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:44 +0000 Subject: [PATCH 355/375] Exported file: User account added to built in domain local or global group.json.json
--- ...built in domain local or global group.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
diff --git a/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json new file mode 100644
index 00000000..721fa067
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account added to built in domain local or global group.json
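Review bot: `dcount(client_geographicalContext_country_s)` counts an empty country string as its own distinct value, so one session without geolocation plus one resolved country already meets `threshold = 2` and fires. Add `| where isnotempty(client_geographicalContext_country_s)` ahead of the summarize. `column_ifexists('published_t', now()) >= timeframe` is always true when published_t is absent, which silently hands the time bound over to the rule's queryPeriod; a one-line comment in the query saying that is intended would spare the next reader the puzzle.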
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/349c1b39-5c33-4d6f-b5a5-580083a77cd3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\n// For AD SID mappings - https://docs.microsoft.com/windows/security/identity-protection/access-control/active-directory-security-groups\nlet WellKnownLocalSID = \"S-1-5-32-5[0-9][0-9]$\";\nlet WellKnownGroupSID = \"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1103$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-498$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1000$\";\nSecurityEvent \n// When MemberName contains '-' this indicates addition of a group to a group\n| where AccountType == \"User\" and MemberName != \"-\"\n// 4728 - A member was added to a security-enabled global group\n// 4732 - A member was added to a security-enabled local group\n// 4756 - A member was added to a security-enabled universal group\n| where EventID in (4728, 4732, 4756) \n| where TargetSid matches regex WellKnownLocalSID or TargetSid matches regex WellKnownGroupSID\n// Exclude Remote Desktop Users group: S-1-5-32-555\n| where TargetSid !in (\"S-1-5-32-555\")\n| extend SimpleMemberName = substring(MemberName, 3, indexof_regex(MemberName, @\",OU|,CN\") - 3)\n| project TimeGenerated, EventID, Activity, Computer, SimpleMemberName, 
MemberName, MemberSid, TargetUserName, TargetDomainName, TargetSid, UserPrincipalName, SubjectUserName, SubjectUserSid\n| extend timestamp = TimeGenerated, AccountCustomEntity = SimpleMemberName, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account added to built in domain local or global group",
+ "enabled": false,
+ "description": "Identifies when a user account has been added to a privileged built in domain local group or global group \nsuch as the Enterprise Admins, Cert Publishers or DnsAdmins. Be sure to verify this is an expected addition.",
+ "alertRuleTemplateName": "a35f2c18-1b97-458f-ad26-e033af18eb99"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 45758f3714f185641d2bdab2b800fd36f506f8ef Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:45 +0000 Subject: [PATCH 356/375] Exported file: User account created and deleted within 10 mins.json.json
--- ...nt created and deleted within 10 mins.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
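Review bot: `SimpleMemberName`, which is the Account entity column, comes out empty whenever MemberName has no `,OU` or `,CN` component: `indexof_regex` returns -1, the length argument becomes -4, and substring appears to yield an empty string, so the incident carries no account at all. Fall back to the raw name, `AccountCustomEntity = iff(isempty(SimpleMemberName), MemberName, SimpleMemberName)`, or guard the substring on `indexof_regex(MemberName, @",OU|,CN") > 0`.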
diff --git a/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json new file mode 100644
index 00000000..c2087015
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account created and deleted within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7fd08f98-0dbf-4604-853a-76a610cc9c0d')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was created\n| where EventID == 4720\n| where AccountType =~ \"User\"\n| project creationTime = TimeGenerated, CreateEventID = EventID, CreateActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToCreate = SubjectAccount, SIDofAccountUsedToCreate = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was deleted\n | where EventID == 4726\n| where AccountType == \"User\"\n| project deletionTime = TimeGenerated, DeleteEventID = EventID, DeleteActivity = Activity, Computer, TargetUserName, UserPrincipalName, \nAccountUsedToDelete = SubjectAccount, SIDofAccountUsedToDelete = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where deletionTime - creationTime < spanoftime\n| extend TimeDelta = deletionTime - creationTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, creationTime, CreateEventID, 
CreateActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToCreate, SIDofAccountUsedToCreate,\ndeletionTime, DeleteEventID, DeleteActivity, AccountUsedToDelete, SIDofAccountUsedToDelete\n| extend timestamp = creationTime, AccountCustomEntity = AccountUsedToCreate, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account created and deleted within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is created and then deleted within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "4b93c5af-d20b-4236-b696-a28b8c51407f"
+ }
+ }
+ ]
+}
\ No newline at end of file
From b15f09768ecb85cff771aa4361dee4d0b365ef97 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:46 +0000 Subject: [PATCH 357/375] Exported file: User account enabled and disabled within 10 mins.json.json
--- ...t enabled and disabled within 10 mins.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
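Review bot: The two legs filter AccountType differently, `| where AccountType =~ "User"` on the creation event but `| where AccountType == "User"` on the deletion event, so the deletion leg is case-sensitive while the creation leg is not; use `=~` in both. TargetAccount, the account that was created and deleted and also the join key, is not in entityMappings (only AccountUsedToCreate and Computer are), so add `{ "identifier": "FullName", "columnName": "TargetAccount" }` as a second Account mapping. The next hunk, User account enabled and disabled within 10 mins, has the same mapping gap for its TargetAccount.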
diff --git a/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json new file mode 100644
index 00000000..e20a7721
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User account enabled and disabled within 10 mins.json
@@ -0,0 +1,69 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9d680f1a-5c96-48c6-8662-3604bfe61eb2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1DT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nSecurityEvent\n| where TimeGenerated > ago(timeframe+spanoftime)\n// A user account was enabled\n| where EventID == 4722\n| where AccountType =~ \"User\"\n| where TargetAccount !hassuffix \"$\"\n| project EnableTime = TimeGenerated, EnableEventID = EventID, EnableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToEnable = SubjectAccount, SIDofAccountUsedToEnable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n| join kind= inner (\n SecurityEvent\n | where TimeGenerated > ago(timeframe)\n // A user account was disabled\n | where EventID == 4725\n| where AccountType =~ \"User\"\n| project DisableTime = TimeGenerated, DisableEventID = EventID, DisableActivity = Activity, Computer, UserPrincipalName, \nAccountUsedToDisable = SubjectAccount, SIDofAccountUsedToDisable = SubjectUserSid, TargetAccount = tolower(TargetAccount), TargetSid\n) on Computer, TargetAccount\n| where DisableTime - EnableTime < spanoftime\n| extend TimeDelta = DisableTime - EnableTime\n| where tolong(TimeDelta) >= threshold\n| project TimeDelta, EnableTime, EnableEventID, 
EnableActivity, Computer, TargetAccount, TargetSid, UserPrincipalName, AccountUsedToEnable, SIDofAccountUsedToEnable, \nDisableTime, DisableEventID, DisableActivity, AccountUsedToDisable, SIDofAccountUsedToDisable\n| extend timestamp = EnableTime, AccountCustomEntity = AccountUsedToEnable, HostCustomEntity = Computer\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User account enabled and disabled within 10 mins",
+ "enabled": false,
+ "description": "Identifies when a user account is enabled and then disabled within 10 minutes. This can be an indication of compromise and\nan adversary attempting to hide in the noise.",
+ "alertRuleTemplateName": "3d023f64-8225-41a2-9570-2bd7c2c4535e"
+ }
+ }
+ ]
+}
\ No newline at end of file
From 64a1c2f99eb2bef271db00f9a2a596bdbedc32ed Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:46 +0000 Subject: [PATCH 358/375] Exported file: User added to Azure Active Directory Privileged Groups.json.json
--- ...re Active Directory Privileged Groups.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
diff --git a/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json new file mode 100644
index 00000000..7ef1fb82
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User added to Azure Active Directory Privileged Groups.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/742ae0bd-633c-4f38-804b-3ed926117077')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "let OperationList = dynamic([\"Add member to role\",\"Add member to role in PIM requested (permanent)\"]);\nlet PrivilegedGroups = dynamic([\"UserAccountAdmins\",\"PrivilegedRoleAdmins\",\"TenantAdmins\"]);\nAuditLogs\n//| where LoggedByService =~ \"Core Directory\"\n| where Category =~ \"RoleManagement\"\n| where OperationName in~ (OperationList)\n| mv-expand TargetResources\n| extend modProps = parse_json(TargetResources).modifiedProperties\n| mv-expand bagexpansion=array modProps\n| evaluate bag_unpack(modProps)\n| extend displayName = column_ifexists(\"displayName\", \"NotAvailable\"), newValue = column_ifexists(\"newValue\", \"NotAvailable\")\n| where displayName =~ \"Role.WellKnownObjectName\"\n| extend DisplayName = displayName, GroupName = replace('\"','',newValue)\n| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user\n| extend AppId = initByApp.appId, \nInitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, \"not available\"),\nServicePrincipalId = 
tostring(initByApp.servicePrincipalId),\nServicePrincipalName = tostring(initByApp.servicePrincipalName),\nUserId = initByUser.id,\nUserIPAddress = initByUser.ipAddress,\nUserRoles = initByUser.roles,\nUserPrincipalName = tostring(initByUser.userPrincipalName),\nTargetUserPrincipalName = tostring(TargetResources.userPrincipalName)\n| where GroupName in~ (PrivilegedGroups)\n// If you don't want to alert for operations from PIM, remove below filtering for MS-PIM.\n//| where InitiatedByDisplayName != \"MS-PIM\"\n| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName, TargetUserPrincipalName\n| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, \"not available\")\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence",
+ "PrivilegeEscalation"
+ ],
+ "techniques": null,
+ "displayName": "User added to Azure Active Directory Privileged Groups",
+ "enabled": false,
+ "description": "This will alert when a user is added to any of the Privileged Groups.\nFor further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.\nFor Administrator role permissions in Azure 
Active Directory please see https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+ "alertRuleTemplateName": "4d94d4a9-dc96-410a-8dea-4d4d4584188b"
+ }
+ }
+ ]
+}
\ No newline at end of file
From eba4be995cb5d76b1c3412a9bb6b6868791538c2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:47 +0000 Subject: [PATCH 359/375] Exported file: User agent search for log4j exploitation attempt.json.json
--- ...search for log4j exploitation attempt.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
diff --git a/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json new file mode 100644
index 00000000..c379ac60
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/User agent search for log4j exploitation attempt.json
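Review bot: `UserIPAddress` is projected but never mapped, so the initiating user's IP is lost from the incident, and it is also left dynamic (`UserIPAddress = initByUser.ipAddress,`) while the neighbouring fields are cast. Change it to `UserIPAddress = tostring(initByUser.ipAddress),` and add `{ "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "UserIPAddress" } ] }` to entityMappings. Separately, AccountCustomEntity falls through to the literal `"not available"` when neither a service principal nor a UPN is present, which the Account mapping would presumably surface as an account named 'not available'; an empty string there leaves no entity, which is the more honest outcome.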
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/57d051c8-0108-455a-9a94-bfa7c7c8e565')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/57d051c8-0108-455a-9a94-bfa7c7c8e565')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let UserAgentString = dynamic ([\"${jndi:ldap:/\", \"${jndi:rmi:/\", \"${jndi:ldaps:/\", \"${jndi:dns:/\", \"${jndi:iiop:/\",\"${jndi:\",\"${jndi:nds:/\",\"${jndi:corba/\"]);\nlet UARegex = @'(\\\\$|%24)(\\\\{|%7B)([^jJ]*[jJ])([^nN]*[nN])([^dD]*[dD])([^iI]*[iI])(:|%3A|\\\\$|%24|}|%7D)';\n(union isfuzzy=true\n(OfficeActivity\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = ClientIP, Account = UserId, Type, Operation\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AzureDiagnostics\n| where Category in (\"FrontdoorWebApplicationFirewallLog\", \"FrontdoorAccessLog\", \"ApplicationGatewayFirewallLog\", \"ApplicationGatewayAccessLog\")\n| where userAgent_s has_any (UserAgentString) or userAgent_s matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = userAgent_s, SourceIP = clientIP_s, Type, host_s, requestUri_s, httpStatus_d\n| extend timestamp = StartTime, IPCustomEntity = SourceIP, UrlCustomEntity = 
requestUri_s\n),\n(\nW3CIISLog\n| where csUserAgent has_any (UserAgentString) or csUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent = csUserAgent, SourceIP = cIP, Account = csUserName, Type, sSiteName, csMethod, csUriStem\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = csUriStem\n),\n(\nAWSCloudTrail\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = SourceIpAddress, Account = UserIdentityUserName, Type, EventName\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(SigninLogs\n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(AADNonInteractiveUserSignInLogs \n| where UserAgent has_any (UserAgentString) or UserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserAgent, SourceIP = IPAddress, Account = UserPrincipalName, Type, Operation = OperationName, tostring(LocationDetails), tostring(DeviceDetail), AppDisplayName, ClientAppUsed\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP\n),\n(imWebSessions\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, URL, Type\n| extend timestamp = StartTime, AccountCustomEntity = Account, 
IPCustomEntity = SourceIP, UrlCustomEntity = URL\n),\n(imNetworkSession\n| where HttpUserAgent has_any (UserAgentString) or HttpUserAgent matches regex UARegex\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by HttpUserAgent, SourceIP = SrcIpAddr, DstIpAddr, Account = SrcUsername, Type, Url\n| extend timestamp = StartTime, AccountCustomEntity = Account, IPCustomEntity = SourceIP, UrlCustomEntity = Url\n)\n)\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User agent search for log4j exploitation attempt", + "enabled": false, + "description": "This query uses various log sources having user agent data to look for log4j CVE-2021-44228 exploitation attempt based on user agent pattern. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. The regex and the string matching look for the most common attacks. This might not be comprehensive to detect every possible user agent variation.\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/", + "alertRuleTemplateName": "29283b22-a1c0-4d16-b0a9-3460b655a46a" + } + } + ] +} \ No newline at end of file From 99db77fe99773c82ab3c9cef2862ff1e5cff7672 Mon Sep 17 00:00:00 2001 
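Review bot: Every union branch of the query emits `IPCustomEntity` and most also emit `UrlCustomEntity`, but `entityMappings` only maps Account, so the source IP and the request URL — the primary pivots for a log4j exploitation attempt against a web tier — are not attached to the incident unless the workspace still relies on the legacy `*CustomEntity` column auto-mapping; append IP and URL mappings to the existing array after the Account element (fence below). Separately, `UARegex` is a verbatim `@'…'` string in which `\\$` and `\\{` reach the regex engine as an escaped backslash followed by the `$` anchor or a `{`, not as a literal `$` and `{`, which — if this is not a double-escaping artifact of the export — leaves only the percent-encoded `%24%7B` forms to the regex, so run the rule once against a sample `${jndi:` user agent and, if it misses, write the groups as `(\$|%24)(\{|%7B)` and `(:|%3A|\$|%24|}|%7D)`. Minor: the `"${jndi:"` entry in `UserAgentString` already covers every other entry, so the remaining list items are redundant for `has_any`.
```json
{
  "entityType": "IP",
  "fieldMappings": [
    { "identifier": "Address", "columnName": "IPCustomEntity" }
  ]
},
{
  "entityType": "URL",
  "fieldMappings": [
    { "identifier": "Url", "columnName": "UrlCustomEntity" }
  ]
}
```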
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:48 +0000 Subject: [PATCH 360/375] Exported file: User joining Zoom meeting from suspicious timezone.json.json --- ...Zoom meeting from suspicious timezone.json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json diff --git a/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json new file mode 100644 index 00000000..4cd66a44 --- /dev/null +++ b/SentinelExported-AnalyticsRule/User joining Zoom meeting from suspicious timezone.json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/fe7d80f1-5bd1-409b-89df-c48b2f340b80')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "\nlet schedule_lookback = 14d; \nlet join_lookback = 1d; \n// If you want to whitelist specific timezones include them in a list here\nlet tz_whitelist = dynamic([]);\nlet meetings = ( \nZoomLogs \n| where TimeGenerated >= ago(schedule_lookback) \n| where Event =~ \"meeting.created\" \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| extend SchedTimezone = tostring(parse_json(MeetingEvents).Timezone)); \nZoomLogs \n| where TimeGenerated >= ago(join_lookback) \n| where Event =~ \"meeting.participant_joined\" \n| extend JoinedTimeZone = tostring(parse_json(MeetingEvents).Timezone) \n| extend MeetingName = tostring(parse_json(MeetingEvents).MeetingName) \n| extend MeetingId = tostring(parse_json(MeetingEvents).MeetingId) \n| where JoinedTimeZone !in (tz_whitelist)\n| join (meetings) on MeetingId \n| where SchedTimezone != JoinedTimeZone \n| project TimeGenerated, MeetingName, JoiningUser=payload_object_participant_user_name_s, JoinedTimeZone, SchedTimezone, MeetingScheduler=User1 \n| extend timestamp = TimeGenerated, AccountCustomEntity = JoiningUser\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User joining Zoom meeting from suspicious timezone", + "enabled": false, + "description": "The alert shows users that join a Zoom meeting from a time zone other than the one the meeting was created in.\nYou can also whitelist known good time zones in the tz_whitelist value using the tz database name format https://en.wikipedia.org/wiki/List_of_tz_database_time_zones", + "alertRuleTemplateName": "58fc0170-0877-4ea8-a9ff-d805e361cfae" + } + } + ] +} \ No newline at end of file From 4244087334a0081017b1828cbc799e4ec8b671e2 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:49 +0000 Subject: [PATCH 361/375] Exported file: User login from different countries within 3 hours (Uses Authentication Normalization).json.json --- ...s (Uses Authentication Normalization).json | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json diff --git a/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json new file mode 100644 index 00000000..6bd39a50 --- /dev/null 
+++ b/SentinelExported-AnalyticsRule/User login from different countries within 3 hours (Uses Authentication Normalization).json 
@@ -0,0 +1,59 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a36172b6-4acf-4915-b0c5-ea8be7d05c86')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT3H", + "queryPeriod": "PT3H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "let timeframe = ago(3h);\nlet threshold = 2;\nimAuthentication\n| where TimeGenerated > timeframe\n| where EventType=='Logon' and EventResult=='Success'\n| where isnotempty(SrcGeoCountry)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)\n , NumOfCountries = dcount(SrcGeoCountry)\n by TargetUserId, TargetUsername, TargetUserType\n| where NumOfCountries >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = TargetUsername\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": null, + "displayName": "User login from different 
countries within 3 hours (Uses Authentication Normalization)", + "enabled": false, + "description": "This query searches for successful user logins from different countries within 3 hours.\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)", + "alertRuleTemplateName": "09ec8fa2-b25f-4696-bfae-05a7b85d7b9e" + } + } + ] +} \ No newline at end of file From 8cba8e6e14a7f3a7432f90baca3182223bf562cb Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:49 +0000 Subject: [PATCH 362/375] Exported file: Users searching for VIP user activity.json.json --- ...Users searching for VIP user activity.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Users searching for VIP user activity.json diff --git a/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json new file mode 100644 index 00000000..cd2e9241 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Users searching for VIP user activity.json 
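Review bot: The `summarize` reports `NumOfCountries` but never which countries were seen, so an analyst opening the incident has to re-run the query to decide whether this is a known VPN egress pair or genuine impossible travel; add `Countries = make_set(SrcGeoCountry)` next to `Vendors` and `Products`. `dcount` is an approximation by design; at a threshold of 2 that is unlikely to matter, but `array_length(make_set(SrcGeoCountry))` gives an exact count should the threshold be raised. The leading `| where TimeGenerated > timeframe` with `timeframe = ago(3h)` duplicates the rule's `queryPeriod` of PT3H, which is harmless but means the two values must be kept in sync if either is changed.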
@@ -0,0 +1,60 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/604dfab2-c845-4910-876f-76dce9eb58cb')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/604dfab2-c845-4910-876f-76dce9eb58cb')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "P1D", + "queryPeriod": "P1D", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Low", + "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + } + ], + "tactics": [ + 
"Collection", + "Exfiltration" + ], + "techniques": null, + "displayName": "Users searching for VIP user activity", + "enabled": false, + "description": "This query monitors for users running Log Analytics queries that contain filters\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.", + "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e" + } + } + ] +} \ No newline at end of file From de8431121040c5f38fb1938fd6697eb37a7f02a0 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:50 +0000 Subject: [PATCH 363/375] Exported file: Valid Analytic Rule 1.json.json --- .../Valid Analytic Rule 1.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json diff --git a/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json new file mode 100644 index 00000000..809909b8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Valid Analytic Rule 1.json 
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ed27aa54-2adc-4774-ae30-6f84a1de0213')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "High",
+ "query": "SecurityAlert",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "alertDetailsOverride": {
+ "alertDisplayNameFormat": "alert name {{AlertName}}",
+ "alertDescriptionFormat": "DESC test {{Description}}",
+ "alertTacticsColumnName": null,
+ "alertSeverityColumnName": null
+ },
+ "tactics": [],
+ "techniques": null,
+ "displayName": "Valid Analytic Rule 1",
+ "enabled": true,
+ "description": "DESCRIPTION CHECK",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file
From af05864abdc6f019a37ca00f713f5ccfc3d3e15f Mon Sep 17 00:00:00 2001
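Review bot: This is the only rule in the exported series with `"enabled": true`, and its query is the bare `SecurityAlert` table with `triggerThreshold` 0 and `SingleAlert` grouping, so every five hours it raises a High-severity incident whenever any alert row exists in the period — including alerts that already have incidents and, after the first run, most likely its own. The `DESCRIPTION CHECK` placeholder, `"tactics": []` and `"alertRuleTemplateName": null` read as a validation fixture; set `"enabled": false` or constrain the query to a specific alert source before this file is deployed to a production workspace. Style: `groupByAlertDetails` and `groupByCustomDetails` are `[]` here but `null` in every other rule in the series, so a consumer comparing these exports sees two types for the same key.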
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:51 +0000 Subject: [PATCH 364/375] Exported file: Vectra AI Detect - Detections with High Severity.json.json --- ...etect - Detections with High Severity.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json new file mode 100644 index 00000000..5276902f --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Detections with High Severity.json 
@@ -0,0 +1,92 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc28747a-f907-4cf8-b2e2-099b4663b67e')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc28747a-f907-4cf8-b2e2-099b4663b67e')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "High", + "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\n//default threshold is 7 (meaning a threat score of 70)\nlet severity_threshold = 7.0;\n//Map by default to High Severity in Sentinel\nlet Severity = \"High\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\"\n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| where todecimal(LogSeverity) >= severity_threshold\n| extend Tactic = case( Category == 
\"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity, Activity\n| sort by TimeGenerated\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Tactic, Activity, LogSeverity, Severity, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "IPCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", 
+ "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Detections with High Severity", + "enabled": false, + "description": "Create an incident for high severity malicious behavior detected by Vectra AI (Threat score superior to 7.0). \nThe Severity is a mapping with the Threat score assigned to a detection. It ranges between 0 and 10. \nThe severity_threshold variable can be adjusted as desired.", + "alertRuleTemplateName": "39e48890-2c02-487e-aa9e-3ba494061798" + } + } + ] +} \ No newline at end of file From 53ca1e69256f08d3a69f0161d758a936d06ac3dc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:51 +0000 Subject: [PATCH 365/375] Exported file: Vectra AI Detect - New Campaign Detected.json.json --- ...tra AI Detect - New Campaign Detected.json | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json new file mode 100644 index 00000000..efaa9e94 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - New Campaign Detected.json 
@@ -0,0 +1,69 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2985b2db-a13a-4ec0-9606-dc6c837a6dd8')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID contains \"campaign\"\n| where DeviceAction == \"START\"\n| extend reason = extract(\"reason=(.+?)$\", 1, AdditionalExtensions)\n| project-rename vectra_URL = DeviceCustomString4\n| project Activity,SourceHostName, reason, vectra_URL\n| extend HostCustomEntity = SourceHostName, URLCustomEntity = vectra_URL\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "HostCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "LateralMovement", + "CommandAndControl" + ], + 
"techniques": null, + "displayName": "Vectra AI Detect - New Campaign Detected", + "enabled": false, + "description": "Identifies when a new Campaign has been detected. This occurs when multiple Detections accross different Hosts are suspected to be part of the same Attack Campaign.", + "alertRuleTemplateName": "a34d0338-eda0-42b5-8b93-32aae0d7a501" + } + } + ] +} \ No newline at end of file From 4b41a4dc9bd5f089d3cfb460a51f836fe4c97a3c Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:52 +0000 Subject: [PATCH 366/375] Exported file: Vectra AI Detect - Suspected Compromised Account.json.json --- ...etect - Suspected Compromised Account.json | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json new file mode 100644 index 00000000..e5c6ffe8 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Account.json 
@@ -0,0 +1,74 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspace": { + "type": "String" + } + }, + "resources": [ + { + "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3700252b-2d09-4ca1-ba8d-5b070add4fbc')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "kind": "Scheduled", + "apiVersion": "2022-09-01-preview", + "properties": { + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "severity": "Medium", + "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nlet upn_has_prefix = \":\";\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"asc\"\n| extend saccount = extract(\"saccount=(.+?);\", 1, AdditionalExtensions)\n| extend type = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[0]) ,\"network\" ) \n| extend upn = iff(saccount matches regex upn_has_prefix, tostring(split(saccount,\":\")[1]) , saccount )\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n 
threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat score per Host\n| summarize arg_max(threat_score, *) by saccount\n| project TimeGenerated, saccount, level, Severity, upn, type, threat_score, certainty_score, vectra_URL\n| extend AccountCustomEntity = upn, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "incidentConfiguration": { + "createIncident": true, + "groupingConfiguration": { + "enabled": false, + "reopenClosedIncident": false, + "lookbackDuration": "PT5M", + "matchingMethod": "AllEntities", + "groupByEntities": [], + "groupByAlertDetails": null, + "groupByCustomDetails": null + } + }, + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "FullName", + "columnName": "AccountCustomEntity" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "URLCustomEntity" + } + ] + } + ], + "tactics": [ + "CredentialAccess", + "Discovery", + "LateralMovement", + "Collection", + "CommandAndControl", + "Exfiltration", + "Impact" + ], + "techniques": null, + "displayName": "Vectra AI Detect - Suspected Compromised Account", + "enabled": false, + "description": "Create an incident when an Account is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.", + "alertRuleTemplateName": "321f9dbd-64b7-4541-81dc-08cf7732ccb0" + } + } + ] +} \ No newline at end of file 
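Review bot: The `level` case expression treats `certainty_score == 50` inconsistently: with `threat_score < 50` it lands in the `>= 50` branch and is `\"Medium\"`, but with `threat_score >= 50` the `<= 50` test fires first and yields `\"High\"` instead of `\"Critical\"`, so an account at exactly 50/50 is under-rated; change the third branch to `threat_score >= 50 and certainty_score < 50`. The same expression appears in the following Suspected Compromised Host hunk and needs the same change. The comment `//keep only the event with the highest threat score per Host` sits above `| summarize arg_max(threat_score, *) by saccount`, so it should read "per account". Both `type` and `upn` are derived with `matches regex upn_has_prefix` against a single colon, where `contains` would express the intent more directly.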
From abbb73aa51751b286ee6670ecacb6e41600b6676 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:53 +0000 Subject: [PATCH 367/375] Exported file: Vectra AI Detect - Suspected Compromised Host.json.json --- ...I Detect - Suspected Compromised Host.json | 83 +++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json new file mode 100644 index 00000000..05d83de4 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspected Compromised Host.json 
@@ -0,0 +1,83 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a414027e-9d31-4716-84b5-41bc3cefbde1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "// Edit this variable to only keep the Severity level where an incident needs to be created (Defaults are: \"Low\", \"Medium\", \"High\", \"Critical\" ) \nlet configured_level = dynamic([\"Low\", \"Medium\", \"High\", \"Critical\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID == \"hsc\"\n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| project-rename score_decreases = DeviceCustomString3\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| where level in (configured_level) \n//keep only the event with the highest threat 
score per Host\n| summarize arg_max(threat_score, *) by SourceHostName\n| project SourceHostName, level, Severity, TimeGenerated, SourceIP, threat_score, certainty_score, vectra_URL\n| extend HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspected Compromised Host",
+ "enabled": false,
+ "description": "Create an incident when a Host is suspected to be compromised. \nThe higher the severity level is, the more immediate attention it requires as Vectra AI engine is more confident that this is a real threat. \nLevel of severity are: Low, Medium, High, Critical). Recommended configuration is to trigger an alert for at least High and Critical.",
+ "alertRuleTemplateName": "60eb6cf0-3fa1-44c1-b1fe-220fbee23d63"
+ }
+ }
+ ]
+}
\ No newline at end of file From a871cee2ce67b80da91ee9f09b959a453c2a7200 Mon Sep 17 00:00:00 2001
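Review bot: The `level` case() inside the `query` value classifies an event with threat_score >= 50 and certainty_score exactly 50 as \"High\" instead of \"Critical\", because the third branch uses `certainty_score <= 50` and case() returns the first matching branch; the boundary should be exclusive like the other three branches: `threat_score >= 50 and certainty_score < 50, \"High\",`. The same overlapping branch appears in the `level` case() of the Suspicious Behaviors hunk (patch 368). Separately, the per-row `Severity` column the query computes has no effect on the alert unless an `alertDetailsOverride` with `alertSeverityColumnName` maps it; as exported every alert carries the static `"severity": "High"` even for rows the query labels Low or Medium.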
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:54 +0000 Subject: [PATCH 368/375] Exported file: Vectra AI Detect - Suspicious Behaviors.json.json --- ...ctra AI Detect - Suspicious Behaviors.json | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json diff --git a/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json new file mode 100644 index 00000000..af7df314 --- /dev/null +++ b/SentinelExported-AnalyticsRule/Vectra AI Detect - Suspicious Behaviors.json 
@@ -0,0 +1,92 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2fd7979f-6d09-463b-828c-be33fc9ccfbb')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "// Edit this variable to only keep the tactics where an incident needs to be created (Defaults are: \"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\") \nlet configured_tactics = dynamic([\"COMMAND & CONTROL\", \"BOTNET ACTIVITY\", \"EXFILTRATION\", \"LATERAL MOVEMENT\", \"RECONNAISSANCE\"]);\nCommonSecurityLog\n| where DeviceVendor == \"Vectra Networks\"\n| where DeviceProduct == \"X Series\"\n| where DeviceEventClassID != \"campaigns\" and DeviceEventClassID != \"hsc\" and DeviceEventClassID != \"audit\" and DeviceEventClassID != \"health\" and DeviceEventClassID != \"asc\" \n| extend Category = extract(\"cat=(.+?);\", 1, AdditionalExtensions) \n| project-rename threat_score = FlexNumber1\n| project-rename certainty_score = FlexNumber2\n| project-rename triaged = DeviceCustomString5\n| project-rename vectra_URL = DeviceCustomString4\n| project-rename detection_name = DeviceEventClassID\n| extend Tactic = case( Category == \"COMMAND & CONTROL\", \"CommandAndControl\",\n Category == \"BOTNET ACTIVITY\" , \"Impact\",\n Category == \"EXFILTRATION\", \"Exfiltration\",\n Category == \"LATERAL 
MOVEMENT\", \"LateralMovement\",\n Category == \"RECONNAISSANCE\", \"Discovery\",\n \"UNKNOWN\")\n| extend level = case( threat_score < 50 and certainty_score < 50, \"Low\",\n threat_score < 50 and certainty_score >= 50 , \"Medium\", \n threat_score >= 50 and certainty_score <= 50, \"High\", \n threat_score >= 50 and certainty_score >= 50, \"Critical\",\n \"UNKNOWN\")\n| extend Severity = case( level == \"Low\", \"Low\",\n level == \"Medium\", \"Medium\",\n level == \"High\", \"Medium\",\n level == \"Critical\", \"High\",\n \"UNKNOWN\")\n| extend account = extract(\"account=(.+?);\", 1, AdditionalExtensions)\n| extend upn = iff(account matches regex \":\", tostring(split(account,\":\")[1]) ,tostring(split(account,\":\")[0])) \n| extend source_entity = case( isnotempty(upn), upn,\n isnotempty(SourceHostName), SourceHostName,\n \"UNKNWON\") \n| where Category in (configured_tactics) \n| summarize arg_max(threat_score, *) by source_entity , Activity\n| project TimeGenerated, source_entity, SourceHostName, SourceIP, upn, Activity, Tactic, Severity, threat_score, certainty_score, triaged, vectra_URL\n| extend AccountCustomEntity = upn, HostCustomEntity = SourceHostName, IPCustomEntity = SourceIP, URLCustomEntity = vectra_URL, timestamp = TimeGenerated\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ 
"columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery",
+ "LateralMovement",
+ "Collection",
+ "CommandAndControl",
+ "Exfiltration",
+ "Impact"
+ ],
+ "techniques": null,
+ "displayName": "Vectra AI Detect - Suspicious Behaviors",
+ "enabled": false,
+ "description": "Create an incident for each new malicious behavior detected by Vectra Detect. \nBy default, it looks through all tactics. This can be modified to create incident only for a subset of tactics.",
+ "alertRuleTemplateName": "6cb75f65-231f-46c4-a0b3-50ff21ee6ed3"
+ }
+ }
+ ]
+}
\ No newline at end of file From 9e9322a4be212ffbd6bdc04f8172db0abbf579e3 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:55 +0000 Subject: [PATCH 369/375] Exported file: Vulnerable Machines related to OMIGOD CVE-2021-38647.json.json --- ...ines related to OMIGOD CVE-2021-38647.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json new file mode 100644
index 00000000..2f384871
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to OMIGOD CVE-2021-38647.json 
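Review bot: The fallback branch of the `source_entity` case() in the `query` value is misspelled `\"UNKNWON\"` while the other case() fallbacks in the same query use `\"UNKNOWN\"`; rows with neither a upn nor a SourceHostName are grouped under the misspelled key, so the branch should read `isnotempty(SourceHostName), SourceHostName,\n \"UNKNOWN\")`. The `Category` extraction `extract(\"cat=(.+?);\", 1, AdditionalExtensions)` requires a trailing semicolon, so if `cat` is the last extension on a line it presumably yields empty and the row is silently dropped by `where Category in (configured_tactics)` — worth confirming against the Vectra CEF output. The `DeviceEventClassID !=` chain is a deny-list, meaning any new Vectra event class is admitted by default; the leading query comment could say so, e.g. `// All detection event classes are included except the listed non-detection ones`.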
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/00f4fd35-801a-4996-a1c5-bde58605be5c')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-38647'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to OMIGOD CVE-2021-38647",
+ "enabled": false,
+ "description": "This query uses the Azure Defender 
Security Nested Recommendations data to find machines vulnerable to OMIGOD CVE-2021-38647. OMI is the Linux equivalent of Windows WMI and \n helps users manage configurations across remote and local environments. The query aims to find machines that have this OMI vulnerability (CVE-2021-38647).\n Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal",
+ "alertRuleTemplateName": "4d94d4a9-dc96-450a-9dea-4d4d4594199b"
+ }
+ }
+ ]
+}
\ No newline at end of file From 9852598661a41d7ebfefd7a8b9f7fcacab59bc19 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:55 +0000 Subject: [PATCH 370/375] Exported file: Vulnerable Machines related to log4j CVE-2021-44228.json.json --- ...hines related to log4j CVE-2021-44228.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json
diff --git a/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json new file mode 100644
index 00000000..7586f07a
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Vulnerable Machines related to log4j CVE-2021-44228.json 
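Review bot: The `parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *` step in the `query` value only recovers a name when the resource ID contains `virtualMachines/`; for any other resource-ID shape the parse leaves `VirtualMAchine` empty and the `HostCustomEntity` mapping produces an alert with no host entity — confirm whether the recommendation can be raised for resource kinds other than VMs before relying on it. The query also sets `Timestamp = TimeGenerated` where every other exported rule uses the lowercase `timestamp` column, so `| extend timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine` would keep the entity-timestamp convention consistent. The `description` carries the typo `refrence`. All three points apply equally to the log4j hunk (patch 370), which has the same query shape and description text.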
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1217fe0b-489f-434b-9c6d-877c44610d0b')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "High",
+ "query": "SecurityNestedRecommendation\n| where RemediationDescription has 'CVE-2021-44228'\n| parse ResourceDetails with * 'virtualMachines/' VirtualMAchine '\"' *\n| summarize arg_min(TimeGenerated, *) by TenantId, RecommendationSubscriptionId, VirtualMAchine, RecommendationName,Description,RemediationDescription, tostring(AdditionalData),VulnerabilityId\n| extend Timestamp = TimeGenerated, HostCustomEntity = VirtualMAchine\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "InitialAccess",
+ "Execution"
+ ],
+ "techniques": null,
+ "displayName": "Vulnerable Machines related to log4j CVE-2021-44228",
+ "enabled": false,
+ "description": "This query uses the Azure Defender 
Security Nested Recommendations data to find machines vulnerable to log4j CVE-2021-44228. Log4j is an open-source Apache logging library that is used in \n many Java-based applications. Security Nested Recommendations data is sent to Microsoft Sentinel using the continuous export feature of Azure Defender(refrence link below).\n Reference: https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/\n Reference: https://docs.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal\n Reference: https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271",
+ "alertRuleTemplateName": "3d71fc38-f249-454e-8479-0a358382ef9a"
+ }
+ }
+ ]
+}
\ No newline at end of file From b42385ef65c1ec0e63ebd0767598a28018cfff9e Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:56 +0000 Subject: [PATCH 371/375] Exported file: Wazuh - Large Number of Web errors from an IP.json.json --- ...Large Number of Web errors from an IP.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json
diff --git a/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json new file mode 100644
index 00000000..87204239
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Wazuh - Large Number of Web errors from an IP.json 
@@ -0,0 +1,68 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee08a1b6-de2e-4397-bb4a-9d434ad24ee3')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "\nCommonSecurityLog\n| where DeviceProduct =~ \"Wazuh\"\n| where Activity has \"Web server 400 error code.\"\n| where Message has \"403\"\n| extend HostName=substring(split(DeviceCustomString1,\")\")[0],1)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP\n| where NumberOfErrors > 400\n| sort by NumberOfErrors desc\n| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Persistence"
+ 
],
+ "techniques": null,
+ "displayName": "Wazuh - Large Number of Web errors from an IP",
+ "enabled": false,
+ "description": "Identifies instances where Wazuh logged over 400 '403' Web Errors from one IP Address. To onboard Wazuh data into Sentinel please view: https://github.com/wazuh/wazuh-documentation/blob/master/source/azure/monitoring%20activity.rst",
+ "alertRuleTemplateName": "2790795b-7dba-483e-853f-44aa0bc9c985"
+ }
+ }
+ ]
+}
\ No newline at end of file From b99579b001cbce86592dfa734d75390083496eb1 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:57 +0000 Subject: [PATCH 372/375] Exported file: Web sites blocked by Eset.json.json --- .../Web sites blocked by Eset.json | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Web sites blocked by Eset.json
diff --git a/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json new file mode 100644
index 00000000..7722ffc8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Web sites blocked by Eset.json 
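Review bot: `NumberOfErrors = dcount(SourceIP) by HostName, SourceIP` in the `query` value is always 1, because the distinct count of a column that is also a grouping key cannot exceed one; the following `where NumberOfErrors > 400` therefore never matches and the rule as exported can never fire. The behaviour the `description` promises (over 400 '403' errors from one IP) needs a row count: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP`. The `HostName=substring(split(DeviceCustomString1,\")\")[0],1)` step assumes DeviceCustomString1 begins with a parenthesised host name — presumably the Wazuh agent format; a short comment in the query naming that assumption would help the next maintainer.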
@@ -0,0 +1,88 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c2cab3a7-b80c-4b53-8126-9affe3ef96d4')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5M",
+ "queryPeriod": "PT5M",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Low",
+ "query": "eset_CL\n| where event_type_s == 'FilteredWebsites_Event'\n| extend AccountCustomEntity = username_s, URLCustomEntity = object_uri_s, HostCustomEntity = hostname_s, IPCustomEntity = ipv4_s\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ]
+ },
+ {
+ "entityType": "URL",
+ "fieldMappings": [
+ {
+ "identifier": "Url",
+ "columnName": "URLCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "Exfiltration",
+ "CommandAndControl",
+ 
"InitialAccess"
+ ],
+ "techniques": null,
+ "displayName": "Web sites blocked by Eset",
+ "enabled": false,
+ "description": "Create alert on web sites blocked by Eset.",
+ "alertRuleTemplateName": "84ad2f8a-b64c-49bc-b669-bdb4fd3071e9"
+ }
+ }
+ ]
+}
\ No newline at end of file From 9f27b03ae83d7397df84749657ecc1ce149551bc Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:58 +0000 Subject: [PATCH 373/375] Exported file: Zoom E2E Encryption Disabled.json.json --- .../Zoom E2E Encryption Disabled.json | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json
diff --git a/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json new file mode 100644
index 00000000..e1fea2e8
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/Zoom E2E Encryption Disabled.json 
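Review bot: The `query` value emits every `FilteredWebsites_Event` row with no aggregation or threshold, and with `"triggerThreshold": 0` on a `PT5M` schedule that presumably means a Low alert on every run in which a single blocked site was logged; a `summarize count() by username_s, hostname_s, ipv4_s, object_uri_s` or a minimum count would keep the alert volume proportional to the signal. `queryPeriod` equals `queryFrequency` at five minutes, so events whose ingestion latency exceeds that window are never examined — a lookback somewhat longer than the frequency, with incident grouping enabled to absorb the overlap, is the usual mitigation. The `==` comparison on `event_type_s` is case-sensitive where the other exported rules use `=~`; confirm the Eset event type string is stable before leaving it strict.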
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/675ea0df-9fff-4dc5-b0ee-521faf737c55')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "severity": "Medium",
+ "query": "\nZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend NewE2ESetting = columnifexists(\"payload_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| extend OldE2ESetting = columnifexists(\"payload_old_object_settings_in_meeting_e2e_encryption_b\", \"\")\n| where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5M",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": null,
+ "groupByCustomDetails": null
+ }
+ },
+ "entityMappings": [
+ {
+ "entityType": "Account",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
+ }
+ ]
+ }
+ ],
+ "tactics": [
+ "CredentialAccess",
+ "Discovery"
+ ],
+ "techniques": null,
+ "displayName": "Zoom E2E Encryption Disabled",
+ "enabled": false,
+ "description": "This alerts when end to end encryption is disabled for Zoom meetings.", 
+ "alertRuleTemplateName": "e4779bdc-397a-4b71-be28-59e6a1e1d16b"
+ }
+ }
+ ]
+}
\ No newline at end of file From 3a3e819d9b4ce6d1c7008a838cc96c7624b2f808 Mon Sep 17 00:00:00 2001 From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:59 +0000 Subject: [PATCH 374/375] Exported file: new file added -- 2_14_2013.json.json --- .../new file added -- 2_14_2013.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json
diff --git a/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json new file mode 100644
index 00000000..07598ea9
--- /dev/null
+++ b/SentinelExported-AnalyticsRule/new file added -- 2_14_2013.json 
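Review bot: The filter `where OldE2ESetting =~ 'false' and NewE2ESetting =~ 'true'` in the `query` value matches a setting that changes from false to true, i.e. end-to-end encryption being turned on, which is the opposite of what the `displayName` and the `description` ("when end to end encryption is disabled") state; the condition should be `| where OldE2ESetting =~ 'true' and NewE2ESetting =~ 'false'`. The `_b` suffix on the `columnifexists` column names suggests boolean-typed columns; if they are bool rather than string, comparing them with `=~` against a string literal may not compile, so wrapping each in `tostring()` (the `\"\"` default is already a string) would be safer — verify against the ZoomLogs schema.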
@@ -0,0 +1,55 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/895522a3-ae18-4771-add7-334f7b4a3124')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "PT5H",
+ "queryPeriod": "PT5H",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": true,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [
+ "ResourceDevelopment"
+ ],
+ "techniques": [
+ "T1583",
+ "T1586",
+ "T1584"
+ ],
+ "displayName": "new file added -- 2/14/2013",
+ "enabled": true,
+ "description": "new file added -- 2/14/2013",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file From e709931e44780a8d443f4673fac3145596400641 Mon Sep 17 00:00:00 2001
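Review bot: This rule is exported with `"enabled": true`, a `query` of bare `CommonSecurityLog`, `"triggerThreshold": 0` and a PT5H schedule, so it raises a Medium incident every five hours in any workspace the template is deployed to, with every CommonSecurityLog row of the period attached as evidence; the `displayName` and `description` (`new file added -- 2/14/2013`) and the unrelated `ResourceDevelopment` tactic and T1583/T1584/T1586 techniques mark it as a test artifact rather than a detection. Either drop it from the exported set or at least commit it with `"enabled": false`. The same applies to `new test rule 1` (patch 375), which is also enabled with the bare-table query, an empty `description` and empty `tactics`; it only avoids incidents because `createIncident` is false there.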
From: "azure-sentinel-canary[bot]" <81647351+azure-sentinel-canary[bot]@users.noreply.github.com> Date: Sun, 26 Feb 2023 02:19:59 +0000 Subject: [PATCH 375/375] Exported file: new test rule 1.json.json --- .../new test rule 1.json | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SentinelExported-AnalyticsRule/new test rule 1.json diff --git a/SentinelExported-AnalyticsRule/new test rule 1.json b/SentinelExported-AnalyticsRule/new test rule 1.json new file mode 100644 index 00000000..ed09e71a --- /dev/null +++ b/SentinelExported-AnalyticsRule/new test rule 1.json 
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspace": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c48bc19c-dba4-4da3-b215-c9086150d26f')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "kind": "Scheduled",
+ "apiVersion": "2022-09-01-preview",
+ "properties": {
+ "queryFrequency": "P1D",
+ "queryPeriod": "P1D",
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "eventGroupingSettings": {
+ "aggregationKind": "SingleAlert"
+ },
+ "severity": "Medium",
+ "query": "CommonSecurityLog",
+ "suppressionDuration": "PT5H",
+ "suppressionEnabled": false,
+ "incidentConfiguration": {
+ "createIncident": false,
+ "groupingConfiguration": {
+ "enabled": false,
+ "reopenClosedIncident": false,
+ "lookbackDuration": "PT5H",
+ "matchingMethod": "AllEntities",
+ "groupByEntities": [],
+ "groupByAlertDetails": [],
+ "groupByCustomDetails": []
+ }
+ },
+ "tactics": [],
+ "techniques": [],
+ "displayName": "new test rule 1",
+ "enabled": true,
+ "description": "",
+ "alertRuleTemplateName": null
+ }
+ }
+ ]
+}
\ No newline at end of file